In the information and cybersecurity domain, it is well-documented and much discussed that the most significant threat to an organization often stems from its own employees. This was highlighted once again in a recent survey finding that most security breaches are caused by insiders, either intentionally or unintentionally. Insider threats are one of the most difficult threats to mitigate because the very users who must have access to networks and data are also the users who create the most risk to the same data using the same infrastructures. These users could be employees of the organization or staff contracted from service providers who have access to information resources.
Insider threats can appear in the form of a disgruntled employee, a mole working for a person or entity outside of the organization, or an unintentional act due to negligence (i.e., unaware staff unknowingly exposing sensitive data).
Sometimes an unknown backdoor or loophole in the security framework may also inadvertently allow a data breach to happen. An unassessed security policy exception is one such example. This type of threat is challenging because it is harder to control, and sometimes to detect, since authorized users need access to information resources to perform business activities.
To mitigate these threats, cyberprofessionals must consider both unintentional and intentional behaviors that can result in threat materialization. There are straightforward methods of controlling unintentional behavior, but intentional threats are more difficult to mitigate.
In his ISACA® Journal vol. 1, 2017, article “The Persistent Insider Threat: Is Enough Being Done?” author Rodney Piercy, an IT security manager for the US Army, identified several control areas for mitigating insider threats:
- Policies and procedures—Enterprises must implement security policies that clearly specify the security behaviors and awareness levels expected of their staff, and what the penalties are for not adhering to expectations. Explanations that include rationale are important to ensure that the staff understand security threats the organization could face and, therefore, the need to be prepared. Defined procedures should include the actions to be taken if expectations are not met.
- Training—It is important to create and maintain awareness of information security requirements with staff. Training should be conducted at regular intervals and staff should be evaluated on their understanding of the organization’s information security requirements. Awareness training is one of the most effective methods for controlling internal threats due to unintentional behavior.
- Culture—Building a security culture is an important factor in curbing unintentional insider threats. Senior management’s awareness and promotion of information security needs and the behaviors it exhibits toward information security are critical. Senior managers must demonstrate behaviors that convey that information security is a serious business activity. Management should also send the message that it will not tolerate behaviors that are not conducive to information security, even if it means that deadlines could be missed. By demonstrating ideal behaviors, senior management can be a great motivator for other staff.
- Automation—Automation can help an organization minimize human error that might occur due to fatigue or negligence. Automated controls are technology agnostic and are especially useful for performing repetitive tasks that follow a standardized process. Because automated controls are impartial and run the same way every time, they do not take shortcuts that could create loopholes and introduce vulnerabilities in control execution. Major controls that help prevent unintentional and accidental errors can be automated in areas such as access controls, segregation of duties (SoD), interfaces and log monitoring for detecting breaches.
- Hiring practices—Security professionals should consider this the most important control. New employees are the ones who secure an organization’s information. Whether they are salaried employees, contracted employees or an outsourced vendor’s resource, the person being onboarded must have the right attitude toward information security and ethics. Once onboarded, all staff should be treated equally from an information security perspective. Many organizations fail to implement equal hiring practices for contracted employees or employees of outsourced vendors.
Insider threats are persistent. It is important to review controls regularly to ensure that new threats and vulnerabilities do not elevate the possibility of an insider threat materializing. It can be difficult to control mistakes made by authorized users that may result in a data breach, but effective log monitoring can be a useful tool for detecting errors in a timely manner. Controlling insider threats is critical to an organization’s survival. Only by utilizing proper controls can audit and security professionals help minimize incidents and, therefore, impact.
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.