The information security risks posed by insiders are a threat to organisations across all industry sectors and disciplines. Through access to information systems afforded by their status, insiders can cause a loss of intellectual property with damaging effects even greater than those of a large external cybersecurity breach of personally identifiable information. With studies showing that 55 per cent of all attacks come from insiders, countering insider threats is an issue that can no longer be ignored or minimised. Organisations must adapt their security models to properly counter those threats; otherwise, they risk suffering irreparable damage to their finances and reputations.
The following are the key considerations you should bear in mind when laying the foundation for a solid counter insider threat programme. From there, you can begin framing out defensive capabilities through a number of activities designed to allow any technical solutions to target the right data and areas within your organisation.
- Acquire an in-depth knowledge of your data:
According to a survey of senior corporate security executives sponsored by Nuix, 96% of organisations recognise the importance of protecting their information ‘crown jewels’, including personally identifiable information, payment card information and intellectual property. However, nearly one-third (31%) of respondents could not say where this critical value data lay across the enterprise, who had access to it or what people did with it after they accessed it.
This is one of the main reasons organisations take so long to detect and remediate breaches; they don’t know where their high-value or high-risk data is stored, so they cannot target those systems for investigation.
Before doing anything else, it’s vitally important for your organisation to catalogue the information your systems contain by completing a data map and full access audit. Your organisation must know which server the data is on, where it is physically stored, and who has access to it. Once you have a plan in place, you should regularly review and update this information to make sure it is always up to date.
- Identify your crown jewels:
When organisations try to protect too much information too soon in the process, they run the risk of spreading precious resources too thin. Instead, focusing on your “crown jewels” – high-value and high-risk information – enables you to create priorities by considering which applications or data would cripple the organisation if they were compromised and placing those specific items at the top. While massive databases of customer data are very important, sometimes specific documents like strategic plans or company financials would prove more damaging if they fell into the wrong hands. This “critical value data” is easier to identify and protect than huge sets of data, which can come later on in the process.
- Technology should support a strategy and not be the strategy:
How can an organisation ever begin to determine which tool will be right for it if it doesn’t know what it needs the tool to do? Most organisations know that they need tools to protect their critical value data. The problem is, they don’t know exactly what they need beyond vague ideas such as ‘a tool to counter cyber threats’ or ‘to identify and counter the potential of an insider threat.’
Those who begin the quest for better security by asking “What tool should we purchase?” have a long, uphill and difficult road ahead of them. You and your organisation are better served by starting with defining, planning, organising and prioritising clearly written policies that define the ground rules the counter insider threat programme should follow, expectations from employees and escalation paths when a potential insider is discovered. Once this is done, you can then move on to acquiring the relevant tools, safe in the knowledge that they will support your policies and needs.
- Invest in training and education in order to avoid distrust and avoidance:
Employee referrals and support are just as important as monitoring tools, and a successful employee education programme helps to strengthen all other counter insider threat measures. However, precisely because counter insider threat programmes are about people, senior leaders, mid-level managers and even employees react to them innately, sometimes inordinately, with distrust and avoidance. Many of their concerns are valid, which is why we must design and implement insider threat programmes with care and understanding in order to prevent employee distrust and avoidance. The key is to design a programme that contemplates privacy and civil liberties while at the same time protecting the organisation’s critical value data. It’s imperative to highlight that the programme is not “Big Brother” watching, but rather a well-meaning and thoughtful practice that protects and even empowers employees across the organisation.
Most organisations that create programmes tend to put them beneath a technical or security department, thus diluting their significance and distancing them from the C-suite. This also has the unintended consequence of forcing upon the programme a technology focus, which usually further hampers its ability to succeed. Building and implementing an effective counter insider threat programme is about technology, and also about people. Getting buy-in from all departments ahead of time, answering operational questions, gaining approvals and setting authorities in place all make for a smooth operation.
Creating an effective programme takes careful planning, intelligent processes, the right technology implemented for the right reasons, and dedicated staff and management. Attacks are going to happen – the only way to counter them is by ensuring everyone works together with no ulterior motives, without being held back by bureaucracy or bottlenecks. Just because this is difficult, it does not mean that it’s impossible.