Insider Threat: Is Your Business Simply Secure From the Inside?
Poor Elon Musk has been going through a difficult time with Tesla at the moment; the last thing he needs to deal with is employee sabotage:
Elon Musk sends company email about 'extensive and damaging sabotage' by employee
But Tesla isn’t the only company this has happened to. There seems to be a different news story every week about how this or that company has had a data leak of some sort.
If you hold business critical data (and let’s be honest, which business doesn’t?!) YOUR BUSINESS IS AT RISK. You are not only facing threats from the outside through hackers or viruses; you may have a disgruntled employee (because they’ve just been told there is a redundancy…the Tesla story) or a careless user sending a mistaken email. According to McAfee, 43% of data breaches come from within an organisation. Whichever way it happens, it can be an embarrassment to a company of any size. Of course, the worst outcome is that you can be put out of business.
On a mission to keep people and businesses safe when faced with the challenges of the modern world, Simply Secure hosted an event on the Isle of Man with leading insider risk specialist Bill Windle of CyberInsider Ltd, to give guidance and advice on a specific potential threat to businesses — insider threat. While Bill’s talk was aimed at UK-based organisations, it was based on authoritative principles contained in UK national guidance and, in Bill’s experience, these principles are widely applicable.
The majority of the current adult population didn’t grow up understanding ‘cyber’, and as such we notoriously disclose more information online than we think. We use Facebook to “check in” at the airport, announcing to the world that we’re heading on holiday for the next two weeks. If a half-savvy criminal were to find out where you lived, that would definitely be a handy bit of info.
However, senior leadership teams don’t need to understand the world of cyber in order to mitigate risk to their company. Rather, they need to understand the most effective ways to reduce that risk, many of which, as well as reducing insider risk, strengthen their organisation more broadly.
It was really interesting to learn that one of the most likely employees to become an insider threat is one who feels morally superior to their employer. They feel their employer has “done something to deserve it”.
Who are these bad actors and when do they strike?
- Usually long-standing, formerly loyal employees, to whom something happens along the way to alter their feelings towards their employer (such as perceived unfair performance reviews and rewards, or actions taken by the employer which the employee feels are unacceptable). This is where their previous loyalty can turn to betrayal.
- Leavers: approx 10% of company leavers take IP or client data with them because they feel they are entitled to take it and that there will be no consequences for doing so. This theft is often opportunistic in the absence of effective deterrents.
- Malicious acts are usually committed approx 3 weeks before an insider leaves the company.
“Most people want to do the right thing most of the time; they deserve the trust. However, as a security professional you have to use business judgement to ensure risk is mitigated.” Bill Windle, CyberInsider
Bill noted that there isn’t a whole host of published research on this topic, probably due to its commercially sensitive nature. However, if you would like to read further around the area, Bill referenced several well-respected sources of insider threat case-based research and insight, including:
- Centre for the Protection of National Infrastructure (CPNI)
- Insider Threat Unit at US CERT
If you were not able to make Simply Secure’s event, my top takeaways are:
Ultimately, the CEO is responsible for the strategy, and also for the fallout from a lack of strategy, when it comes to insider risk issues. If you are at the top of your business, your own “loss” reputation can even follow you when you are trying to move on to another company. It’s pretty important you figure out how you will deal with it before it happens.
If you’re a CEO and you haven’t appointed an SAO (Single Accountable Owner) for insider risk, then it’s you…unless you appoint someone. Once you have your SAO in place, you or they can create a strategy and form a working group. That SAO then reports into the CEO, helping to build trust and ensuring transparency across the organisation. They can ensure there are effective policies on whistleblowing, for example, and create trusted points of contact within your organisation to stop issues before they arise.
There are questions you can ask your SAO:
- What are our Top 5 threats?
- What is the Return on Investment (RoI) on our insider risk defences, including, specifically, monitoring for insider risk?
- What’s our company Insider Risk Strategy and what progress is being made?
- What more can the Senior Leadership Team do?
- What Potential Risk Indicators are we using and in what ways are they being used?
But you can just outsource, right? Well, not on this occasion. Bill reminded the audience that if you’re outsourcing work, including cloud services for example, then you are putting your trust in a company or people outside of your own. You can’t outsource this problem and think you’ve washed your hands of the issue, unfortunately. Your outside service provider could have its own insider risks! A good cloud service provider will have their own documented approach — so ask for it before contracting. Be sure to consider organisations which ‘touch’ yours.
Working with people means it’s about people: if the problem is an insider threat, we are dealing with an employee inside the company.
The culture at your company goes a long way to mitigating the risk of insider threats. Bill encouraged the audience to review and reinforce company culture in a changing landscape. Deloitte’s recent publication “2018 Global Human Capital Trends” states that 76% of millennials are looking for employers to fill the trust gap they’ve lost in governments. In 2020 one third of the workforce will consist of millennials.
2018 Global Human Capital Trends
Do you look at your staff through a “people risk lens”? How well observed are your company values? Are you supportive of colleagues, or is the company breeding a culture of closed behaviour, where your employees feel like you’re trying to catch them out? Transparency is key.
Being transparent says “yes, I want to be a part of this organisation”; aim to restrict only sensitive commercial information. As the 2017 EY paper “Managing insider threat through the lens of a seasoned investigator” suggests, you have to have “absolute transparency in purpose and objective” to mitigate threats.
“Back in 2015, we called this trend toward greater transparency “the naked organization”; in 2018, individuals know and expect even more from companies than they did three short years ago.” Bill Windle, CyberInsider
A company Bill had worked with previously made for a good example of the choices businesses have to make regarding complex cultural benefits versus basic profit increases. They decided not to take on a client, even though it would have been a profitable client, because the company felt that employees would feel ethically polarised. In essence, they felt that some of the policies and behaviours of the client were ethically and culturally incompatible. I don’t suppose I need to point out the downward slope of increasing staff costs, staff churn and eroding future revenues.
This company made a decision based on clarity of identity, rather than growth at any cost. They held their values higher than their profit. Who knows what financial outcome that had (but it certainly would enamour me to such a company).
With external brand damage and internal morale being hard metrics to quantify, it can be easy to overlook these costs, but I felt that a lot of what Bill was saying could be linked to company culture. Culture plays a huge part in saving your company from insider risk, among other things (and really deserves more time than this article merits).
When it comes to providing an effective strategy, even if you delegate this to an SAO, it’s clear that having an idea of which strategies would be effective is useful to any operation.
One strategy could be to target your highest risk staff and focus on that one area, company leavers for example. Is it worth having them on board for another month? Do they need access to as much company critical data once they hand their notice in? Do they even need to be there at all? It could be cheaper in the long run to minimise your risk and give them the time before they leave paid, but not in the office. It’s not uncommon for people’s heads to leave before their bodies physically do.
For insider risk monitoring, Bill made it clear that companies need aims, objectives and governance which are fit for purpose, as well as an approach which is demonstrably objective, proportionate and risk-based rather than subjective. We all need to consider the best strategy for our businesses. If your employees know there is a strategy in place with stringent measures and consequences, it makes sense that they’ll be less likely to do it in the first place. In the end the strategy needs to improve the business and make a material difference.
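As an added illustration of the leaver-focused strategy above (restricting and reviewing leavers’ access to company critical data, with the talk’s point that malicious acts cluster roughly three weeks before departure), here is a small Python review script. It is not from Bill’s talk or from HoMER; the HR notice records, the “sensitive” path prefixes and the access log are all constructed sample data, and the three-week window is a tunable assumption.

```python
from datetime import date, timedelta

# Constructed sample data, not from the article. HR supplies who has handed
# in notice and their last day; the file server supplies an access log.
LEAVERS = {
    "alice": {"notice_given": date(2018, 6, 11), "last_day": date(2018, 6, 29)},
}

# Hypothetical "company critical" locations; a real policy would define these.
SENSITIVE_PREFIXES = ("/crm/", "/eng/designs/")

ACCESS_LOG = [  # (date, user, path, bytes read) - constructed sample rows
    (date(2018, 5, 20), "alice", "/crm/clients.csv", 20_000),
    (date(2018, 6, 9), "alice", "/crm/clients.csv", 950_000),
    (date(2018, 6, 12), "alice", "/eng/designs/plan.pdf", 40_000),
    (date(2018, 6, 12), "bob", "/crm/clients.csv", 30_000),
    (date(2018, 6, 15), "alice", "/hr/holiday-form.pdf", 5_000),
]


def review_window(leaver, weeks_before=3):
    """Period in which a leaver's sensitive access is reviewed.

    It opens at notice or three weeks before the last day, whichever is
    earlier, because the talk notes that acts cluster before departure and
    a leaver may have decided to go well before telling HR.
    """
    start = min(leaver["notice_given"],
                leaver["last_day"] - timedelta(weeks=weeks_before))
    return start, leaver["last_day"]


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def flag_leaver_access(log, leavers):
    """Sensitive accesses by leavers inside their review window, largest
    reads first, so a proportionate review looks at the biggest pulls only."""
    flagged = []
    for when, user, path, nbytes in log:
        if user not in leavers or not is_sensitive(path):
            continue
        start, end = review_window(leavers[user])
        if start <= when <= end:
            flagged.append({"date": when, "user": user, "path": path, "bytes": nbytes})
    return sorted(flagged, key=lambda r: r["bytes"], reverse=True)


if __name__ == "__main__":
    for row in flag_leaver_access(ACCESS_LOG, LEAVERS):
        print(row)
```

Only the leaver’s reads of the named sensitive paths inside the window are listed; ordinary HR paperwork and colleagues who are staying are left alone, which keeps the check narrow and risk-based rather than blanket surveillance.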
“Training is normally more valuable than policy.” Bill Windle, CyberInsider
It helps if the whole company is on the lookout for potential risk factors for insider threats:
Bill suggested a range of options to assist with insider threats, and each company will need to take an individual approach. Above, I’ve condensed what was a fascinating info-loaded 90 minutes into a few paragraphs.
If you are concerned about how best to address and manage your potential insider risk and would like specialist help, Bill recommended the Register of Security Engineers and Specialists (RSES), which is sponsored by CPNI.
Bill advised business employees at all levels to consult HoMER, a framework for understanding and mitigating insider risk. All of Bill’s talk was based on HoMER’s principles. It’s a comprehensive document, but worth a read. (It’s split into sections based on level of role, so you can skip to the relevant bit if you don’t want a deep dive.)
It’s not a one-size-fits-all solution. But the following will help:
- CHOOSE — Appoint an SAO (single accountable owner)
- POSITION — Align your senior team on what insider risk means for your company and how it is managed
- GOVERNANCE — Put in place effective insider risk governance. Make your approach transparent, risk-based and proportionate, while protecting knowledge of gaps in your defences.
- STRATEGY — Create and apply your Insider Risk Strategy and ensure it meets your cultural, privacy and legal needs
- TRAINING — Put in place effective insider risk training to ensure your functional leads and supervisors, respectively, understand how the senior leadership team expects them to manage the specific threats they encounter.