The COVID-19 pandemic has challenged both commercial and government organizations to grow their remote workforces. As organizations rush to find suitable online meeting tools and virtual private networking (VPN) technology and to sharpen remote workforce policies, investing in insider threat policies and tools should also be a priority. Without in-office interactions, gone are the days of simply relying on human resources’ (HR) observations or employee reporting to identify insider threats. With unemployment at over 13%, prospective employees are also more willing to exaggerate applications, resumes, and other self-reported forms. While there is a lot you can do to mitigate insider threats, prevention is still an inexact science with known shortfalls. This article will address:
- Damage insider threats can cause
- Considerations in preparing an insider threat plan
- Processes, data, and technologies that can enhance insider threat prevention
- Known security blind spots for consideration
Damage Caused By Insider Threats
Why are insider threats worth your time? Suffice it to say, there are numerous articles and studies on exactly how dangerous successful insider threat attacks can be, so I will keep this succinct. According to IBM and the Ponemon Institute’s annual Cost of a Data Breach Report:
- Insider threats accounted for 50% of all breaches – 49% related to negligent employees or technical errors and 51% from malicious insiders.
- Over 50% of data breaches in the study resulted from malicious cyberattacks and cost companies $1 million more on average than those originating from accidental causes.
- The average cost of a data breach in the US is $8.19M, while the global average cost is $4.45M.
Types of Insider Threats
Not all insider threats are created equal. Given the unpredictable nature of life and people, insiders can be a blend of different categories of people or quickly move and change between categories altogether. Furthermore, these roles can vary somewhat according to industries or cultures.
- “Ignoramus” – untrained and no perception of consequences
- Sloppy – trained and aware – but careless due to extenuating circumstances
- Compromised – under pressures to do something they normally wouldn’t
- Malicious – driven by emotion, greed, or anger
- “Infiltrator” – state-sponsored or activist trying to destroy or steal confidential, proprietary information
Agreeing on the definition of an insider threat is often the first step in prevention. The Intelligence and National Security Association (INSA) defines an insider threat as,
While this is a broader definition, it passes the common sense test and helps organizations understand what they’re up against – including everything from workplace violence to espionage. If organizations cannot agree to what they are trying to prevent, then it will be extremely difficult to agree on an insider threat plan and implement prevention technology.
Once a definition is adopted, organizations can do a lot internally to ensure fundamental insider threat prevention is in place. Note that these steps should be complete prior to investing in prevention technologies. These organizational steps include:
- Intent: Ultimately, the intent of a good insider threat plan includes helping employees and is not simply about finding “bad actors”. Based on the tools and technology employed, an insider threat program will predominantly uncover employees who are having medical, financial, or other challenges. Therefore, it’s critical for organizations to consider the range of circumstances faced and ensure that plans reflect empathy towards employees and not just punitive actions.
- Establishing an Insider Threat Advisory Committee: Senior stakeholders from across the organization, including HR, security, IT, and the executive leadership team, who will work together to build an insider threat plan and policies and to make the associated legal or ethical decisions.
- Building an Insider Threat Plan: This includes standard operating procedures, guidelines, and responsibilities for preventing insider threats. The following necessities are also worth mentioning:
  - The Right Attitudes: Insider threat plans often require employees to flex outside of traditional duties because most organizations cannot simply hire personnel immediately.
  - Awareness and Training: This ensures organizational understanding and builds muscle memory to prevent ignoramus-type threats.
  - Pre-hire and Third-party Policies: A good plan includes screening personnel before they access organizational data and resources, including new hires, partners, and other third parties.
  - Communications: Who accesses, manages, coordinates, and takes action on this data?
  - IT Security Basics: Without implementing Identity and Access Management (IAM), data/file encryption, and intrusion detection/prevention technologies you won’t be able to safeguard data from any threats, so consider these tools mandatory.
I am breaking down the technologies into two categories that I call “enablers” and “insider threat specific” technologies. Enablers are cost-efficient technologies that deliver insights without network installation or heavy IT lifts. Deciding what data to use and how to use it is a key decision for each organization:
- Credit Data: It’s not just for banks anymore! Affordably priced and very informative, credit data stays ahead of potential financial challenges that could result in abnormal actions from employees – just ensure your organization is on board.
- Criminal Data: This is push data that provides near-real-time reporting of employees’ arrests and other legal matters that can adversely affect performance.
- Other Regulated Data: This data is rarely used commercially and is used only after suspicious activity is identified. If this sounds creepy or “big brother”, consider that this is exactly how Facebook and other social media platforms send location-based ads, along with selling this data to third parties.
- Social Media Data: This data analyzes content from publicly available platforms such as Facebook, Instagram, LinkedIn, etc., to provide insight into employee activity.
- Workplace Assurance Technologies: This technology integrates credit and criminal data within a legally compliant framework to ensure your insider threat plan and associated actions meet legal scrutiny.
- Artificial Intelligence (AI): It’s the hottest buzzword these days, and for good reason. These technologies, including Clearspeed Verbal, an AI-enabled technology that leverages validated voice analytics, provide a unique data point and a more informed decision aid. For most AI-based solutions, you’re only as good as your data, so it’s critical to have a significant amount of data and a firm understanding of the type of data being used. Some solutions are created from AI and can be employed swiftly, whereas others provide an AI engine for organizations to learn from their own data; it’s important to understand the difference!
The common suite of insider threat specific technologies include:
- User-Behavioral Analytics (UBA): captures each user’s network activity (files, apps, web activity, printing, etc.), baselines that activity, and alerts according to user-defined parameters.
- Data-Loss Prevention (DLP): focuses on network data and prevents users or intruders from stealing it.
- Network Flow Analysis: monitors data traffic to determine what information is leaving the network.
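To make the UBA description concrete, here is an added example (not code from the original post or from any product it mentions) of the baseline-and-alert loop in Python. The audit-log format, the users “alice” and “bob”, their daily counts, and the thresholds are all constructed for illustration; a real UBA product ingests far richer telemetry, but the core logic is the same: learn each user’s own normal, then alert when today’s activity exceeds it by a user-defined margin.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed audit-log lines (hypothetical users and counts), one line per
# user per day: "<date> <user> <metric>=<count> ...". The first five days are
# the learning window; 2020-06-08 is the day under review.
SAMPLE_LOG = """\
2020-06-01 alice file_read=40 print_pages=5 offhours_login=0
2020-06-02 alice file_read=38 print_pages=4 offhours_login=0
2020-06-03 alice file_read=45 print_pages=6 offhours_login=0
2020-06-04 alice file_read=42 print_pages=5 offhours_login=0
2020-06-05 alice file_read=41 print_pages=5 offhours_login=0
2020-06-01 bob file_read=20 print_pages=10 offhours_login=0
2020-06-02 bob file_read=22 print_pages=12 offhours_login=1
2020-06-03 bob file_read=19 print_pages=11 offhours_login=0
2020-06-04 bob file_read=21 print_pages=9 offhours_login=0
2020-06-05 bob file_read=23 print_pages=10 offhours_login=1
2020-06-08 alice file_read=400 print_pages=6 offhours_login=3
2020-06-08 bob file_read=24 print_pages=11 offhours_login=0
"""

Observation = Tuple[str, str, Dict[str, int]]  # (date, user, {metric: count})


def parse_log(text: str) -> List[Observation]:
    """Parse the constructed log format into (date, user, metrics) tuples."""
    rows: List[Observation] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, *pairs = line.split()
        metrics = {}
        for pair in pairs:
            name, value = pair.split("=", 1)
            metrics[name] = int(value)
        rows.append((date, user, metrics))
    return rows


def build_baselines(rows: List[Observation], review_date: str):
    """Per (user, metric) mean and population std dev over days before review_date.

    ISO dates compare correctly as strings, so a plain '<' selects history.
    """
    history = defaultdict(list)
    for date, user, metrics in rows:
        if date < review_date:
            for name, value in metrics.items():
                history[(user, name)].append(value)
    return {key: (mean(vals), pstdev(vals)) for key, vals in history.items()}


@dataclass
class Alert:
    user: str
    metric: str
    observed: int
    baseline_mean: float
    zscore: float


def detect(rows: List[Observation], review_date: str,
           z_threshold: float = 3.0, min_delta: int = 2) -> List[Alert]:
    """Flag metrics on review_date that exceed the user's own baseline.

    z_threshold and min_delta are the 'user-defined parameters': how many
    standard deviations above the mean counts as abnormal, and the smallest
    absolute increase worth alerting on (so a user whose baseline is a flat 0
    does not page the analyst on a single stray event).
    """
    baselines = build_baselines(rows, review_date)
    alerts: List[Alert] = []
    for date, user, metrics in rows:
        if date != review_date:
            continue
        for name, value in metrics.items():
            if (user, name) not in baselines:
                continue  # no history for this user/metric: nothing to compare against
            mu, sigma = baselines[(user, name)]
            delta = value - mu
            if delta < min_delta:
                continue
            # A flat baseline (sigma == 0) makes any real increase infinitely unusual.
            z = delta / sigma if sigma > 0 else float("inf")
            if z >= z_threshold:
                alerts.append(Alert(user, name, value, mu, z))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG), "2020-06-08"):
        print(f"ALERT {a.user} {a.metric}: {a.observed} vs baseline "
              f"{a.baseline_mean:.1f} (z={a.zscore:.1f})")
```

Run as-is, it flags alice’s 400 file reads and her three off-hours logins on the review day, while bob’s slightly elevated file reads stay under the threshold. The `min_delta` floor is the part most often forgotten in home-grown detections: without it, a metric that was always zero produces an alert on the first single event, which is exactly the noise that trains analysts to ignore the tool.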
As you can see by the list above, there is no shortage of tools and data. Unfortunately, insider threats are somehow still making weekly headlines. While an insider threat plan with integrated technology can mitigate some types of insider threats, there are still significant blind spots that need to be understood:
- Simple Avoidance or Circumvention – Insider threat technologies are widely publicized, and sophisticated insiders simply know how to avoid them. For instance, if an employer collects criminal data and employs UBA, employees who stay out of trouble and are careful on the computer network will stay off the radar. If employees cannot, they are likely not an advanced or sophisticated insider threat.
- Self-reported Data – What’s accurate and what’s not? We all know how human nature works: people would rather not disclose information that could decrease their odds of getting a job or clearance.
For hiring, some resume information can be verified, including employment (date, position, company), degrees, certifications, etc., and there is no shortage of services to assist organizations. However, some data cannot be verified due to legal limitations on what previous employers can provide, including previous accomplishments in a role, disciplinary action (not part of a criminal report), the ability to work with others, and various other information that is important to a successful hire.
Self-reported information required for a security clearance is a lot more complicated. Criminal activity and previous addresses are straightforward, but finding information to debunk self-reported claims regarding substance abuse, foreign influence, and mental health can be very tricky. Unfortunately, if self-reported information can’t be proven wrong, it’s assumed accurate and clearances are granted.
- Foreign Persons: There is limited information available on foreign persons because most countries do a poor job of documenting information, making criminal, credit, and other data hard to come by. For US companies with local nationals or nationals of other countries on their payroll, making informed decisions is challenging and exposes organizations to unique risks such as IP theft and insurance fraud.
- Unique Exfiltration Capabilities: As technology advances, so do potential risks to employers. While most organizations have developed ways to thwart removable hard drives, mobile devices, and cloud drives on IT assets, sensitive data can still be at risk. Employees capturing data through memorization, cameras, or other unique methods are still a risk for most organizations.
Insider threat programs are not currently mandated for commercial companies like they are for cleared government contractors. However, government resources on insider threat programs are open to the public and full of useful information:
- Executive Order 13587, Structural Reforms to Improve Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
- National Industrial Security Program Operating Manual (NISPOM), DoD 5220.22-M Change 2 at paragraph 1-202
- Center for Development of Security Excellence (CDSE)
We have covered a lot for a short blog! If you take anything away, it should be that risk will never be reduced to zero, and insider risk, the most dynamic form of risk to any organization, requires above all else a holistic, redundant, and sophisticated management and mitigation methodology of human-machine teaming that is built on trust. Success must start there, with an honest internal assessment of weaknesses and gaps and then strong leadership committed to attacking the blind spots, but doing so with empathy in a manner that enables trust as a part of the security strategy. Trust enablement is fundamental in the trans- and post-COVID landscape because one thing we know for certain is that while the world changes in ever-increasing and unpredictable fashion, human nature does not, and the key to mitigating and preventing insider threats must start there.
I wish readers every success and welcome feedback, further insights, or thought-provoking conversations on insider threat prevention. If I can answer questions or explain how Clearspeed Verbal can support your insider threat objectives, please don’t hesitate to reach out! I can be reached at Kris.firstname.lastname@example.org.