A Ponemon survey published in May 2016 reported that 55% of the 601 companies polled had experienced a security incident or data breach caused by a malicious or negligent employee. This should surprise no one. Employees have historically been the biggest risk to an organization: they have knowledge, opportunity, access and time in their favor. The same survey identified employee carelessness as the number one security risk.
No company wants to admit it has careless or untrustworthy employees. In most organizations, employees undergo security training during new-hire orientation, sign acceptable use agreements, take ethics training and are subject to role-based access controls in the performance of their job responsibilities. So why are insider security threats still a problem?
Insider security threats can be mitigated through a combination of methods. Any one of these can prove to be the weakest link if not properly implemented and kept current. Let's take a closer look at each.
Separation of duties
Separation of duties is the practice of dividing the steps of a function among different individuals so that no single individual can subvert the process. This assumes the function can actually be divided into separate steps performed by different people. Small to medium-sized companies often lack enough staff to do this, so one person may have to wear several functional hats.
Preventive controls are typically the most effective: access is granted on the principle of least privilege, meaning individuals receive only the access their job responsibilities and need to know require. Where preventive controls cannot be deployed because of inherent limitations of the function, system or application in question, detective controls must be deployed to mitigate the risk instead.
Detective controls include having activities monitored by someone other than the person performing the function, for example a manager with oversight responsibilities. Such monitoring must be consistent and free of any influence that would render it ineffective.
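As an added illustration of the two controls just described (this is example code written for this page, not something from the survey or the article's author), the Python below applies a toxic-role matrix to a hypothetical finance team. It enforces the preventive control (the approver must hold the approver role and must not be the person who initiated the payment) and, for users like "carol" who hold conflicting roles because the team is too small to split them, applies the compensating detective control by queuing their approvals for independent manager review. All users, roles and payments are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample role assignments for a small finance team.
# Carol holds both roles because there are not enough people to split them.
ROLE_ASSIGNMENTS = {
    "alice": {"payment_initiator"},
    "bob": {"payment_approver"},
    "carol": {"payment_initiator", "payment_approver"},
}

# Role combinations that one person should not hold at the same time.
TOXIC_COMBINATIONS = [
    frozenset({"payment_initiator", "payment_approver"}),
]


def users_with_toxic_combinations(assignments, toxic=TOXIC_COMBINATIONS):
    """Return the users who hold every role of at least one toxic combination."""
    return sorted(
        user for user, roles in assignments.items()
        if any(combo <= roles for combo in toxic)
    )


class SeparationOfDutiesError(Exception):
    """Raised when the same person tries to perform two separated steps."""


@dataclass
class Payment:
    payment_id: str
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None


def approve_payment(payment, approver, assignments=ROLE_ASSIGNMENTS, review_queue=None):
    """Preventive control: the approver must hold the role and must not be the
    initiator.  Compensating detective control: if the approver's role set is
    already conflicted, record the approval for independent manager review."""
    roles = assignments.get(approver, set())
    if "payment_approver" not in roles:
        raise PermissionError(f"{approver} is not a payment approver")
    if approver == payment.initiated_by:
        raise SeparationOfDutiesError(
            f"{approver} cannot approve payment {payment.payment_id} they initiated")
    payment.approved_by = approver
    if review_queue is not None and approver in users_with_toxic_combinations(assignments):
        review_queue.append(
            (payment.payment_id, approver, "approver also holds initiator role"))
    return payment
```

The review queue is the point: when the organization cannot split the roles, the action is still allowed, but it is recorded for someone other than the actor to check, which is exactly the detective control the paragraph above calls for.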
Security monitoring uses systems or processes that continuously oversee operational, system, network, database or application activities, including access, creation, deletion and modification of data. But monitoring is only as good as the audit trail it captures. If logging is incomplete, or the log repository is not strictly protected from alteration, the integrity of both the audit trail and the monitoring built on it comes into question.
The audit trail needs to capture the complete flow of an activity, and all devices need to synchronize their clocks to a common, trusted time source (for example, NTP servers backed by atomic clocks) so that events from different systems can be correlated and attributed to the right user at the right moment.
Access violations and event anomalies need to be monitored and followed up according to the enterprise's vulnerability and incident management practices. This preserves the evidence needed for proper forensics if suspicious employee activity requires further investigation.
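The three paragraphs above turn on two properties of the audit trail: that it cannot be altered without detection, and that timestamps from different systems line up. The Python below is an added example (not code from the article) showing one way to get both: each log entry is hash-chained to the previous one, and the verifier reports altered records, broken links, and timestamps that run backwards by more than an allowed skew. The event records, host names and users are constructed sample data, and the skew threshold is an assumption.

```python
import hashlib
import json
from datetime import datetime, timedelta

GENESIS_HASH = "0" * 64


def _link_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 of the previous link plus a canonical JSON encoding of this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_record(chain: list, record: dict) -> dict:
    """Append a record, linking it to the hash of the previous entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {"record": record, "prev": prev_hash, "hash": _link_hash(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, max_backwards_skew=timedelta(minutes=5)) -> list:
    """Return (index, problem) pairs for altered records, broken links, and
    timestamps that go backwards by more than the allowed skew (a sign of an
    unsynchronized clock or a back-dated entry).  Threshold is an assumption."""
    problems = []
    expected_prev = GENESIS_HASH
    last_ts = None
    for i, entry in enumerate(chain):
        if entry["prev"] != expected_prev:
            problems.append((i, "broken link"))
        if _link_hash(entry["prev"], entry["record"]) != entry["hash"]:
            problems.append((i, "record altered"))
        ts = datetime.fromisoformat(entry["record"]["ts"])
        if last_ts is not None and ts < last_ts - max_backwards_skew:
            problems.append((i, "timestamp earlier than previous entry"))
        last_ts = ts if last_ts is None else max(ts, last_ts)
        expected_prev = entry["hash"]
    return problems


# Constructed sample events from two hosts; db02's clock is ten minutes behind.
SAMPLE_RECORDS = [
    {"ts": "2016-05-10T09:00:00+00:00", "host": "app01", "user": "dana",
     "action": "read", "object": "payroll.csv"},
    {"ts": "2016-05-10T09:00:30+00:00", "host": "app01", "user": "dana",
     "action": "modify", "object": "payroll.csv"},
    {"ts": "2016-05-10T08:50:12+00:00", "host": "db02", "user": "dana",
     "action": "delete", "object": "payroll_backup"},
    {"ts": "2016-05-10T09:01:05+00:00", "host": "app01", "user": "eli",
     "action": "read", "object": "invoices"},
]


def build_chain(records=SAMPLE_RECORDS) -> list:
    """Build a chained log from the sample records (each record is copied)."""
    chain = []
    for rec in records:
        append_record(chain, dict(rec))
    return chain
```

The chain only proves that nothing changed since the last link that was written down somewhere the insider cannot modify. An insider with write access to the whole repository can recompute every hash from the altered entry onward, so the current head hash must be copied regularly to a separate, append-only location (a different log server, a signed daily report) and the verification started from that anchored value. That is the practical meaning of keeping the log repository "highly restricted from alteration."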
Access requirements change over time: an employee is transferred, terminated or promoted, or job responsibilities change because of operational changes. Without proper security administration, a common error is to grant the new access but leave in place existing access that is no longer needed. A good practice is to periodically, at least quarterly, certify that access is current. Managers with direct-report responsibilities can do this by generating access reports for their personnel and other inside users and confirming that each entitlement is still required.
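The quarterly certification described above can be driven by a simple comparison of what each person actually holds against what their current role should hold. The Python below is an added example (not the article's own method or any particular product) that does this for a constructed roster: it flags entitlements left over from a previous role, access still held by a terminated employee, and accounts that belong to nobody on the roster, then groups the findings by manager so each manager certifies only their own direct reports. Role names, entitlement names, users and managers are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: what each role should hold, the current HR roster,
# and the entitlements actually provisioned in the identity store.
ROLE_BASELINE = {
    "accounts_payable": {"erp:ap_entry", "email"},
    "hr_generalist": {"hris:read", "hris:write", "email"},
    "terminated": set(),
}

ROSTER = [
    {"user": "dana", "role": "hr_generalist", "manager": "mia"},   # moved from AP last quarter
    {"user": "eli", "role": "accounts_payable", "manager": "mia"},
    {"user": "fay", "role": "terminated", "manager": "ned"},
]

CURRENT_ACCESS = {
    "dana": {"erp:ap_entry", "hris:read", "hris:write", "email"},  # old AP access never removed
    "eli": {"erp:ap_entry", "email"},
    "fay": {"vpn", "email"},                                       # still provisioned
    "svc_legacy": {"erp:admin"},                                   # no roster entry at all
}


def certify_access(roster, access, baseline):
    """Compare provisioned entitlements with the role baseline and return the
    findings a manager must act on: access not justified by the current role,
    access still held after termination, and accounts nobody on the roster owns."""
    findings = []
    on_roster = set()
    for person in roster:
        on_roster.add(person["user"])
        expected = baseline.get(person["role"], set())
        held = access.get(person["user"], set())
        issue = ("held after termination" if person["role"] == "terminated"
                 else "not in role baseline")
        for entitlement in sorted(held - expected):
            findings.append({"user": person["user"], "manager": person["manager"],
                             "entitlement": entitlement, "issue": issue})
    for user in sorted(set(access) - on_roster):
        for entitlement in sorted(access[user]):
            findings.append({"user": user, "manager": None,
                             "entitlement": entitlement,
                             "issue": "no roster entry (orphan account)"})
    return findings


def report_by_manager(findings):
    """Group findings per manager; orphan accounts go to the security team."""
    report = defaultdict(list)
    for f in findings:
        report[f["manager"] or "security-team"].append(
            (f["user"], f["entitlement"], f["issue"]))
    return dict(report)
```

The baseline is the link to role-based access control: whatever a role is documented to need is the only thing that survives certification without a manager's explicit sign-off, so a transfer that forgot to remove old access shows up automatically instead of relying on someone to remember it.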
Training and awareness
The Ponemon survey listed two primary reasons for insider security threats: the current state of employee security awareness, and training programs that fall short in the depth and breadth of content needed to drive the behavioral changes that would reduce insider risk. Training is clearly crucial to keeping cybersecurity risk front of mind; it is both a standard and a deterrent. But when the quality of training and security awareness is wanting, employee carelessness, errors and omissions, along with fraud and malicious activity, are inevitable.
The survey further stated that after a data breach, 70% of respondents attributed the insider threat to a lack of in-house expertise, and 55% also blamed a lack of leadership and ownership for addressing the risk. It also found that 60% of the companies polled do not require employees to retake security training courses following a data breach.
A lack of in-house expertise may stem from an insufficient training budget, from not requiring formal cybersecurity training or from a lack of cybersecurity certifications. Management needs to invest in its employees with a focus on the quality of the cybersecurity services they deliver and on keeping their skills current.
Cybersecurity insurance transfers the financial risk of system disruptions and breaches. It should include bonding of employees to cover errors, carelessness or fraud. Much like insuring an automobile, the policy is purchased with every expectation of never using it, but it is there when needed.
Backup and recovery are critical to managing insider security threats. One typically thinks of recovery in terms of disasters, major outages or system malfunctions, but recovery is just as important against malicious insider activity. A company needs to recover quickly and continue doing business as usual if insider activity adversely affects system availability and normal processing. The incident response plan, and the periodic tests of it, should include scenarios that cover insider security threats.
Company culture is the manner in which the company views cybersecurity. The tone from the top should be ever present and communicated to all personnel. If cybersecurity is viewed as unimportant or as a burden, the same attitude will be reflected throughout the company. Cybersecurity should be embedded in the company culture as part of doing business. That awareness sends the right message that the integrity, confidentiality and security of corporate data matter and should not be taken lightly, which is in itself a deterrent to unauthorized employee activity.
Insider threat indicators
The CISO should look for insider security threat indicators, which include employees who are disgruntled, on strike, threatened with disciplinary action or dismissal, addicted to alcohol or drugs, have a gambling problem, are experiencing financial or emotional problems, may be hacktivists, are antisocial, have no accountability for the work they perform, work in unsupervised functions, or have just been notified of their termination. There may be other indicators and, admittedly, they are difficult to trace, but they warrant close observation nonetheless.
Cybersecurity can be summarized in four control elements: policy, technical, monitoring and deployment. Cybersecurity policies need to be current, comprehensive and available to all employees; employees need to know the ground rules and be properly trained on how and why information protection is critical to their job responsibilities. A company can implement technical access control and authentication solutions, but they are only effective if they are used and managed by skilled cybersecurity professionals. Monitoring is only as good as the audit trail, reporting and vulnerability management systems behind it. Deployment of technical tools and services, security administration, RBAC, defense in depth and proper network segmentation increases the ability to limit internal access to authorized individuals.
Insider security threats will always exist. Some may dismiss the threat and argue for the importance of trusting employees, but cybersecurity is not a matter of trust; trust is never the issue. The issue is prudent controls and access granted commensurate with the risks and with what is needed to perform job responsibilities. That goes a long way toward mitigating insider threat.