I’ve asked gov tech executives that question for more than a decade, and answers have been all over the map. But lately, there is often a greater fear of insider threats.
The reasons vary. Nevertheless, security teams often feel more confident in their ability to stop external hackers than they do at detecting and responding to internal network anomalies or addressing the online (and related offline) actions of their own staff.
In January, William Evanina, director of the National Counterintelligence and Security Center, told a gathering of cybersecurity professionals that insider threats posed the greatest risk for Americans. “We had a horrible year last year ...” he said, “with indictments, arrests, convictions of clearance-holders as well as arrests, indictments, convictions of nontraditional collectors in the private sector — theft of intellectual property and trade secrets. It was not a good year for industry or the government.”
Insider threat impacts can include theft or loss of mission-critical data, downtime of organizational productivity, damage to equipment and other assets, cost to detect and remediate systems and core business processes, and legal and regulatory impact, including litigation defense cost and lost confidence and trust among key stakeholders.
Meanwhile, the overall financial costs of insider threats keep skyrocketing.
The Ponemon Institute announced this year that the global average cost of an insider threat is $11.45 million. Also, the frequency of insider incidents has tripled since 2016 from one to 3.2 per organization, and the 204 large organizations (with a staff over 1,000) surveyed experienced a total of 4,716 insider incidents over the past year.
So what can be done? Here are five steps to help:
1. Do your homework — again. Examine the latest insider threat reports on current cyberthreat trends. Relearn the latest categories of insider threats like malicious insiders, employee and contractor negligence, and imposter risk (credential theft). Study your current policies, procedures and controls in place to mitigate these risks on issues ranging from background checks to access controls. Are they truly working? For example, check to see if security logs and alerts are processed or ignored.
2. Know where your data is. A good understanding of your data “crown jewels” is essential. Is sensitive data stored on mobile devices or desktop PCs? Or is it truly contained within protected mission-critical databases?
3. Refresh data access control lists. Who has access to this sensitive data? Again, recheck separation of duties and privileged account lists to ensure that they are updated for entering and exiting employees. Ensure that staff who have changed roles have unneeded access removed.
4. Consider the new generation of monitoring tools. Are your data loss prevention tools working? Is data leaking into the cloud via social media or personal email accounts? Have you considered a cloud access security broker? Keep in mind that privileged access management is the second-most underused tool for reducing insider threats.
5. Enable the “good guys” by training staff. Everyone wants to find the bad apples in your organization. But paradoxically, one way to do that is to spend more time training and communicating with the good apples. Provide security awareness training and show staff what to watch out for. Think about people, process and technology risks. Security and technology teams cannot be everywhere, but if most staff are well-trained and know what to do, they will find and report bad apples (and phish).
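The access review in step 3, as an added example that is not from the article: a small Python reconciliation of a privileged-entitlement list against an HR roster, flagging accounts of exited staff (or with no HR record at all), entitlements a person's current role does not justify, and separation-of-duties conflicts. The roster fields, the role-to-entitlement policy and every sample account are constructed assumptions, not data from any real directory or HR system.

```python
from dataclasses import dataclass

# Assumed policy: which privileged entitlements each job role may hold.
ROLE_ENTITLEMENTS = {
    "dba": {"prod-db-admin"},
    "sysadmin": {"domain-admin"},
    "finance-clerk": {"payments-create"},
    "finance-approver": {"payments-approve"},
    "intern": set(),
}

# Assumed separation-of-duties rule: one person must not hold both.
SOD_CONFLICTS = [("payments-create", "payments-approve")]

# Constructed sample data. carol moved from clerk to approver but kept
# her old entitlement; bob has left; svc_legacy has no HR owner at all.
HR_ROSTER = {
    "alice": {"status": "active", "role": "dba"},
    "bob": {"status": "terminated", "role": "sysadmin"},
    "carol": {"status": "active", "role": "finance-approver"},
    "dave": {"status": "active", "role": "intern"},
}
ACCESS_LIST = {
    "alice": {"prod-db-admin"},
    "bob": {"domain-admin"},
    "carol": {"payments-create", "payments-approve"},
    "dave": {"prod-db-admin"},
    "svc_legacy": {"domain-admin"},
}

@dataclass
class Finding:
    user: str
    kind: str    # exited_or_orphaned | role_mismatch | sod_conflict
    detail: str

def reconcile(hr_roster, access_list):
    """Compare privileged access against HR data and return the mismatches."""
    findings = []
    for user, ents in sorted(access_list.items()):
        rec = hr_roster.get(user)
        if rec is None or rec["status"] != "active":
            # Account has no active owner: access should have been revoked.
            findings.append(Finding(user, "exited_or_orphaned", ", ".join(sorted(ents))))
            continue
        allowed = ROLE_ENTITLEMENTS.get(rec["role"], set())
        for ent in sorted(ents - allowed):
            findings.append(Finding(user, "role_mismatch", f"{ent} not justified by role {rec['role']}"))
        for a, b in SOD_CONFLICTS:
            if a in ents and b in ents:
                findings.append(Finding(user, "sod_conflict", f"{a} together with {b}"))
    return findings

if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ACCESS_LIST):
        print(f"{f.user:<12}{f.kind:<20}{f.detail}")
```

In practice the roster and entitlement list would be exported from the HR system and the directory or PAM tool; the review is only as good as the freshness of both exports.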
In 2004, when I was Michigan’s CISO, we ran our first penetration tests from both inside and outside our state computer network. While the outside tests found serious Web vulnerabilities, the tests run inside, with the same account privileges as a student intern, succeeded in getting (unauthorized) access to the crown jewels. Ignoring insider threats is a mistake.