How can organizations meet the insider threat?
Collaboration inside orgs is the best way to ensure threats to data, systems don’t take root
“We have met the enemy and he is us” is a famous quote by cartoonist Walt Kelly that organizations would do well to keep in mind as they work to protect their systems and data. That’s because some of the biggest threats come from the inside.
History shows data breaches often have some kind of insider component, and the damage caused by insider attacks can be especially severe because it can take longer to detect an intrusion at a company when it comes from someone who has permission to be there.
Ironically, the best way to head off the insider threat is from the inside. By that, I mean different internal departments in any organization need to formally band together to share information, strategies, and the work of spotting warning signs.
We’re doing that here at the Federal Reserve Bank of Boston. The information security team that I lead meets regularly in a group with our human resources, legal, and law enforcement departments. We collaborate to prevent insider threats and stop the damage before it starts.
Insider threats can arise from malice – or carelessness
An insider threat can come from a range of sources, and a malicious motive is not required. For instance, one of the biggest insider threats is phishing, when a cyber-attacker uses emails to try to infiltrate networks – often by getting an unaware employee to click a fraudulent link.
Of course, plenty of insiders have set out to harm organizations. The case of former CIA employee Edward Snowden is a classic example of the damage a motivated insider can do. His highly publicized leak of classified information from the National Security Agency jolted companies into recognizing the potentially devastating magnitude of the insider threat.
Common sense practices can reduce insider threats
According to Verizon’s 2019 Data Breach Investigations Report, 30 percent of breaches of the public sector are caused by insiders who misuse or make mistakes related to their access privileges. Meanwhile, Carnegie Mellon University’s Common Sense Guide to Mitigating Insider Threats reports that 30 percent of respondents in the 2017 U.S. State of Cybercrime Survey thought the damage caused by insider attacks was more severe than damage from outsider attacks.
The most recent Carnegie Mellon guide also lists 21 best practices for reducing insider threats. Among them:
- Know and protect your critical assets
- Clearly document and consistently enforce policies and controls
- Anticipate and manage negative issues in the work environment
- Adopt positive incentives to align the workforce with the organization
The guide’s best practices are, indeed, common sense, and they are also critical for a successful insider threat program. But in my opinion, the most valuable part of our program is partnership and collaboration across different functional areas.
Four pillars, four unique views of the insider threat
The Boston Fed’s insider threat program has four pillars, each of which brings a unique view and broader perspective. By meeting and collaborating regularly to specifically discuss insider threats, we help each other put pieces of information together that might fly past us individually.
- Information security monitors loss of data control and inappropriate access to our systems. We can see which employees fit higher-risk profiles and keep an eye on higher-privileged users. We also watch for online activity that looks abnormal.
- Legal has a view on ethics violations and other legal-related matters that could be indicative of an insider threat. They identify relevant legal and regulatory issues, and ensure that any type of investigation and monitoring is done in a fair, consistent way. This is a tricky area, but protecting employee privacy is a priority for the program.
- Human Resources is aware of employee issues that can increase an insider threat. There is a human element to insider risk, and HR has the ability to see potential employee relations patterns developing across a department or the Bank at large.
- Law enforcement can put physical eyes on our insiders, and they’re trained to spot warning signs. Law enforcement sees our employees every day, and can help identify and contextualize behavior that is out of the ordinary.
It’s clear that internal controls are the most effective way to meet the insider threat. Looking inward can be uncomfortable, but the threat is real, the potential damage is huge, and most organizations will find they have the capacity to meet the threat within.