Your people are your best line of defence against insider threat

An insider threat is difficult to detect and prevent, because insiders
have the credentials or permissions to access the data or systems so will not
flag within traditional defences. It is critical to understand the different
types of insider threat, broadly we look at them in two categories:     

Malicious Insider – Someone that abuses legitimate credentials for personal gain or objectives, e.g. financial reasons. These can be third party users with remote access, disgruntled employees, or any person with credentials or access to an organisation’s internal systems and that has an intent to do harm.    

Non-Malicious Insider – A person with no malicious intent but unintentionally puts an organisation’s data and systems at risk. These threats can come in the form of a phishing campaign, compromised credentials, failure to implement or follow security protocols based on industry best practice. Failure to follow security protocols, intentionally or inadvertently, can stem from a lack of control knowledge and because some controls may introduce additional steps, it is not uncommon to see these controls bypassed in an effort to reduce friction in certain processes. Sometimes it is just easier to ignore the rules for efficiency’s sake.

Where have we seen the Non-Malicious Insider Threat before?

Organisations invest significant amounts in implementing Identity Access Management (IAM) to ensure the right people, have the right access to the right roles at the right time. When minimum access requirements are maintained using the Principle of Least Privileged, organisations can limit the damage of potential exploits. 

However, without adequate considerations of the human implications, this action can unintentionally introduce additional risk.  

Let’s look at recertification as an example. Managers are periodically required to recertify the access of their teams. On a small scale this is a manageable task, but as the team numbers increase – managers can quickly discover workarounds. Sometimes the pressure of getting a job done takes precedence over a seemingly obscure security policy if the organisation is not proactive in training staff. Without security backgrounds or sufficient education, most managers will not understand the implications of these workarounds. Further, if the accuracy of recertification is not measured, the behaviour is not reinforced as a critical piece of work.

As a result, the recertification tool doesn’t mitigate the risk it was implemented to address, rather it introduces additional risks by driving workaround behaviours ‘underground’. The behaviours and ways of working are not effectively integrated with the recertification tool. 

Considerations going forward

The insider threat challenge is not a purely technical one, rather it is a people-centric problem that requires a holistic solution that encompasses layers of defence including polices, business processes, security education and awareness, and technology infrastructure. Organisations should avoid the common pitfall of focusing on a technical solution as the silver bullet.

• Cybersecurity is everyone’s responsibility. Build a strong cybersecurity culture. Understand the current security state and define cultural values and desired behaviours. Communicate the reasoning for and importance of security controls.
• Develop your talent. In addition to appropriate technical controls, train the workforce to recognise specific insider-threat risks, challenges, and responsibilities related to each position. Staff must understand the implications of bypassing controls, technical or otherwise implemented to prevent malicious activity.
• Leadership behaviours. Cybersecurity leaders need to take a stronger and more strategic leadership role and act as role models of cyber responsible behaviours.
• What gets measured, gets done. Build cybersecurity KPIs into performance metrics. Complete regular security audits on the accuracy of  recertification campaigns. Provide information on how staff can improve accuracy.
• Implement appropriate mitigations to handle insider threat. Integrate cybersecurity controls into the ways of working and the organisational culture. Implement appropriate technical controls e.g. segregated data recovery solutions / incident response / forensic capabilities, to respond to successful insider incidents.

Conclusion

Cybersecurity threats are constantly evolving. While it may not be realistic to interrupt every potential insider attack before damage is inflicted, it is prudent to build a cybersecurity culture and effectively integrate changes into ways of working. Organisations need to move away from static, annual training, towards supporting fluid learning and constant cyber capability development. By integrating the human focus into cyber transformation and cyber activities, organisations can effectively address non-malicious insider threats.

We offer a range of cyber transformation services that are tailored to your organisation's cyber maturity objectives. Please reach out to the team below to learn more.