View original article published on Forbes here.
Author: Aaron Pritz, CEO, Co-Founder – Reveal Risk
In September, I published “The Threat Within: Understanding and Driving Effective Threat Programs” to help leaders understand the importance of managing information security insider threat risks. I discussed the nuances that require insider threat programs to be highly cross-functional and built around the business. This article gets into the key ingredients for building and maintaining a successful program.
According to a recent report from Forrester Research (via Digital Guardian), “Analysts there predict insider data breaches will increase 8% in 2021 and that a third (33%) of all incidents will be caused internally. That number is up from its estimated figure of 25% of all incidents this year.” The report goes on to recommend that, “As firms add capabilities for detecting insider threats, they will also be able to identify and attribute more incidents to insider activity than they were previously. Give specific focus to insider threat defense, emphasize employee experience to avoid turning employees into malicious insiders, and remember that trust is not a control.”
The August 2020 example of Tesla’s insider threat near-miss reminds us that our workforce’s understanding of these threats is a critical component of success. According to the filing by the prosecution, “The purpose of the conspiracy was to recruit an employee of a company to surreptitiously transmit malware provided by the coconspirators into the company’s computer system, exfiltrate data from the company’s network, and threaten to disclose the data online unless the company paid the coconspirators’ ransom demand.”
These types of attackers will go to significant lengths to get to the right insiders, accounts or credentials to enable them to accomplish their ill-intentioned objectives. Things ended well for Tesla, but the story rarely ends so pleasantly. The September Shopify insider threat example included “actions of rogue employees” inappropriately accessing customer transaction details.
Given that wishful thinking is not a strategy for managing risk, here is a strategic recipe with five key ingredients to address insider cyberthreats:
1. Stakeholder Analysis/Management
Who are the influential leaders in your company that would potentially support this initiative? These leaders could provide leadership, sponsorship or decision-making, or they could act as ambassadors or advocates for your efforts. Think cross-functionally across HR, IT, info security, physical security, compliance and all senior leaders.
Insider threat programs are, by nature, human-centric, regardless of the technology that may support the effort. Mapping the various kinds of stakeholders and their spans of influence can be a very productive exercise. From there, build an appropriate cross-functional team and secure sponsorship.
2. Business Risk Analysis
I recommend starting with business risk and then getting into people and technology risks. Surfacing your top business risks from an insider threat standpoint should not be a technology-focused conversation. You need to engage with key stakeholders across all functions of the company to understand what information, information assets, business processes and third parties matter most to each area.
I have conducted numerous workshops to help companies map out their business risks specific to insider threat and broader cyber risk. While there is an art to this type of facilitation, the key is to find out which disruptions to their business functional leaders are most concerned about.
Gerry Owens, a financial sector cybersecurity leader, recently spoke at the People in Cyber conference in Canada about business risk analysis, stakeholder engagement, and being careful not to make insider threat and privileged access management programs strictly a technology initiative.
3. Capability Gap Assessment And Roadmap
Before starting from scratch, take inventory of what elements your company may already have in place. Many companies attempt to reinvent the proverbial wheel rather than taking inventory of existing programs and capabilities that could contribute to their insider threat program.
Capability mapping can help. Examples of typical reusable nuggets would be:
• Human resources: Job models, HR policies and codes of conduct.
• Corporate security: Policies, background checks, at-risk employees, monitoring and enforcement.
• Cybersecurity: Monitoring and detection, data classification, data loss prevention, and privileged access management.
• Business units: Business process definitions, data flow mappings and data stewards.
• Operational risk: Corporate policies and enterprise risk management.
4. Insider Threat Persona Analysis
Persona analysis can help an insider threat program segment its workforce by types of roles, departments, risks, profiles, etc. This segmentation into personas is necessary for thinking about workforce-focused interventions more holistically.
Once you have your personas, you can focus on people, process and technology solutions such as:
• High-risk processes/transactions.
• Identity security (managing privileged access and avoiding toxic combinations of privileges).
• Specific education, job expectations and other human risk reduction efforts.
• Notification of extra monitoring based upon the risk of the role (privacy laws can constrain what insider threat monitoring activities are permitted).
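The “toxic combinations of privileges” item above is a separation-of-duties problem that can be checked mechanically once personas and role-to-entitlement mappings exist. The following is an added illustration, not code from the original article or from Reveal Risk: it defines a constructed toxic-pair matrix, constructed role and user data, a detection pass over existing assignments, a pre-grant check an access-request workflow could call before adding a role, and a simple KRI (share of identities carrying at least one toxic combination) of the kind Step 5 recommends tracking. All role, entitlement and user names are assumed sample values.

```python
"""Separation-of-duties (toxic combination) check over role assignments.

Added example; not part of the original article. All names below are
constructed sample data, not real roles, entitlements or people.
"""

# Constructed: pairs of entitlements that should never sit with one identity.
TOXIC_PAIRS = {
    frozenset({"vendor_create", "payment_approve"}),   # create payee + pay payee
    frozenset({"gl_post", "gl_reconcile"}),            # post entries + reconcile them
    frozenset({"prod_db_admin", "backup_delete"}),     # alter data + destroy the backup
}

# Constructed: role -> entitlements the role grants.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"vendor_create", "invoice_enter"},
    "ap_manager": {"payment_approve", "invoice_enter"},
    "accountant": {"gl_post"},
    "controller": {"gl_reconcile"},
    "dba": {"prod_db_admin"},
    "backup_operator": {"backup_delete"},
}

# Constructed: user -> roles currently assigned.
SAMPLE_USERS = {
    "alice": ["ap_clerk", "ap_manager"],
    "bob": ["accountant"],
    "carol": ["dba", "backup_operator"],
    "dave": ["ap_clerk"],
}


def effective_entitlements(roles, role_map=ROLE_ENTITLEMENTS):
    """Union of the entitlements granted by every role in `roles`."""
    ents = set()
    for role in roles:
        ents |= role_map.get(role, set())
    return ents


def find_toxic_combinations(user_roles, role_map=ROLE_ENTITLEMENTS, toxic=TOXIC_PAIRS):
    """Return {user: [sorted (ent_a, ent_b), ...]} for every user whose
    combined roles grant both halves of at least one toxic pair."""
    findings = {}
    for user, roles in user_roles.items():
        ents = effective_entitlements(roles, role_map)
        hits = [tuple(sorted(pair)) for pair in toxic if pair <= ents]
        if hits:
            findings[user] = sorted(hits)
    return findings


def would_create_toxic(user_roles, user, new_role,
                       role_map=ROLE_ENTITLEMENTS, toxic=TOXIC_PAIRS):
    """Pre-grant check: would adding `new_role` to `user` create a toxic
    combination? Intended to gate an access request before it is approved."""
    proposed = list(user_roles.get(user, [])) + [new_role]
    ents = effective_entitlements(proposed, role_map)
    return any(pair <= ents for pair in toxic)


def toxic_combination_rate(user_roles, role_map=ROLE_ENTITLEMENTS, toxic=TOXIC_PAIRS):
    """KRI: fraction of identities carrying at least one toxic combination.
    Tracked over time, a falling value demonstrates risk reduction."""
    if not user_roles:
        return 0.0
    findings = find_toxic_combinations(user_roles, role_map, toxic)
    return len(findings) / len(user_roles)


if __name__ == "__main__":
    for user, pairs in find_toxic_combinations(SAMPLE_USERS).items():
        for a, b in pairs:
            print(f"{user}: toxic combination {a} + {b}")
    print("pre-grant check bob + controller:",
          would_create_toxic(SAMPLE_USERS, "bob", "controller"))
    print(f"KRI toxic-combination rate: {toxic_combination_rate(SAMPLE_USERS):.2f}")
```

The detection pass is what a periodic access review would run against an identity system export; the pre-grant check is the “avoiding” half, since it refuses the request before the toxic state exists rather than cleaning it up afterwards. In practice the toxic-pair matrix comes from the business risk analysis in Step 2, with process owners naming which pairs of duties must be separated.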
5. Demonstrate Your Risk Reduction
Execute your program using an agile approach with iterative learning cycles and continuous improvement. I do not believe it is possible or fruitful to build out an insider threat program in one big effort. Insider threat risks adapt as quickly as your business does, so insider threat should not be a “project” or “program” with a beginning and an end.
Some key tips and tricks I have picked up over the years include:
• Do not make the program impractical for the organization to consume. Be aggressive but realistic.
• Continuously identify and refine high-risk business processes and critical high-risk privileged access sources.
• Use KPIs and KRIs (KPIs help to establish the program and milestones; KRIs measure risk reduction over time).
In a recent article aimed at predicting 2021 cybersecurity trends, David Higgins outlines how the pandemic has created tremendous pressure on employees and their families, signaling a continued rise in insider threat events. In summary, if you use these five strategic recipe “ingredients” to help formulate your company’s approach to managing insider threats, you will have the best shot at managing your company’s insider threat risks.
At Reveal Risk, we evaluate, design and deliver strong processes and results in cyber, privacy and risk that work efficiently, are fit for purpose, and are sustained. If you would like assistance in building your company’s cybersecurity strategy, governance, and plan towards your desired state of maturity, please don’t hesitate to connect with us at firstname.lastname@example.org.
About the Author
Aaron Pritz is a senior IT/Security/Privacy/Risk leader with over 20 years of experience, including at a large pharmaceutical company in the Midwest. Aaron co-founded Reveal Risk in 2018 after seeing significant corporate leadership and “execution of strategy-to-operations” capability gaps in the cybersecurity and privacy consulting industry. Aaron is a creative-thinking strategist who brings strategies to life through engaging approaches and teamwork. He is an active industry influencer and speaker on the topics of business-driven risk management, insider theft, and cybersecurity in healthcare, and is no stranger to helping companies progress both before and after incidents/breaches (ideally the former!).