By Dan Velez, Director, Insider Threat Operations
This is the season for New Year’s resolutions. Of course, we all realize that some of these “promises” are easier to keep than others. But if experience has taught us anything, it’s that we meet with more success here when our goals are tangibly beneficial and realistically achievable: We know what positive outcomes we’ll derive. And getting there won’t overwhelm us to the point where we quit.
We should take the same approach in “resolving” to confront the ever-growing presence of insider threats, as nearly three-quarters of organizations are vulnerable to these threats, according to survey research from Palerra. But only 42 percent have the right controls in place to prevent them.
I’ve found that organizations typically fail to establish these controls because they’re daunted by the enormity of the issue, i.e., a “Where do we start?” syndrome. So I advise them to tackle it like you would a successful New Year’s resolution commitment by adopting the following three attainable and impactful steps:
- Build your program’s foundation upon risk management. I’m asked to attend many client meetings about insider threats, and the conference rooms are inevitably filled with IT engineers. They want to proceed with a completely tech-centric strategy, leaving out the business and “people” part of the equation. What’s needed, I tell them, is the involvement of risk management leaders, so we can align everything we’re doing to the business at hand. Through optimal risk management analysis, we determine what is unique about our organization, and how insider threats can keep us from the pursuit of strategic goals. As part of this, you conduct an inventory to identify your data-based “crown jewels” – what are they, and where do they exist? – and develop a risk management plan to protect each one. The plan should cover not only technical solutions, but the human element. (But more about the latter in our third and final “resolution.”)
- Put someone in charge. Every ship needs a captain, right? Your initiative will go nowhere if you fail to appoint a person with proper credentialing as its manager. Again, the manager does not move forward with strictly “tech” remedies. He or she may not have a deep background in cybersecurity solutions. But the manager must be capable of combining the risk management approach with a technical one to assemble a valuable and lasting insider threat response – one that remains consistent as it’s applied to a cross-section of departments enterprise-wide.
- Train, train, train … As promised, this is where the “people” part comes into play. You have incorporated a risk management approach. You have designated a person in charge. Now, you have to bring your program and message to those who represent the “make or break” factor in terms of future success – your employees. Because our final resolution proves so essential, let’s break it down into four critical training components:
- Defining the insider threat. Insider threats come in many forms. They are malicious employees who intentionally steal data, sabotage systems, etc. because they were passed up for promotions and raises – or simply hate their bosses and/or jobs. In addition, there are “accidental” insiders who bear no ill will toward their organizations, but still invite compromises due to their risky behaviors. Then there are third parties – the contractors and partners whose level of risk becomes our level of risk due to our business associations and interdependencies upon systems, apps, communications tools, etc. You should make your employees aware of all forms of insider threats.
- Illustrating what insider threat activity looks like. Here is where you educate staffers about what to look for and what to do. In addressing accidental insider scenarios, you must raise awareness about the dangers of shared passwords, and the need to change passwords routinely while avoiding the use of simple, predictable ones. Employees should learn about the latest in phishing scam techniques as well – where did that link come from, and how do I know if I can trust the source? As for malicious insiders, staffers should know how to recognize them … Is a colleague always grumbling about work, the company, etc. and constantly transferring files to a thumb drive? Are the files unrelated to his work? Does he log in from odd locations, at odd hours? You must explore these and other classic trouble signs.
- Explaining why this matters. Don’t overlook the “who cares?” question, because your employees will ask it – either overtly or quietly among themselves. Enlighten them about the potential for insider threats to trigger productivity disruptions, systems crashes, corporate losses, reputational damage and strategic failure. Such fallout can lead to devastating consequences which affect everyone, as the cost of insider threat incidents now averages $4.3 million, according to research from the Ponemon Institute.
- Announcing what the organization is doing. Using live presentations, printed materials and online resources, walk your people through your intended immediate and long-term action steps. This includes technical and auditing controls. But you should also provide helpful information about, say, a central website through which staffers can find out about the latest insider threat trends and even share best practices.
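The “classic trouble signs” named in the second training component (logins at odd hours or from odd locations, and bulk file transfers to a thumb drive) are exactly the kind of indicators an insider threat manager can ask the security team to alert on. The following is an added illustration, not code from this post or its author, of how such indicators can be expressed as simple detection rules run over an audit log. The log format, user names, baseline locations, business-hours window and the threshold of three removable-media copies are all constructed assumptions for the example; a real program would derive the baseline from the organization’s own identity and endpoint telemetry.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit log (not from the post). One event per line:
#   <ISO timestamp> <user> <event type> <detail>
# LOGIN detail is the network location; USB_COPY detail is the file name.
SAMPLE_LOGS = """\
2017-01-09T09:12:04 alice LOGIN office-hq
2017-01-09T22:47:10 bob LOGIN cafe-wifi
2017-01-09T23:02:33 bob USB_COPY Q4_customer_list.xlsx
2017-01-09T23:04:01 bob USB_COPY payroll_export.csv
2017-01-09T23:05:17 bob USB_COPY merger_memo.docx
2017-01-10T08:30:00 alice USB_COPY presentation.pptx
2017-01-10T14:15:22 carol LOGIN home-vpn
"""

# Assumed per-user baseline of locations they normally log in from.
# In practice this would be learned from historical data, not hard-coded.
BASELINE_LOCATIONS = {
    "alice": {"office-hq"},
    "bob": {"office-hq"},
    "carol": {"office-hq", "home-vpn"},
}

BUSINESS_HOURS = (8, 18)      # assumed: 08:00 to 18:00 local time
USB_COPY_THRESHOLD = 3        # assumed: flag three or more copies to removable media

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_log(text):
    """Turn raw log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, event, detail = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "detail": detail,
        })
    return events


def is_off_hours(ts):
    """True when the hour falls outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def find_indicators(events, baseline=BASELINE_LOCATIONS):
    """Apply the three trouble-sign rules and return (user, timestamp, reason) tuples."""
    findings = []
    usb_copies = Counter()

    for e in events:
        if e["event"] == "LOGIN":
            reasons = []
            if is_off_hours(e["ts"]):
                reasons.append("off-hours login")
            if e["detail"] not in baseline.get(e["user"], set()):
                reasons.append(f"unfamiliar location {e['detail']}")
            if reasons:
                findings.append((e["user"], e["ts"].isoformat(), "; ".join(reasons)))
        elif e["event"] == "USB_COPY":
            usb_copies[e["user"]] += 1

    # Volume rule: many files to removable media is a sign worth a human look,
    # even when each individual copy is unremarkable.
    for user, count in usb_copies.items():
        if count >= USB_COPY_THRESHOLD:
            findings.append((user, None, f"{count} files copied to removable media"))

    return findings


def flagged_users(findings):
    """Set of users with at least one finding, for the manager's review queue."""
    return {user for user, _, _ in findings}


if __name__ == "__main__":
    for user, ts, reason in find_indicators(parse_log(SAMPLE_LOGS)):
        print(f"{user:6} {ts or '-':20} {reason}")
```

Each finding is an indicator, not a verdict: the post’s point is that a colleague matching one of these signs warrants attention from the person in charge, who weighs it against business context. Keeping the rules as separate, readable conditions also makes them easy to explain in the training sessions the post describes, so employees understand what is being monitored and why.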
With a risk management “big picture” plan, a person in charge and ongoing training/awareness, you cultivate a culture of insider threat deterrence. The culture is there on the office bulletin board and company signage. It’s in the office kitchenette where employees gather to share what they’re observing. It’s in their email inboxes, as your insider threat manager sends the latest in related news and recommendations.
As a deterrence culture takes hold, you reduce the potential for pushback on the technologies you’ll soon introduce to monitor for insider threat activity and prevent/mitigate it. Without such a culture, employees may find the technologies intimidating. But once they understand what’s at stake, they’ll not only accept the changes and the program in general – they’ll emerge as advocates for them, as “resolutions” that are worth keeping.