The Future of Addressing Insider Threat
All data is from the IS Decisions’ research report User Security in 2015: The Future of Addressing Insider Threat, a study into the opinions and immediate plans of 500 IT decision makers in regard to tackling the insider threat.
It could be argued that we’ve reached a kind of tipping point for internal security over the last year. When we conducted research for The Insider Threat Manifesto a year ago, the findings generally told us that insider threats were a low priority security issue, in comparison to external threats like hackers or viruses.
But now, even if just a fraction of IT professionals follow through with their plans, we should see the majority have an insider threat programme in place within the year.
The lessons from recent high profile security breaches underline how IT professionals are looking to take a joined-up approach of better user education and technology solutions across the whole enterprise. Technology is available that helps secure access to company resources, protect from outside attacks, and protect users from their own careless behaviour.
We’re also seeing change in the way consumers view companies and their security policies. If the board is not hearing the call for more responsibility from IT professionals, perhaps it will soon hear it from consumers.
Looking further ahead, IT professionals know there is no silver bullet. The layered approach is more relevant than ever. Security is still, and will continue to be, built in layers to provide better protection, while there’s agreement that more needs to be done to create national and international standards.
If you are an IT professional implementing an insider threat program, make sure you implement the right technology and tools, with the right training and other cultural elements.
Here’s a 12-step guide to help ensure that it’s set for the future of internal security:
1. Educate users
This one is obvious, but the best place to start in combating insider threat is in educating your users better. That means more training, delivered in more innovative and engaging ways, together with the right technology to grow awareness.
57% of Insider Threat Programs will include organization-wide security training.
2. Use technology
The majority of IT professionals will be spending more on security technology in the near future, with technology and tools being the most common element of any insider threat programme.
66% of Insider Threat Programs include software solutions (technology, data and tools).
3. Consider partners and supply chains
When we say ‘users’, we do not just mean immediate employees. Anyone who has access to your network has to be subject to the same process and restrictions, or there is little point in having them in place.
66% of I.T. Professionals believe organizations need more secure control over partners and supply chains.
4. Include a post employment process
This is the least common element of IT professionals’ insider threat programmes, yet it is so important and so simple. Put a process in place that ensures ex-employees can no longer access the organisation’s systems or data as soon as they have ceased employment.
36% of employees have continued to have access to systems or data from an employer after they have left a job.
5. Consult external sources
We didn’t see a lot of consensus about which sources to consult on internal security, and presumably you do some of this already given you’re reading this report! Don’t just take our word for it, though; analysts, media and organisations like CERT can help you gain an objective view of how to structure your insider threat programme.
6. Stay up to date
Don’t read up once and then forget about it either. The technologies and thinking involved in combating insider threat are evolving as quickly as the threat itself, so it is imperative to stay informed. Your insider threat program can evolve along with what you learn, too.
91% of organizations believe the I.T. Industry needs to work harder to collaborate and address insider threats.
7. Educate senior management
We know that in most organisations, senior management don’t pay enough attention to the issue of internal security. Make them a priority in user education and involve them in implementing and enforcing policy.
57% of I.T. Professionals believe their organization’s senior management does not take enough responsibility for internal security.
8. Get C-level commitment and buy in
This commitment to enforcing policy must go to the top of an organization, in order that it be properly enforced from the top down. That means that the board must not only understand your insider threat program, they must be fully bought into it and involved in the process.
Currently the I.T. Department (80%) takes responsibility for insider threat in nearly twice as many organizations as the C Suite (43%) does.
9. Implement greater user access restrictions and control
On a tactical level, most IT professionals expect to implement greater user restrictions, and this is an element of tackling insider threat that has both practical and educational value. The more restrictions there are, the smaller the attack surface, but restrictions also serve as a constant reminder to users.
Applying stronger user restrictions is the most cited answer for how to address user security.
10. Generate user alerts
Another way of reminding users of policy is to implement user alerts. These are particularly useful when triggered by specific kinds of suspicious behaviour, so that users learn what is and what isn’t good practice.
53% expect user alerts which are triggered by specific actions to be a key method for I.T. Professionals to grow awareness of security issues.
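The kind of action-triggered alert described above, as an added example that is not the report's or any product's code: a few constructed audit-log lines are evaluated against simple policy rules, and each trigger produces the alert text a user would see, naming the policy the action bumped into. The log format, field names and policy values are all constructed for the example.

```python
"""Action-triggered user alerts (added example, not the report's own tooling)."""
import re
from datetime import datetime

# Constructed audit log in a simple key=value format (hypothetical, not a real product's log).
AUDIT_LOG = """\
2015-05-06T08:55:10 action=logon user=apatel host=WS-17 result=success
2015-05-06T22:14:03 action=logon user=apatel host=WS-17 result=success
2015-05-06T09:02:41 action=logon user=mlee host=WS-05 result=success
2015-05-06T09:03:15 action=logon user=mlee host=WS-09 result=success
2015-05-06T13:40:00 action=copy user=rkhan target=USB result=success
"""

# Policy values are constructed for the example.
POLICY = {
    "work_hours": (7, 19),  # permitted logon hours: start inclusive, end exclusive
    "allowed_hosts": {"apatel": {"WS-17"}, "mlee": {"WS-05"}, "rkhan": {"WS-22"}},
    "blocked_actions": {"copy:USB"},  # "<action>:<target>" pairs that are never permitted
}

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")

def parse_line(line):
    """Split one log line into a dict of fields plus a parsed timestamp."""
    ts, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def evaluate(event, policy):
    """Return the list of alert strings triggered by one event (empty if none)."""
    alerts = []
    user, action = event["user"], event["action"]
    if action == "logon":
        start, end = policy["work_hours"]
        if not start <= event["ts"].hour < end:
            alerts.append(f"{user}: logon at {event['ts']:%H:%M} is outside permitted hours {start:02d}:00-{end:02d}:00")
        if event["host"] not in policy["allowed_hosts"].get(user, set()):
            alerts.append(f"{user}: logon from {event['host']} is not an approved workstation")
    if f"{action}:{event.get('target', '')}" in policy["blocked_actions"]:
        alerts.append(f"{user}: {action} to {event['target']} is not permitted by policy")
    return alerts

def alerts_for_log(log_text, policy=POLICY):
    """Evaluate every non-empty line of the log and collect the alerts in order."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return [alert for event in events for alert in evaluate(event, policy)]
```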
11. Take a multi-layered approach
Biometrics, two-factor authentication, physical security keys: all of these security approaches have their strengths, but each is more powerful in conjunction with the others. Do not treat new technology as a ‘replacement’ for old; if you are considering new technologies, combine them in the most effective multi-layered approach.
75% of I.T. Professionals believe that biometrics is not the safest way to confirm identity in order to access corporate data.
12. Be transparent, externally and internally
A good internal security policy is one that is transparent and properly communicated to all employees. But you should ensure that you communicate your approach to security externally too. As customers are increasingly going to be scrutinising companies on their security approach, it helps to be able to show them that you have the right attitude to keeping their data safe.
77% of I.T. Professionals think an organization’s perceived security impacts which businesses consumers choose to buy from.