The Insider Threat

A layered approach can help mitigate the risks

Each new study that is released further confirms that the malicious insider continues to pose a major threat to organizations in both the public and the private sectors.

While many of us tend to reflexively think of this insider as a disgruntled IT worker who knows how to access and change system data, the reality is that the insider can act in a variety of ways by a variety of methods to harm the organization, and he or she could be anyone. It is true that cyber attacks are a popular way for insiders to commit crimes, simply because so much business in the public and private sectors is done electronically, and because even non-technical employees - particularly in the younger generations - are more technologically savvy than they have been in the past. But focusing protection efforts on cyber controls alone is a mistake.

The threat is the individual, not the method of attack. By developing mitigation plans that include cultural shifts, training, process and policy measures rather than targeted technology alone, security professionals will have the best chance of saving their organizations from the cost and reputational damage that result from insider incidents.

The Complexities of Insider Risk

Recent reports including the Verizon/U.S. Secret Service 2010 Data Breach Report and the 2010 Cybersecurity (e-crime) Watch Survey (conducted by CSO, the U.S. Secret Service, CERT and Deloitte's Center for Security & Privacy Solutions) agree that outsiders still perpetrate the most cyber attacks and data breaches. However, the e-crime Survey and Ponemon Institute's Cost of Cyber Crime Study 2010 find that insider incidents are often more costly than external breaches. This is likely because malicious insiders are more likely than hackers or even organized groups to know what information to target and how it can be obtained.

This causes a priority problem within many organizations, says Dr. Mike Gelles, a Director with Deloitte Consulting LLP. "Many companies and public organizations think of the insider threat as a very high-impact, very low-frequency issue. While they never want it to happen on their watch, the likelihood of it happening is not going to be that high. So managing this threat doesn't always become a high priority, which is fascinating, because the impact is so tremendous in the marketplace and the public sector."

In other cases, security professionals and business leaders may recognize the importance of protecting against the threat but feel somewhat powerless to do so. The insider threat poses a difficult challenge for a number of reasons. Among them:

- Insiders do not have to infiltrate perimeter defenses on the network or in the facility.
- They tend to plan their actions in advance and carefully cover their tracks.
- They often use appropriate and approved access to systems and areas to commit their crimes.
- They often have no criminal background.
- They may have a variety of targets within the organization and they may act based on a wide range of motivations.

Who Is the Insider Threat?

Malicious insiders may use a variety of methods to cause damage - network or manual sabotage, espionage, fraud, embezzlement, misuse of information or theft of intellectual property carried out by electronic means or on paper. They may act alone or with the support of an outside party such as an organized cyber crime group or a state-sponsored entity. The malicious insider can come from any function in the organization, and from any level - from third-party contractor to staff to executive. Some of them join specific companies with the intent to harm, while others - some studies say most - begin to contemplate such actions after experiencing a catalyst during their employment. They may want to hurt the company for revenge, or as a strategy for advancement, or they may simply be looking for a way to skim off some cash. Because these possibilities are so varied, it is nearly impossible to use method, skill set, function, job title or even motivation to effectively screen for risk potential.

This content continues onto the next page...