Let’s start with the good news. Malicious insider activity is relatively rare. Unfortunately, even though outsiders account for 85 percent of cybersecurity incidents, the damage often is substantially greater when an insider strikes. In order to best protect your company against internal abuse, it is helpful to understand the nature of the threat and to consider applying risk-based approaches to address the problem.
Nature of the Threat
Insiders have a unique opportunity to cause harm because a corporation’s internal security measures typically are easier to bypass than externally focused perimeter defenses. By operating from within a company’s offices and networks, insiders not only have enhanced access to their target, they also have the ability to observe technical gaps and lapses in policy enforcement, and to discover where the crown jewels are located. Insider risk also includes well-intentioned employees whose conduct unwittingly causes or contributes to a security incident.
Insider Threat by the Numbers
As with other criminal activity, the insider threat includes a wide range of actors, motives and techniques. The Software Engineering Institute at Carnegie Mellon reviewed more than 800 insider threat cases and found that 85 percent of insider threats are employees of the victim organization. Contractors, subcontractors and trusted business partners rounded out the remaining 15 percent. The majority of incidents involve fraud (44 percent of the time) and the theft of intellectual property (16 percent). Nonetheless, a troubling 25 percent of the time, the insider’s goal is to conduct sabotage. Interestingly, most insiders (72 percent) committed their crimes during their normal working hours. However, 28 percent of insider crimes occurred before or after the employee’s normal working hours. Insiders are far more likely to act onsite at the victim location (70 percent of incidents) but, significantly, many act from remote locations (24 percent) or from both onsite and remote locations (6 percent).
Be Prepared
Organizations should consider creating an insider cyber threat program, led by a senior manager. This program would ensure that policies, resources and oversight are in place to assess and implement company controls that specifically deter, detect and mitigate the risk from employees, contractors and business partners. In addition to a company’s standard information security practice, insider threat programs should consider incorporating the following:
- Pre-employment screening requirements, to include when and how to use personnel background checks.
- Physical property inventories and audits that assign employee responsibility for their desktops, laptops, removable media, security tokens and access cards.
- Continuous monitoring, logging and automated correlation of endpoint activities in order to: establish a baseline of normal behavior; provide real-time detection and alerts of anomalies; track data exfiltration methods, including the use of encrypted sessions, sending data to online storage providers, sending email with attachments to personal accounts, high-volume printer activity, and the use of removable media; implement rule-based mitigation responses; perform real-time damage assessments; and enable forensic analysis for use in disciplinary or criminal proceedings.
- Enhanced auditing of higher-risk users, to include employees who: previously violated IT security policies or encouraged others to do so; express long-term job dissatisfaction; seek sensitive business information not required for their job; are placed on a performance improvement plan or who are pending termination; and are more likely to be targeted through social engineering.
- Enhanced access controls and auditing of privileged users, to include a requirement that at least two individuals be present to complete certain high-risk tasks.
- The ability to aggregate and correlate network logs, facility access logs and personnel records of higher-risk users to identify known or suspected misconduct.
- Initiatives that promote the resolution of employee grievances and protect whistleblowers.
- Employee awareness, training and testing specific to identifying and reporting insider threat indicators.
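The monitoring and correlation items above (baselining endpoint activity, flagging exfiltration methods such as removable media, personal-email attachments and high-volume printing, and joining network logs with facility access logs and personnel records) can be illustrated with a small correlation routine. The following is an added example written for this column, not code from the author or from any product named here; the log lines, the user names, the 07:00–19:00 working window, the thresholds and the "personal mail domain" list are all constructed placeholders that a real program would replace with its own baselines and data feeds.

```python
"""Correlate endpoint, email and badge logs with personnel flags to surface
insider-risk indicators.  All sample data below is constructed for the example."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample records in a simple 'TIMESTAMP key=value ...' shape.
ENDPOINT_LOG = [
    "2024-03-04T14:10:00 user=alice host=WS-17 event=file_copy dest=USB bytes=4200000",
    "2024-03-04T22:45:00 user=bob host=WS-22 event=file_copy dest=USB bytes=950000000",
    "2024-03-05T09:05:00 user=carol host=WS-03 event=print pages=12",
    "2024-03-05T09:40:00 user=carol host=WS-03 event=print pages=480",
    "2024-03-05T03:10:00 user=dave host=VPN-GW event=login src=remote",
]
EMAIL_LOG = [
    "2024-03-04T15:00:00 user=alice to=partner@example-vendor.test attach=1 bytes=120000",
    "2024-03-04T23:02:00 user=bob to=bob.personal@webmail.test attach=3 bytes=50000000",
]
BADGE_LOG = [
    "2024-03-04T08:55:00 user=alice door=HQ-main event=entry",
    "2024-03-04T17:30:00 user=alice door=HQ-main event=exit",
    "2024-03-04T09:00:00 user=bob door=HQ-main event=entry",
    "2024-03-04T18:00:00 user=bob door=HQ-main event=exit",
]
# Personnel feed: only the risk flag the program needs, not the whole HR record.
PERSONNEL = {"bob": "pending termination"}

# Constructed baseline parameters; a real program derives these per user/role.
WORK_START, WORK_END = time(7, 0), time(19, 0)
PERSONAL_MAIL_DOMAINS = {"webmail.test"}
USB_BYTES_THRESHOLD = 100_000_000
PRINT_PAGES_THRESHOLD = 200


def parse(line):
    """Parse one log line into a dict; the timestamp lands under 'ts' as a datetime."""
    ts, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    rec.update(f.split("=", 1) for f in kv)
    return rec


def after_hours(ts):
    """True when the event falls outside the constructed working window."""
    return not (WORK_START <= ts.time() <= WORK_END)


def last_badge_state(badge, user, ts):
    """The user's most recent badge event ('entry'/'exit') on the same day before ts, or None."""
    same_day = [r for r in badge
                if r["user"] == user and r["ts"].date() == ts.date() and r["ts"] <= ts]
    return max(same_day, key=lambda r: r["ts"])["event"] if same_day else None


def correlate(endpoint_lines, email_lines, badge_lines, personnel):
    """Return {user: {'indicators': [...], 'score': int, 'hr_flag': str|None}}."""
    endpoint = [parse(l) for l in endpoint_lines]
    email = [parse(l) for l in email_lines]
    badge = [parse(l) for l in badge_lines]
    findings = defaultdict(list)

    for r in endpoint:
        user, ts = r["user"], r["ts"]
        if r.get("dest") == "USB" and int(r["bytes"]) >= USB_BYTES_THRESHOLD:
            findings[user].append("bulk copy to removable media")
        if r.get("event") == "print" and int(r["pages"]) >= PRINT_PAGES_THRESHOLD:
            findings[user].append("high-volume printing")
        if after_hours(ts):
            findings[user].append("after-hours endpoint activity")
        # Facility-access correlation: workstation use after the badge system says the user left.
        if r.get("host", "").startswith("WS-") and last_badge_state(badge, user, ts) == "exit":
            findings[user].append("workstation activity after badge exit")

    for r in email:
        domain = r["to"].rsplit("@", 1)[-1]
        if domain in PERSONAL_MAIL_DOMAINS and int(r.get("attach", 0)) > 0:
            findings[r["user"]].append("attachments sent to personal email")

    # Personnel context raises review priority; it never creates an indicator by itself.
    scored = {}
    for user, inds in findings.items():
        weight = 2 if user in personnel else 1
        scored[user] = {"indicators": inds, "score": len(inds) * weight,
                        "hr_flag": personnel.get(user)}
    return scored


if __name__ == "__main__":
    results = correlate(ENDPOINT_LOG, EMAIL_LOG, BADGE_LOG, PERSONNEL)
    for user, info in sorted(results.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{user:6} score={info['score']:2} hr_flag={info['hr_flag']} {info['indicators']}")
```

Each data source on its own is noisy: after-hours logins are routine for some roles and large USB copies are routine for others. The value is in the join. Here the badge log turns an after-hours workstation event into a much stronger signal (the account is active while its owner has badged out), and the HR flag only reorders the review queue, which keeps personnel data out of the detection logic itself and makes the legal review described under "Be Inclusive" simpler to scope.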
Be Inclusive
A successful insider threat program must include active participation from a company’s physical security, personnel security, information technology, human resources and procurement/sourcing staff. To be lawful, especially as it relates to the privacy and civil liberties implications of background checks, electronic monitoring and the sharing of sensitive personnel data, the program requires strong support from your legal department. Finally, as is the case with all risk management initiatives, the first step is for senior leadership to prioritize what data and systems require the greatest protection. After corporate priorities are established, applying proper controls becomes both manageable and worthwhile.
About the Columnist:
Steven Chabinsky is General Counsel and Chief Risk Officer for cybersecurity technology innovator CrowdStrike, which provides incident response services, cyber intelligence feeds, and a next generation, big data platform for continuous threat detection, attribution, and prevention. He previously served as Deputy Assistant Director of the FBI’s Cyber Division.