Last week IS Decisions participated in the SPIN Insider Threat Conference in London joining participants from academia, government and industry to discuss the threat from within. Speakers at the workshop included security experts from CERT, PA Consulting Group (HoMER Publication), Oxford e-Research Centre & the US Secret Service.
In a series of 3 posts we will highlight the expertise offered during this workshop and share how organizations can better manage the insider threat.
This first post examines the need for an organization to build an insider threat program.
Following posts will share discussions on the proactive steps in mitigating the insider threat and how an organization can bring together both threat and risk management.
How Digital changes the Insider Threat
From Brutus to Snowden, the Insider Threat is not new. The Internet however changes the game, bringing extra complications.
- Physical proximity to target is no longer required
- Collect and conceal vast amounts of stolen data so easily.
- Data access is difficult to control
- Malicious behavior on IT systems is easily concealed
Today’s world offers many diverse opportunities for the insider threat
Walking off with company secrets used to be limited to how much paper you could hide in your bag. In 1997 Gillette lost 600MB of data to competitors on USB stick. Theft of intellectual property was becoming so much easier with technology.
Fast forward to the age of cloud computing and electronically stored information is no longer stored exclusively on physical drives. A host of solutions provide cloud storage services for your organization. In one case employees allegedly stole, edited and then synced corrupted documents on resigning from an organization. Syncing the corrupted data with the good means this company will potentially make bad decisions on this data as well as losing intellectual property from the stolen documents and potentially suffer from reputation damage.
In today’s world all the critical services that our society relies on for its everyday functioning are now dependent on computers. Sabotage to such an organizations system is seen as potentially vulnerable to security attacks, especially from employees turning malicious on learning that their contract/job is not being renewed.
For example there are only 5 or 6 SCADA systems (supervisory control and data acquisitions) used throughout the world. They provide the control of remote equipment to decentralized facilities such as power, oil, gas, water and sewage systems.
The risk from a disgruntled insider to these systems, is a risk that needs managing.
Is your Supply Chain also your Risk Chain?
The Target Breach was an example of fraud but reputation is sometimes the biggest cost for an organization.
Loss of reputation is something that sometimes can never be recovered from. Target’s lost sales are compounded with pending criminal and civil suits but the largest potential cost is the risk to Target’s reputation.
How Target can manage its reputation will ultimately decide the final cost of the event.
The breach itself stemmed from the actions of an unintentional insider threat, an employee within its trusted ‘extended enterprise’. Today, much government and industry work is outsourced but these employees are treated the same as the organizations own employees when it comes to privileged access to systems.
Are we sure our trusted partners have an insider threat program from pre-recruitment through to termination?
When any IT operation of an organisation is contracted out, the external service provider (or the outsourcing vendor) may effectively become an “insider”, handling sensitive and important information for the company. While the services provided by an outsourcing vendor may be beneficial and cost-effective, proper security management processes and procedures must be in place to protect sensitive data and customer privacy in outsourced IT projects or service. Data owners need to monitor and review all access rights granted to outsourcing vendors so as to protect key data at all times.
The bottom line is an organisation can outsource its operations, but not its responsibilities.
The Unreported Insider Threat
Insider cases are numerous and spin all industries. It’s said that 3 out of 4 cases are unreported! As you can see reputation is perhaps the biggest risk of all. Organizations don’t want to tell or don’t even know.
This shouldn’t however be about the business of fear.
It calls for a Risk Management approach. Understand the risk and balance it. This however, requires top level strategic oversight for any enterprise. Risk Management is and must be, a problem for the board.
Are the board always considered when an organization attempts to manage these risks?
From our own research involving 500 IT decision makers, the insider threat is not a top security priority, even for IT professionals. This however could be changing.
The belief is that the Target Breach could well be a turning point. The breach resulted in the first CEO to lose their job because of an insider security breach and possibly five other directors to follow. This is significant.
Every board should now be thinking this is not going to happen to me. we need to address this problem. The latest news however suggests that the retailer’s chief executive and board may not get a complete picture on the company’s security, if the CISO does not report directly to them.
Proactive Steps to Mitigate the Risk
Today’s reality is there are proactive steps to mitigate the risk. But organizations and individuals are guilty of not having the time, so end up creating bigger gaps.
One typical example is when employees who have left the organization still have access to the network.
The thinking suggests if your organization is not doing the basics – forget about any more complex behavior analysis to alert high risks or any big data tools.
Building an Insider Threat Program
Building an Insider Threat Program moves an organization from paranoia to protection.
Not only is this a sensible thing to do but a US Mandate means organizations must develop an Insider Threat Program if dealing with a federal government. It also applies to worldwide companies that are dealing with the US government.
To help the CERT Insider Threat Centre has been serving as a trusted broker to assist the community in the short term and through ongoing research since 2001. The foundation of their work is a database of more than 1000 insider threat cases, government records and information from criminals themselves, which helps characterize the nature of the insider threat problem and offers dynamic indicators of insider threat risk. They also identify and experiment with administrative and technical controls for insider threat mitigation.
The CERT Insider Threat Program helps organizations consider or start making themselves more secure and more immune to reputation and financial damage.
In the UK, The CPNI (Centre for the Protection of National Infrastructure) and PA Consulting published new guidance (HoMER) to help organizations reduce employee risk.
HoMER (Holistic Management of Employee Risk) offers a range of practical measures to help organizations reduce the risk from their employees. The risk ranges from oversight such as sharing passwords to opportunistic behavior including theft and fraud.
Moving from paranoia to protection
Moving from paranoia to protection means involving a sophisticated tool set, staff and manager’s awareness and an efficient process.
At IS Decisions, our solution UserLock is a unique and proven technology tool that helps organizations mitigate the risk of insider threat by securing users access to the shared Windows network. Whether we’re dealing with careless or malicious activity both involve authenticated users who have access and rights. Organizations are recognizing the need to better manage and secure network access for authenticated users to reduce the risk of security breaches.
FileAudit helps organizations proactively track, alert and report on all access (and access attempts) to files and folders. It helps protect an organizations most sensitive information stored on Windows Servers.
Our next post will share more on the proactive steps an organization can take in mitigating the insider threat.
