Safeguarding against the insider threat

The insider is still one of the most vulnerable elements of cybersecurity and it was the discussion of the recent Modern Workplace webcast on cyber intelligence and the human element.  Insiders are those who are authorized to work on company systems or in company facilities and they include trusted employees and contractors.  Whether it is through human error, social engineering, or intentional action, insiders are the cause of a significant portion of malware infections, data breaches, information theft, and privacy violations.

There are some key strategies you can use to safeguard against the insider threat.  First, technical controls can reduce the burden placed on insiders or minimize the potential damage done by insiders.  However, the insider threat cannot be solved entirely by implementing more technical controls.  No, human behavior is far different from a computer system and cannot be changed with by flipping a switch or changing a bit.  Companies need effective security leadership, security awareness training, and assessments and metrics.

Technical controls

Technical controls need to be implemented in such a way that they make it easy for users to do their job, while still remaining secure.  Systems that become too difficult to use when security controls are applied are the systems that will see less use as employees find workarounds.  For example, a company may implement more stringent password policies and change intervals only to find that users are storing the passwords unencrypted in phones, memo pads, or on the calendar at their desk.

Not implementing technical controls can have the same effect.  A company without adequate spam filtering could see users utilizing personal cloud email accounts for company email to avoid having to sift through mass amounts of spam.

Security leadership

Leaders should set an example for other employees and their subordinates by following secure computing practices.  They can also set an example by choosing where to spend money.  Information security needs to have an adequate budget and spending should be consistent and proactive rather than spike immediately following a security incident.  In the Modern Workplace webcast on cyber intelligence and the human element, Phil Ferraro, Nielsen CISO, said that it is essential for business leaders to understand that cyber risk is business risk.  This is more than an IT problem.

Awareness training

Awareness training is essential for teaching employees how to do their jobs safely.  Almost everyone uses a computer on the job and this means that they are interacting with organizational apps and data.  End users need to understand how to recognize phishing messages, including targeted spear phishing messages, as well as other social engineering schemes such as fake social media accounts, unsafe instant messages and text messages, or deceptive phone calls and voice mails.

People need regular reminders in order for information to stay top of mind.  It is not enough to conduct training once a year.  Training should be augmented with emails that inform users of new techniques and attacks or remind them of what they learned in training.  Posters and signs can also help employees remember their training.

Assessment and metrics

Follow up security awareness training with assessments such as online quizzes or questionnaires.  You may also consider conducting social engineering penetration testing by phishing your own users.  These assessments can help identify those that still make mistakes or do not fully understand the material so that you can focus additional training on those users.

It is also helpful to establish meaningful metrics on security performance.  Report on these metrics in company meetings so that employees know that it is important to the organization.  Use security metrics in employee reviews and reward employees and groups when security goals are met.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Who’s stealing your data?

Here is a fact that many of us would like to forget.  Most data theft occurs by insiders.  This is often termed the insider threat or the human threat.  Insiders are the people who would usually be considered very trustworthy.  However, all it takes is some incident or life change to occur that can motivate someone to commit a crime.

An evaluation of cases of insider theft has provided statistics useful in identifying the types of employees who are most likely to threaten information security.  Surprisingly, it’s not the underpaid computer guru working in the server room.  According to data from the Software Engineering Institute at Carnegie Mellon University, information theft is more likely to occur with those who serve in a managerial capacity in a non-technical role.  These individuals are usually between the ages of 26 and 40 and they are more likely to steal business data than Personally Identifiable Information (PII).

Equally important is that very few data thefts were discovered by the use of technology.  Rather, security awareness and incident response played a greater role in the detection of these crimes. Unfortunately, these competencies are neglected in many businesses.  The majority of cases were detected by employees who reported suspicious or unusual activity, customers who complained or by auditors.

Ensure that your incident response plans include response to the insider threat.  This includes computer forensic imaging and proper evidence handling procedures since these cases often result in litigation.  Train employees on how to recognize suspicious activity and whom to contact when they observe it.  Lastly, set up methods for anonymous reporting and whistleblowing.