When we think about Insider threats, thoughts of malicious behavior, theft of trade secrets and crown jewels, exfiltration of data, customer information, etc., we tend to think about. Insider threats are not just about malicious and nefarious, but the more significant subset of incidents result from the unintentional or accidental insider – your users. The recent DBIR Verizon report indicated 85% of incidents result from unintentional insiders, not malicious. Attack vectors will likely stay constant – ransomware, phishing, account compromise, malware, exposed credentials, etc. The cause of these attacks and compromises (and eventually data breaches) is due to humans.
Insider Threat Program
Suppose your organization consists of a large enterprise with multiple regions globally, and your business contains anything sensitive or proprietary. In that case, you are the perfect organization that should be implementing some level of insider threat program—examining the three core facets of any risk program – People, Process, and Technology. This will be paramount to your Insider Threat program too.
To take on the mass responsibility of building a worthwhile Insider Threat Program, it will be helpful to create a working group or committee that includes your business partners that will comprise such a program. This includes human resources, security, risk management, information/cyber security, information technology (IT), and legal.
The next important step will be to identify what events (or incidents) could fit the description of an insider threat. Any plans or processes should identify various events, if they would be categorized as an inside threat, and whether they would be deemed malicious or unintentional. Incident Response plans are a great place to categorize your incident types and severity levels. An asset inventory or a comprehensive asset inventory should be maintained, especially to identify your protected and critical assets; trade secrets, private and confidential company information, unique recipes for products/manufacturing, and anything of value. Then, understand where this data resides in your organization and asset owners, if applicable.
Additional aspects of building your Insider Threat Program lie around identifying an insider threat response team (this could be a similar team handling incident response for cyber events), identifying proper technology and tools for identification, prevention, prediction, and detection of insider threat cases. Also, having an investigations team assigned to insider threat cases will be helpful too.
People Behavior
In addressing insider threats resulting from the workforce, and more importantly, Unintentional insiders, you should review your people (users) in great detail. Why do people do what they do? We know employees aren’t perfect. We trust that our users have the best intentions at work, but sometimes, the best choices turn bad, and how the company deals with those bad actions is most important. Organization leaders are starting to take notice of their workforces—taking proactive measures, reviewing user access to data and systems, knowing the criticality of both, and where that critical data lives in the environment. Understanding and identifying what critical assets are present in the organization is an important step. Then comes ideas to enforce good security practices, hoping that these actions could turn something negative into a positive.
Proactive vs. Reactive
The terms proactive and reactive have plagued security teams for years. How can my security team be more aggressive and get out in front of security incidents? But, in reality, most security organizations run on a primarily reactive operation. The security team deploys SIEM, SOAR, Cyber Threat Intelligence, UEBA, and other tools and methodologies to detect and respond quickly. There hasn’t been much thinking on proactive and predictive – specifically – Can I identify my riskiest users and take action? How do I protect the organization from these risks, even before an incident occurs? Can I identify my risks, threats, and even vulnerabilities?
There needs to be a concerted and well-strategized effort to improve risky human behaviors and stay ahead of incidents. The first and foremost way to identify risks is through some level of assessment. A security risk assessment is a great way to identify your organization’s maturity compared to a security framework (e.g., NIST 800-53 or NIST Cybersecurity Framework) and the various security controls.
A security risk assessment outcome should inform you on the level and likelihood of risks to the organization and a risk treatment plan; a list of prioritized risks and remediation. As part of this overall risk assessment, taking things a bit further to concentrate on workforce risk could be helpful. First, understand that users who maintain a high level of access in your organization (e.g., administrator accounts or privileged access) are typically the highest risk for an organization. Then understand your organization’s most significant risks, compromised of threats (known, unknown, or viable) and vulnerabilities in your organization. Then, as part of the assessment process, understand and identify user actions/behaviors as it relates to risky actions; e.g., succumbing to phishing tests, positive clicks on real phishing emails, downloading malware, or even the attempt to download malware (but the site was blocked) and other risky actions that could cause security incidents.
CISOs and other senior security and risk leaders should already be undertaking a risk assessment. This is an ongoing and essential step for any organization. Staying ahead of unintentional insider threats and workforce risk will assist organizations in identifying and preventing incidents before they occur.