Anyone with access to your organization — employee, contractor, former employee, etc. — poses a potential risk to the enterprise. A well-intentioned employee holding the door open for a stranger; a contractor getting his laptop with private company information stolen at the airport; a disgruntled cubemate posting company information on her social media platform of choice; a finance worker unwittingly giving password or computer access to a fake IT employee. The list goes on.
Insiders have always been potential risks to an organization, and yet with increased work-from-home situations and additional stressors heightened by the COVID-19 pandemic, security incidents from insiders continue to accelerate. According to the Ponemon Institute’s 2020 data, the number of reported insider incidents increased by 47% between 2018 and 2020.
In the past year and a half, there was the story of an ex-employee tampering with a Kansas water system; countless stories of employees who stole from or facilitated fraud schemes surrounding the U.S. Paycheck Protection Program and other government-funded COVID-relief programs; and the Tesla employee who was offered $1 million in bribe money to install ransomware on the company’s networks. The truth is, insider risk looks incredibly different from one organization to another and affects every enterprise differently. Yet, no enterprise, organization or agency is immune.
“Especially over the past year, in hospitals and healthcare settings, we are seeing concerns over insider theft of PPE, along with risk to the delivery, transport and administering of the COVID-19 vaccine, so the landscape has changed a lot for us,” says Ken Harr, FBI-NA, CHPA, Corporate Director and Chief Security Officer at Ballad Health, Johnson City, Tenn. “Still, I would say that when it comes to physical security, most insider incidents are a result of good intentions from team members but lack of awareness.”
Michael Maloof, Vice President and Head of Global Physical Security Operations at Oracle, Austin, Texas, says that the potential for insider incidents has changed over the past year and a half. The focus on protecting 600+ offices with physical security technology and officers, he says, has evolved into also protecting many of the 130,000+ employees the company has working remotely.
Regardless of the organization, the risk of anyone with access to the business or agency needs to be defined. “Every time I think about defining insider threat, I recall how we struggled to define counterterrorism following 9/11. When you ask, ‘What is Insider Threat?’ I would say it depends on who you are talking to,” says J.T. Mendoza, Director, Global Security, CGI, headquartered in Montreal, Canada. Prior to joining CGI, Mendoza served as Deputy Director of the U.S. Air Force’s Insider Threat Hub. “Defining insider threat hasn’t been as challenging as counterterrorism but the definition does tend to change from organization to organization. Everyone leans to what they know…some define it from a cyber perspective, some lean toward physical security and others see it through a counterintelligence/espionage lens. I’ve been privileged to work in all these domains and look at it from a root cause perspective — the trusted insider.”
Who Owns Insider Risk?
Because of the broad nature of insider threats, many insider risk programs, insider threat investigations and management functions are aligned with different departments, including security, IT, HR or legal. “This is usually dependent on what function decides to initiate the effort,” Mendoza says.
One of the best practices for a robust insider threat program within the organization, however, is to have a defined program with the involvement of all functional groups having defined roles, responsibilities and actions, while sharing data for greater situational awareness.
“The security team, IT, HR, legal, audit and others are all really SMEs in their own areas, so their roles should be part of a formalized program for this to work,” Reese Huebsch, Director of Program Development at consulting firm Atriade, explains. “There must be a core leadership team with a clearly defined strategy and all information has to be shared to make sure that happens. Security can champion an insider program from a risk perspective, but in order for the program to work, you need that broader group to be engaged, supporting and sharing information.”
Indeed, Huebsch says, different departments hold the keys to puzzle pieces of information that together can make for a more robust insider risk detection program than apart. “For example, IT or security may already have existing detection tools to protect critical assets within the organization. Physical security has a lot of behavioral data from badge swipes and other technologies. Executive protection may already be monitoring where people are going. HR has information considered behavioral as well, particularly regarding someone’s departure from the organization, and all of those things are extremely relevant in proactively protecting the business.”
Low-Hanging Fruit of Mitigation
One of the low-hanging pieces of fruit when it comes to insider risk mitigation within an organization is awareness and education — an area perfectly suited for security to take a lead role in. “For the majority of incidents, awareness and education are key and can really reduce those most common threats, such as propped open doors, thefts, sharing or not returning keycards or keys, for example,” Harr says. “It’s also important to bring awareness to a culture of See Something, Say Something.” At Ballad Health, Harr and his team have posters with reminders to contact the security team if they see anything that warrants a closer look.
In terms of training security departments and security officers on insider risk mitigation, Harr says awareness training on suspicious or concerning behaviors or events that elevate the risk profile of an individual is a worthwhile, proactive strategy for mitigation as well. “Educate those members on disgruntled behavior, anxious behavior, and other actions that could lead to trouble, such as attempting to bypass security, violating policies, or an employee who is planning to leave the organization,” he says.
For the majority of employees within an agency or organization, sending a clear message that everyone can pose a potential problem to the organization, whether they intend to or not, can reduce risk and go a long way toward incident reduction.
At Oracle, Maloof and his security team try to get out in front of other employees, making connections and enabling the organization to understand that the security team is there to help, no matter the issue. “Being a visible presence to employees and building trust and communication lets them know we are here and accessible anytime and we will respond to anything,” he says.
Maloof also works with managers, HR and other departments to extend security’s reach and engage them to be extra eyes and ears to prevent and report potentially troubling behavior. “If you are looking at preventing inside or outside threats, it can’t be done in a security silo,” Maloof says. He says a customer-service-oriented security team, coupled with strong partnerships among departments and other employees, can help employees remember to come to security when something arises.
Assessing the Threat
Mendoza says one lesson he learned years ago from evolving insider threat programs is that many systems in place to identify such risks are focused on identifying issues too late in the process.
“Many thresholds were established after someone had significant delinquencies or after an investigation was open. These types of thresholds were too far to ‘the right of bang,’” he says. According to Mendoza, moving to a proactive approach requires focusing on taking the entire risk equation into consideration: Risk = Vulnerability X Threat X Consequence, instead of just focusing on threat.
“To be honest, even today, many programs struggle to implement a proactive model, but I believe it’s because we’re too focused on threat and not risk,” he continues. “You see, all employees aren’t threats, but we all inherently bring risk with us — knowingly or unknowingly. Can that risk manifest as a threat? Sure, but if detection happens early enough, it can be mitigated and/or managed…Focusing on risk versus threat allows you to put thresholds in place further left along the spectrum of the critical path, regardless of whether the behavior is detected through technical or physical means.”
Perhaps the most important way to establish a proactive approach to insider risk mitigation, Mendoza says, is to establish a risk tolerance depending on your organization. “This should really come from the executive sponsor of the program or the C-Suite/Board. I would recommend establishing thresholds and policies that support what will be responded to and who will respond. In my opinion, if you take a risk approach, then you can respond as soon as you detect and identify a risk. There is no overreaction because the approach is to manage the risk — not neutralize the threat,” Mendoza says.
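As an added example that is not part of the article and not code from any of the organizations quoted, the Python below shows what the cross-functional data sharing Huebsch describes and the risk-based thresholds Mendoza argues for look like when implemented: HR departure notices, badge-swipe records and IT detection alerts are combined into one per-employee score, and two thresholds separate an early "monitor" tier (a frontline leadership check-in, further left on the critical path) from a later "review" tier (formal review by the program's core team). The employee ids, names, door ids, timestamps, signal weights and threshold values are all constructed assumptions; a real program would set the weights and thresholds from its own executive-approved risk tolerance.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data: the ids, names, doors and timestamps are invented
# for this example and do not come from the article.
HR_RECORDS = {
    "E1042": {"name": "Alice Example", "resignation_notice": "2021-06-10"},
    "E2077": {"name": "Bob Example", "resignation_notice": None},
    "E3105": {"name": "Carol Example", "resignation_notice": None},
}

BADGE_LOG = """\
2021-06-14T08:55:12 E2077 DOOR-LOBBY GRANTED
2021-06-14T22:41:03 E1042 DOOR-SERVER-ROOM GRANTED
2021-06-14T23:10:45 E1042 DOOR-SERVER-ROOM GRANTED
2021-06-15T09:02:30 E3105 DOOR-LOBBY GRANTED
2021-06-15T19:30:00 E3105 DOOR-SERVER-ROOM DENIED
2021-06-15T22:05:11 E1042 DOOR-LOBBY GRANTED
"""

IT_ALERTS = """\
2021-06-14T23:30:00 E1042 DLP removable-media-copy
2021-06-15T10:00:00 E2077 DLP removable-media-copy
"""

SENSITIVE_DOORS = {"DOOR-SERVER-ROOM"}

# Weights and thresholds are assumptions; an organization sets them from its
# own risk tolerance, which the article leaves to the executive sponsor.
WEIGHTS = {
    "pending_departure": 3,  # HR: notice of resignation on file
    "after_hours": 1,        # physical security: swipe outside 07:00-19:00
    "sensitive_area": 1,     # physical security: swipe at a protected door
    "access_denied": 2,      # physical security: possible attempt to bypass controls
    "it_alert": 2,           # IT/security tooling: e.g. a DLP event
}
MONITOR_THRESHOLD = 3   # early tier: frontline leader checks in with the employee
REVIEW_THRESHOLD = 6    # later tier: formal review by the cross-functional team


@dataclass
class BadgeEvent:
    when: datetime
    employee: str
    door: str
    result: str


def parse_badge_log(text):
    """Parse 'timestamp employee door result' lines into BadgeEvent records."""
    events = []
    for line in text.splitlines():
        ts, emp, door, result = line.split()
        events.append(BadgeEvent(datetime.fromisoformat(ts), emp, door, result))
    return events


def parse_it_alerts(text):
    """Parse 'timestamp employee source detail' lines into tuples."""
    alerts = []
    for line in text.splitlines():
        ts, emp, source, detail = line.split(maxsplit=3)
        alerts.append((datetime.fromisoformat(ts), emp, source, detail))
    return alerts


def is_after_hours(when):
    return when.hour < 7 or when.hour >= 19


def tier(score):
    """Map a score onto the response tier the program has agreed in advance."""
    if score >= REVIEW_THRESHOLD:
        return "review"
    if score >= MONITOR_THRESHOLD:
        return "monitor"
    return "none"


def score_employees(hr, badge_events, it_alerts):
    """Combine HR, physical-security and IT signals into one risk score per employee."""
    results = {emp: {"score": 0, "signals": []} for emp in hr}

    def add(emp, signal):
        if emp in results:  # ignore ids with no HR record (e.g. visitor badges)
            results[emp]["score"] += WEIGHTS[signal]
            results[emp]["signals"].append(signal)

    for emp, rec in hr.items():
        if rec["resignation_notice"]:
            add(emp, "pending_departure")
    for ev in badge_events:
        if is_after_hours(ev.when):
            add(ev.employee, "after_hours")
        if ev.door in SENSITIVE_DOORS:
            add(ev.employee, "sensitive_area")
        if ev.result == "DENIED":
            add(ev.employee, "access_denied")
    for _, emp, _, _ in it_alerts:
        add(emp, "it_alert")

    for emp in results:
        results[emp]["tier"] = tier(results[emp]["score"])
    return results


if __name__ == "__main__":
    scored = score_employees(HR_RECORDS, parse_badge_log(BADGE_LOG), parse_it_alerts(IT_ALERTS))
    for emp, r in scored.items():
        print(emp, HR_RECORDS[emp]["name"], r["score"], r["tier"], r["signals"])
```

On the constructed data, the departing employee with after-hours server-room access and a DLP event lands in the review tier, the employee with a single DLP alert stays below the monitor line, and a denied after-hours attempt at a protected door by itself reaches the monitor tier, which is the point of the lower threshold: a conversation happens before anything has escalated to an investigation. Each signal on its own is weak; the value comes from the departments sharing their data so the combination is visible.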
Technology as a Tool
Another helpful tool for insider threat mitigation is technology. According to Harr, access control, for example, is important for risk mitigation. “It helps you control where people can go and also controls entry points. Door prop alarms will alert you if doors are left open and video surveillance can help with detection and investigation,” he says.
Harr adds that video surveillance and analytics can detect suspicious activities or enable operators to track a person of interest to see what they are doing and where they are going. “And, of course, monitoring social media can help you find out a lot of things about people and what their intentions are,” Harr says.
Maloof says that formalized, efficient procedures for onboarding and off-boarding employees are imperative for ongoing security, using technology to streamline credentials, password protection and network or facility access. “As a technology company and cloud provider, we have the luxury of access to technology. The key is to ensure that employees have appropriate access to do their job and don’t have access to areas they don’t need,” he says.
While technology can be extremely helpful and, some would say, critical for some types of insider risk mitigation, security leaders caution that no technology will solve this issue completely.
“There’s so much information out there, it’s impossible to aggregate, analyze and respond in a timely fashion without some type of [technological] assistance,” Mendoza says. “But, be careful believing the cure is technological in nature. We’re talking about humans and each person is different. Therefore, you need a measured, customized approach to the challenge that is focused on your workforce. In fact, I’d argue frontline leadership and culture is more important than any technology you can buy.”
Maloof agrees. “Our job is to ensure employees feel safe and secure no matter what, and when they are, happiness and productivity increase and the insider threat decreases.”