Trust is an asset: Managing insider risk in the digital enterprise

March 11, 2016
The threats within your own walls can be the most devastating to your security landscape

In the crucible of cybersecurity work, many lessons have bubbled their troubled way to the top in the last few years, forcing awareness and action. Today’s lesson is insider threats. As general awareness of the scope and source of cyber threats becomes more widespread, we realize it’s not always the mysterious foreign black hat that should worry us most. It’s a tale as old as time itself: the mole, the snake, the gullible stooge—the threats inside your walls can be even more damaging than the enemy at the ramparts. The more we understand about how cyber-attacks originate and propagate, the more we are shifting our focus to insider threats, both malicious and accidental.

While estimates vary, an Information Security Forum analysis of the 2015 Verizon Data Breach Investigations Report has found that up to 54 percent of incidents reported in 2014 were a direct result of insider behavior. IBM agrees: their 2015 Cyber Security Intelligence Index claims 32 percent of data breaches are caused by malicious insiders, with another 24 percent being attributed to insider error or failure to follow policy. In an extensive 2015 survey focused on insider threats, the SANS Institute found a significant increase in concern and investment around addressing insider risk, but also an alarming lack of certainty and specific strategy. Leaders who ignore or encourage inappropriate insider behavior should expect financial, reputational or legal consequences.

Numerous factors are increasing organizations’ exposure to threats posed by insiders, and technical controls are limited. As enterprises grow their digital business, they realize that employee access to digital resources magnifies the damage an individual can do, and how covertly they can do it. To combat these threats, organizations must invest in a deeper understanding of trust, working strategically to assess and improve the trustworthiness of insiders.

Most research on the insider threat focuses on malicious behavior. However, the threat is considerably broader. Insider negligence and insider accidents comprise a greater and growing proportion of information security incidents. Chief information security officers (CISOs) who limit their thinking to malicious insiders may be gravely miscalculating the risk.

The insider threat has intensified as people have become increasingly mobile and hyper-connected. Nearly every worker has multiple, interconnected devices that can compromise information immediately and at scale: impact is no longer limited by the amount of paper someone can carry. Simultaneously, social norms are shifting, eroding loyalty between employers and employees. A job for life is being replaced by a portfolio of careers.

How do organizations determine who is trustworthy enough to be let inside – then build and maintain loyalty with a transient workforce? How do organizations manage risk while minimizing costs related to vetting, security checks, and identity and access management?

Malicious or Not, the Damage is Real

Insiders can unknowingly facilitate the actions of malicious outsiders. By responding to phishing emails, for example, insiders can enable external attacks to succeed where they might otherwise fail. I remember reading that one organization tested their employees by sending 150,000 fake phishing emails and nearly 50 percent of recipients clicked on the link within an hour. The USPS provides another cautionary tale: after being hacked via phishing in September 2014, the inspector general tested security policy compliance by sending a bogus phishing email to a sample population of postal workers—25 percent of the recipients clicked on the link in the faked email, and less than 10 percent reported the suspicious email as required.

Insiders can also intentionally assist external attackers. According to Charles Hecker and Eben Kaplan, there have been instances where “seasonal, temporary or part-time workers used their short-term access to company systems and processes to assist outside actors in perpetrating substantial frauds. Once safely on the outside, their inside knowledge helps them manipulate their former co-workers and their former employer’s fraud prevention measures.”

With a few notable exceptions, the impact of information being compromised is comparable, irrespective of whether the insiders act maliciously, negligently or accidentally. In contrast, the likelihood can vary considerably, and depends on the complexity of people, including their motives, loyalties, ideologies and relationships with organizations.

The Trust Factor

Organizations recognize that they need to trust insiders to behave appropriately. Workers undergo background checks before starting, and may earn greater trust as their service and seniority increase. Organizations also require professional certifications for certain roles and provide training courses to equip their people with the knowledge and skills they need to remain trustworthy and develop strong security habits.

Organizations’ reliance on trust as a control has increased dramatically with advances in information technology and changing work environments. More and more people are being given long-term access to organizations’ critical systems – while there are more short-term contractors and, according to Carl Colwill, it is “now more normal for staff to move between organizations and regions on a regular basis.”

How many organizations truly understand the aggregate risk from the trust they put in their people, from system administrators to everyone who is given a laptop or allowed to use their smartphones and tablets at work?

Insider Risk: Understanding Impact and Likelihood

To understand the risk posed by insiders, organizations must understand both the impact and likelihood of insider threat-driven incidents. In other words, ask what happens when employees break trust, and what the empirical probability is that such incidents will occur in your organization.

Workers need privileges to perform their roles responsibly. A payroll manager, for example, has an obligation to ensure employees are paid the correct amount, which in turn requires access to sensitive salary information.

Privileges should be accompanied by technical and management controls, which are designed to limit risk. Access to payroll data is restricted to authorized individuals, and strategic segregation of duties can ensure that sums are validated before being paid, reducing the likelihood of fraudulent payments.

There are limitations to these controls, so privileges always come with some degree of trust. Organizations are trusting that a payroll manager will not divulge salary data maliciously, negligently store it in an unauthorized cloud, or accidentally email it to a list of inappropriate recipients.
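As an added illustration of the payroll controls described above (example code, not from the article or the ISF), the following models a payroll run that a preparer assembles and a different, authorized approver validates before release; the users, roles and amounts are constructed.

```python
# Added example (not from the article or ISF tooling): a minimal payroll
# release workflow with the two controls the text names, role-restricted
# access and segregation of duties with a total check before payment.
# Users, roles and amounts are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed roles. Carol holds both, so she must not approve her own run.
ROLES: Dict[str, Set[str]] = {
    "alice": {"payroll_preparer"},
    "bob": {"payroll_approver"},
    "carol": {"payroll_preparer", "payroll_approver"},
}

class SoDViolation(Exception):
    """Raised when one person would hold both sides of a payment."""

@dataclass
class PayrollRun:
    payments: Dict[str, float]        # employee id -> amount to pay
    expected_total: float             # total the finance ledger expects
    prepared_by: Optional[str] = None
    approved_by: Optional[str] = None
    audit: List[Tuple[str, str]] = field(default_factory=list)

def require_role(user: str, role: str) -> None:
    """Least privilege: only holders of the role may take the action."""
    if role not in ROLES.get(user, set()):
        raise PermissionError(f"{user} lacks role {role}")

def prepare(run: PayrollRun, user: str) -> None:
    require_role(user, "payroll_preparer")
    run.prepared_by = user
    run.audit.append(("prepare", user))

def approve(run: PayrollRun, user: str) -> float:
    """A second, authorized person checks the sums; the preparer cannot."""
    require_role(user, "payroll_approver")
    if run.prepared_by is None:
        raise SoDViolation("run has not been prepared")
    if user == run.prepared_by:
        raise SoDViolation(f"{user} prepared this run and cannot approve it")
    total = round(sum(run.payments.values()), 2)
    if total != round(run.expected_total, 2):
        raise ValueError(f"total {total} differs from ledger {run.expected_total}")
    run.approved_by = user
    run.audit.append(("approve", user))
    return total

def release(run: PayrollRun) -> bool:
    """Pay only when two distinct, authorized signatures are on record."""
    return bool(run.prepared_by and run.approved_by and run.prepared_by != run.approved_by)
```

Note what the control does not cover: an approver trusted with the role can still read every salary in the run, which is the residual trust the text describes.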

Assessing Probability

ISF Member organizations are adept at estimating the impact, supported by tools including the Business Impact Assessment and Business Impact Reference Table highlighted in the ISF Information Risk Assessment Methodology 2 (IRAM2).

Likelihood is more difficult to determine. The likelihood of an insider threat being realized can be thought of as the probability that an insider will behave in a way that does not uphold the trust placed in them. Numerous factors influence whether or not trust will be upheld.

Previous ISF research on insider threats described a useful model to examine what happens when people have a motive, opportunity and means. These ideas can be extended by considering how trust plays a role in each type of risky behavior:

Malicious: For malicious incidents, the breach of trust is often clear, as it was when an employee kept sensitive proprietary information after termination and provided it to a competitor where he became a paid consultant.

Whistleblowing is related; however, the intent tends to be based on ideologies or morals. For example, Edward Snowden, who gathered and leaked classified documents on government surveillance, asserts that he acted out of loyalty to defend the U.S. constitution from illegal acts, not out of malice toward his organization.

Negligent: Negligent behaviors often occur when people look for ways to work around policies they feel hinder their ability to carry out their responsibilities. Insiders are expected to follow policy, but may also receive contradictory instructions, such as the need to meet a deadline or financial target.

Most workers recognize the importance of compliance and have a general awareness of security risks. Unfortunately, their workarounds can be less secure than they realize. One worker justified violating policy and using unencrypted USB drives because they are easier to obtain and use than encrypted ones. He mistakenly believed that security could be preserved by simply deleting files after use.

Insufficient oversight can lead to negligent insider risk; negative incidents often call attention to board members’ obliviousness to widespread illegal or risky activities.

Accidental: A large majority of ISF Members have said that accidents were more common and of greater concern than malicious acts. Accidents also form a significant portion of the information security incidents included in Verizon’s 2015 Data Breach Investigations Report.

  • More than 100,000 incidents are grouped into nine basic patterns, the largest of which is miscellaneous errors at just under 30 percent.
  • Three of the top four categories of miscellaneous errors are accidental behaviors, including misdelivery, publishing error and disposal error.

Managing Insider Risk and Building Internal Trust

Managing risk posed by the insider threat should extend across all three types of risky behavior: malicious, negligent and accidental. Once the risk is assessed, immediate results can come from applying technical and management controls, and from aligning roles, responsibilities, and privileges throughout the employment life cycle.

But that alone is not enough. Organizations must nurture a culture of trust, one where the organization can trust its insiders – and insiders can trust the organization in return. Organizations with a high exposure to insider risk should expand their insider threat and security awareness programs.

The trust organizations are placing in insiders has grown with advances in information technology, increasing information risk and changing work environments. This trend will continue as the volume of information insiders can access, store and transmit continues to soar – and mobile working for multiple employers becomes the status quo.

Recognize that technical and management controls have limitations. Organizations need to trust their insiders to protect the information they handle – and will always face some risk of that trust not being upheld. Remaining purposefully engaged with employees through ongoing oversight and training can help management detect risky activity before it’s too late.

Finally, embrace a deeper understanding of trust. Organizations must understand where and how they are trusting their insiders – and must augment technical and management controls by helping people to become more worthy of the trust placed in them. Equally, leadership should ensure their organizations are worthy of trust in return.

About the Author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.