To protect against insider threats, focus on people, process and technology

When it comes to protecting against the insider threat, too often overlooked (often critically) is how people and process should be set up to mitigate the risk from employee behavior. Such behavior that often causes or aides security breaches.

The notion that IT security is a combination of people, process and technology is nothing new. The triangle is typically invoked to claim there is more to consider than just a tool — it’s not just the tool (the technology), but it is the process of implementing it, and the people involved.

Despite arguments to rebalance this "golden triangle" the pragmatic view still points to the validity of this statement.

The traditional security approach to people and process

The traditional approach is to have a written security policy that new starters in the organisation get given and that sits on the company intranet. That is the basic level, yet IS Decisions research found that only 29% of IT professionals even have this in place for staff to adhere to.

However, even when security awareness training is complete, it often misses the "why." It's important for the whole team to understand the reason these policies are in place.

Why this is proving dangerous in a world of constantly increasing security threats

Even if you do have the basic written security policy, it is one thing having it there and available, but quite another getting employees to take any heed. Your employees are a huge security threat.

Any data leak from your organisation is far more likely to come from an ignorant or careless user who is easily convinced to share their password or a victim of social engineering than it is through a complex system hack.

Investments in technology and solutions are wasted if people and process are not seriously considered

The reality is that both organizations and individuals are still guilty of not doing the basics to mitigate the risk. One typical example from our research is at least one in three employees who leave an organization still have access to the network after termination. If people and processes aren’t doing the basics, you can forget about spending time and money on more complex technology.

Security has to be a balance of technology and organizational culture. Fortunately technology can be used to address culture by helping to educate users and encourage good behavior. An example of this would be reminding users of policy at opportune times, like when they are accessing the network outside of normal working hours.

Technology in isolation is not a silver bullet, but it can be used to address process and people’s behavior, knowledge and attitudes.

How should people and process be set up to protect against the security breaches of today?

There is benefit to adopting a zero trust policy. Especially when your users are poorly educated and bad behavior like password sharing is common. If you set up restrictions on network access that force users to act within the limits of your security policy that should come with education on why those restrictions are in place. Once users understand not only what the restrictions are, but why, they will be more empowered to follow them of their own volition.

This type of informed employee is an important line of defence. With time an informed user can then help protect the corporate resources that are entrusted to them. An example of this would be notifications that alert the user themselves on when their own network credentials are being used.

With stolen or compromised account credentials responsible for several massive data breaches, who better than an informed employee to judge whether an access attempt is normal or part of a compromised attack?

How should a CSO fit into an organisation? Should they have a place on the board alongside the CIO?

Whether the CSO sites on the board with the CIO or not the important thing is that security is a priority from the very top of an organization down. The CIO and even the CEO should see security as part of their responsibility. We have seen recent examples such as the SEC lawsuit against SolarWinds CISO and the company, which should serve as a red flag for all C-level executives that the responsibility for security does not stop at the door of the CSO or even CIO.

Help in training employees on better user behavior

A written policy for staff to adhere to, which a surprising amount or organisations won’t already have, is the first step. Explaining why you have a policy in place and be transparent about the risks it addresses will help staff understand its value and importance. But your policy must be evolving just as technology is evolving, and you need to evolve your users’ education too.

Technology can help you remind users of policy, update them on why it exists and why it may be changing.

How a CIO/CSO can ensure a security education program is effective across an entire organisation

CIOs can educate users on the security policy by working closely with other departments. HR in particular are well placed to identify potential internal threats as they are most likely to be aware of potential disgruntled employees, can keep better track of new starters and employee terminations. They are at the heart of the employee structure.

In terms of technology, CIOs have the power to effectively mitigate threats and reduce the attack surface of an Information System by setting a network on a ‘need-to-know’ and ‘need-to-use’ basis. This will ensure each user within a company only has access to pre-authorized material.