As general awareness of the scope and source of cyber threats becomes more widespread, we realize it’s not always the mysterious foreign black hat that should worry us most. It’s a tale as old as time itself: the mole, the snake, the gullible stooge—the threats inside your walls can be even more damaging than the enemy at the ramparts. The more we understand about how cyber-attacks originate and propagate, the more we are shifting our focus to insider threats, both malicious and accidental.
While estimates vary, Information Security Forum analysis of the 2015 Verizon Data Breach Investigation Report has found that up to 54 percent of incidents reported in 2014 were a direct result of insider behavior. Numerous factors are increasing organizations’ exposure to threats posed by insiders, and technical controls are limited. As enterprises grow their digital business, they realize that employee access to digital resources magnifies the damage an individual can do, and how covertly they can do it. To combat these threats, organizations must invest in a deeper understanding of trust, working strategically to assess and improve the trustworthiness of insiders.
Leaders who ignore or encourage inappropriate insider behavior should expect financial, reputational or legal consequences.
Most research on the insider threat focuses on malicious behavior. However, the threat is considerably broader. Insider negligence and insider accidents comprise a greater and growing proportion of information security incidents. Chief Information Security Officers (CISOs) who limit their thinking to malicious insiders may be gravely miscalculating the risk.
The insider threat has intensified as people have become increasingly mobile and hyper-connected. Nearly every worker has multiple, interconnected devices that can compromise information immediately and at scale: impact is no longer limited by the amount of paper someone can carry. Simultaneously, social norms are shifting, eroding loyalty between employers and employees. A job for life is being replaced by a portfolio of careers.
So how do organizations determine who is trustworthy enough to be let inside – then build and maintain loyalty with a transient workforce?
How do organizations manage risk while minimizing costs related to vetting, security checks, and identity and access management?
Trust is a Factor
Organizations recognize that they need to trust insiders to behave appropriately. Workers undergo background checks before starting, and may earn greater trust as their service and seniority increase. Organizations also require professional certifications for certain roles and provide training courses to equip their people with the knowledge and skills they need to remain trustworthy and develop strong security habits.
Organizations’ reliance on trust as a control has increased dramatically with advances in information technology and changing work environments. More and more people are being given long-term access to organizations’ critical systems – while there are more short-term contractors and, according to Carl Colwill, it is “now more normal for staff to move between organizations and regions on a regular basis.”
How many organizations truly understand the aggregate risk from the trust they put in their people, from system administrators to everyone who is given a laptop or allowed to use their smartphones and tablets at work?
Insider Risk: Understanding Impact and Likelihood
To understand the risk posed by insiders, businesses must understand both the impact and likelihood of insider threat-driven incidents. In other words, ask yourself what happens when employees break trust, and what’s the empirical probability such incidents will occur in your organization?
Workers need privileges to perform their roles responsibly. A payroll manager, for example, has an obligation to ensure employees are paid the correct amount, which in turn requires access to sensitive salary information.
Privileges should be accompanied by technical and management controls, which are designed to limit risk. Access to payroll data is restricted to authorised individuals and strategic segregation of duties can ensure that sums are valid before being paid, reducing the likelihood of fraudulent payments.
There are limitations to these controls, so privileges always come with some degree of trust. Organizations are trusting that a payroll manager will not divulge salary data maliciously, negligently store it in an unauthorised cloud, or accidentally email it to a list of inappropriate recipients.
ISF Member organizations are adept at estimating impact, supported by tools including the Business Impact Assessment and Business Impact Reference Table highlighted in the ISF Information Risk Assessment Methodology 2 (IRAM2).
Likelihood is more difficult to determine. The likelihood of an insider threat being realized can be thought of as the probability that an insider will behave in a way that does not uphold the trust placed in them. Numerous factors influence whether or not trust will be upheld.
Previous ISF research on insider threats described a useful model to examine what happens when people have motive, opportunity and means. These ideas can be extended by considering how trust plays a role in each type of risky behavior:
Malicious: For malicious incidents, the breach of trust is often clear, as it was when an employee kept sensitive proprietary information after termination and provided it to a competitor where he became a paid consultant.
Whistleblowing is related; however, the intent tends to be based on ideologies or morals. For example, Edward Snowden, who gathered and leaked classified documents on government surveillance, asserts that he acted out of loyalty to defend the US constitution from illegal acts, not out of malice toward his organization.
Negligent: Negligent behaviors often occur when people look for ways to work around policies they feel hinder their ability to carry out their responsibilities. Insiders are expected to follow policy, but may also receive contradictory instructions, such as the need to meet a deadline or financial target.
Most workers recognize the importance of compliance and have a general awareness of security risks. Unfortunately, their workarounds can be less secure than they realise. One worker justified violating policy and using unencrypted USB drives because they are easier to obtain and use than encrypted ones. He mistakenly believed that security could be preserved by simply deleting files after use.
Insufficient oversight can lead to negligent insider risk; negative incidents often call attention to board members’ obliviousness to widespread illegal or risky activities.
Accidental: A large majority of ISF Members have said that accidents were more common and of greater concern than malicious acts. Accidents also form a significant portion of the information security incidents included in Verizon’s 2015 Data Breach Investigation Report.
- More than 100,000 incidents are grouped into nine basic patterns, the largest of which is miscellaneous errors at just under 30 percent.
- Three of the top four categories of miscellaneous errors are accidental behaviors, including misdelivery, publishing error and disposal error.
Managing Insider Risk and Building Internal Trust
Managing risk posed by the insider threat should extend across all three types of risky behaviour: malicious, negligent and accidental. Once the risk is assessed, immediate results can come from applying technical and management controls, and from aligning roles, responsibilities and privileges throughout the employment life cycle.
But that alone is not enough. Businesses must nurture a culture of trust, one where the organization can trust its insiders – and insiders can trust the organization in return. Organizations with a high exposure to insider risk should expand their insider threat and security awareness programs.
The trust organizations are placing in insiders has grown with advances in information technology, increasing information risk and changing work environments. This trend will continue as the volume of information insiders can access, store and transmit continues to soar – and mobile working for multiple employers becomes the status quo.
Recognize that technical and management controls have limitations. Organizations need to trust their insiders to protect the information they handle – and will always face some risk of that trust not being upheld. Remaining purposefully engaged with employees through ongoing oversight and training can help management detect risky activity before it’s too late.
Finally, embrace a deeper understanding of trust. Organizations must understand where and how they are trusting their insiders – and must augment technical and management controls by helping people to become more worthy of the trust placed in them.
Equally, leadership should ensure their organizations are worthy of trust in return.