CSOs and CISOs face a number of substantial challenges these days and by all accounts the list of challenges is continuously increasing. Most subject matter experts believe this list will only grow in the foreseeable future. That being said, the debate continues as to what is the greatest challenge for CSOs and CISOs. However, few dispute that the challenge of dealing with insider threats is right up at or near the top of the list. Like most security threats, the insider threat issue is highly dynamic and adds to the challenge of dealing with this ever present and changing list of top risks.
The insider threat problem can be broken down into three specific motivations. The first, and perhaps the most frequently discussed, is an employee that takes sensitive or confidential information from the organization they work for and uses it for personal use or gain. For example, a sales person decides to leave Company A and takes the customer list and contact information for those customers with them when they join Company B, a competitor. Second is the insider that inappropriately acquires or out and out steals proprietary or trade secrets from a company they work for and sells, or in some cases gives it to a competitor or foreign government. The third insider threat scenario accesses and changes data or sabotages the organization’s systems. Many times this is in retaliation for some action or lack of action what wronged the employee perpetrating the act(s). The tactics, methods and motivations continue to change with no end or even a slowdown in site.
Speaking of ever changing, recent thinking has concluded that the issue of insider threats does not always involve malicious actors. That has resulted in security experts coining the term ‘accidental insider’ threat. A recent study found that 36 percent of security incidents/breaches come from the actions or inaction of careless user. This is perhaps the largest subset of the overall problem. These individuals unknowingly do something that corrupts the organization’s information, compromises a system or systems, or in some cases, allows outsiders to take and hold the system/data hostage. All of this has placed insider threats higher up on the CSO’s and CISO’s agenda.
Rising up on the list has placed a great emphasis on addressing the threat from insiders. Multiple vendors have insider threat detect and response systems. That being said, many have come to wonder if this is really where CSOs and CISOs need to start. Thought leaders are pointing to a starting point that takes a different direction. They now point to the Human Resource department. That’s right, HR! At a recent conference, one conversation caught my attention. As one CSO put it, “It is better to keep them from getting in than to try and stop their actions once they are in. While you have to do both, it is better to keep them outside.” To do that, CSOs and CISOs must team with HR and work closely together to establish a proper vetting process for ALL individuals that work directly or on a contract basis as well as those that may work for third parties and have access to one or more of the organization’s facilities.
Given the continued increase in insider incidents, enterprise security must bolster the organization’s defenses against this threats. Don’t be fooled when you see that many organizations downplay this issue. It is a tough problem to address. The solution is a broad-based approach that includes behavioral and organizational issues, and must be addressed by policies, procedures, and perhaps some new technologies. This is now a strategic imperative for CSOs and CISOs. The best advice is to re-evaluate your relationship with HR and the hiring policies that are in place. Team with them to address this significant and growing problem.