Cyber threats come in various forms. A diverse threat actor landscape consisting of criminals, espionage actors, hacktivists, and more have demonstrated how successful they can be launching remote attacks. Gaining unauthorized access into networks, stealing sensitive intellectual property, financial, and personal identifiable information, and conducting defacements and denial-of-service attacks, are just some ways these hostile elements target organizations in both the public and private sectors.
One class of actor that often gets overlooked is the insider threat, largely because they represent a hybrid type of actor that capitalizes on his physical access to conduct malfeasance, often leveraging some cyber aspect in the fulfillment of his goals.
Insiders can both be witting and unwitting. The unwitting or careless insider is an individual with legitimate accesses but who through poor judgment commits a security infraction that results in potential consequences for his organization (e.g., think the insertion of a USB key into an organization's network).
The witting or malicious insider is an individual that makes the conscious decision to abuse his access in order to obtain sensitive and/or financial information for personal gain or purposeful malicious intent (e.g., an individual like Chelsea Manning orEdward Snowden fits this category).
A third type of insider is the remote actor or masquerading insider who has compromised legitimate credentials in order to gain access as a trusted individual on an organization's network. One thing that all of these three types have in common: once inside, perimeter security can do little to deter their actions.
Recent reports have discovered that insiders still constitute the biggest threat to most organizations.
- According to a 2015 PriceWaterhouseCoopers report, current employees were the biggest cause of security incidents surpassing hackers, contractors, and organized crime.
- According to a 2015 Vormetric report, 89 percent of global respondents (800 senior managers and IT professionals) believed that their companies were at risk from the insider threat.
- Negligent and malicious insiders constituted approximately 61 percent of security breaches, according to respondents (3,500 IT and IT security practitioners in eight countries) of a 2013 Ponemon Institute report.
One thing is certain: protecting, mitigating, and remediating against the insider threat is a complex and cross-functional matter. Technology alone cannot help mitigate the insider threat; human involvement is critical to helping identify and reduce the risk of this threat. For the purposes of this article, I would like to focus on the human aspects of mitigating the insider threat.
- More robust screening process for employees: Mitigating the potential insider threat starts at the hiring table, which is the first opportunity an organization has to review and evaluate prospective candidates. All prospective applicants should undergo an extensive interview process as well as a background check that includes contacting professional references to help identify potential "red flag" areas. Early alerting can allow an organization to engage in more specific discourse with the applicant providing more opportunity to better evaluate the individual.
- Limit/monitor employee access: Employees do not necessarily need authorized access to every network, database, and process. Organizations need to understand that by limiting access to only what employees need to fulfill their work responsibilities will ultimately reduce the chance of information spillover or leakage as a result of a security incident. While some organizations may balk at monitoring employees' activities on the network, it is a proactive way to provide early indications of potential malfeasance particularly if an employee is trying to access an area to which he doesn't have privileges.
- Employee education: Employees need frequent and updated security awareness training to inform them of the latest tactics, techniques, and procedures used by hostile actors to include spearphishing, spoofing, and social engineering. Training needs should be specialized so that employees understand not only the threat but how to better secure the information and accesses that they have. Instilling this sense that security is everyone's responsibility and not just the IT department is critical for individuals to be more vigilant in how to properly handle information. Considering that a recent survey byCoSoSys revealed that 35 percent of employees didn't believe data security was their responsibility shows that more needs to be done with ensuring that the work staff is kept current on security matters.
- Employee behavior: It may be difficult to identify anomalies in employee behavior without having set baselines of "normal" behavior for that individual. Absent having such baselines, there are some behaviors that may seem out of place or uncharacteristic that may solicit attention. Such activities such as (increased or first time) use of removable media, increased printing habits, working outside normal customary work times, or increased remote log-ins can be the types of indicators that warrant closer inspection.
Sign up for CIO Asia eNewsletters.