
Pillars of a Solid Insider Threat Program

By Corey Reitz posted 04-28-2021 16:35


According to a report released in 2020 by the Ponemon Institute, “the number of insider-caused cybersecurity incidents increased by a whopping 47% since 2018” [1]. Insiders are trusted individuals who work for an entity and, as a result, are privy to systems and information that are not available to the public. Proprietary information within a company or government agency often has great economic value, and if this key information is altered, destroyed, stolen, or exposed to unauthorized individuals, the damage can be severe. Insider threats come in at least two varieties: the negligent insider, who ignorantly or carelessly places company information at risk through lax information protection practices, and the malicious insider, who pursues self-serving objectives, lacks loyalty to their employer, and intends to cause harm.

Examples of negligent insiders include employees who click on suspicious, phishy emails, system administrators who do not patch their systems regularly, and employees who plug “free” USB storage devices obtained at conferences into their computers. Two intentional insiders recently in the news are Anthony Levandowski and Mittesh Das. In the summer of 2020, Anthony Levandowski pleaded guilty to trade secret theft for downloading thousands of sensitive files from Google’s self-driving car program to his personal laptop just prior to taking a job at Uber [2]. In another shocking case, Mittesh Das, a contractor supporting the Army, was found to have planted a logic bomb to disrupt a payroll computer system after learning that the services his company provided would no longer be needed [3].

Detecting and mitigating insider threats is tricky, so it is important to bring the best minds from various functional areas together to create a solid insider threat program. The team should at least include individuals from IT, Cyber, Legal, and HR who are well informed about the business (strengths and weaknesses), its risks (technical, legal, reputational), and its infrastructure (systems, organizational structure). Once you have the right people identified, it is recommended that you work with the team to set up a comprehensive insider threat program based on the following pillars: system inventory, information categories, protection, monitoring, remediation, and communication, while incorporating the people, processes, and tools within the enterprise.

A comprehensive insider threat program should begin by taking inventory of the systems and data within the enterprise that are of value. The adage “you cannot protect what you don’t know you have” holds true here. Ideally, incorporate a software system and corresponding processes to track your systems and key data sources, so that you can keep track of changes as they inevitably occur within your dynamic business and maintain an inventory that is always up to date. Once you know what you have, categorize your data into a taxonomy that identifies the types of information, the corresponding value of each category of data, and, where applicable, the legal requirements that must be met (e.g. personal health information, financial information, and personally identifiable information). Once the information is categorized, it is time to create a strategy for protecting, monitoring, and remediating information compromises within your business.

Your strategy should be based on compliance with legal and regulatory requirements, your risk tolerance, and a deliberate determination of the resources you are willing to expend to protect each information category. Be aware that there are many resources to help you as you strive to defend your information, including information security frameworks such as ISO/IEC 27001 [4] or NIST SP 800-53 [5], and other resources such as training and tools from entities such as Carnegie Mellon’s Software Engineering Institute [6] or the National Insider Threat Task Force [7], to name just a couple. Finally, take time to communicate effectively with the employees within the entity: provide sufficient and ongoing training on information protection best practices, inform the staff of how to identify and mitigate risks that are common to your industry, and institutionalize specific processes and best practices (e.g. the principle of least privilege and defense in depth) that are to be followed so that information is protected while the business is enabled to succeed.

It is important to see the creation of an insider threat program not as a discrete event, but as an ongoing cost of doing business in the digital age. Resources need to be committed on an annual basis to ensure that the business is adequately adjusting to new regulatory requirements, corporate infrastructure changes, business growth in new industries, maturing best practices, and the ever-changing threat landscape. Under the leadership of a cross-functional insider threat team that is built on the pillars of a solid insider threat program, the future is bright!



[1] https://www.observeit.com/cost-of-insider-threats/
[2] https://www.justice.gov/usao-ndca/pr/former-uber-executive-sentenced-18-months-jail-trade-secret-theft-google
[3] https://www.justice.gov/usao-ednc/pr/georgia-man-sentenced-compromising-us-army-computer-program
[4] https://www.iso.org/isoiec-27001-information-security.html
[5] https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
[6] https://www.sei.cmu.edu/our-work/insider-threat/
[7] https://www.dni.gov/index.php/ncsc-how-we-work/ncsc-nittf

