CEO – Reveal Risk – a cyber security, privacy and risk management consulting practice; helping companies reveal and reduce their risks.
Insider threat is not always at the forefront of focus in many companies. There is a consistent flow of news about companies being attacked from the outside, but insider incidents usually go unreported unless data regulated by privacy law is impacted. Out of sight, out of mind. The perception that “it won’t happen to us” is a common stance for leaders who don’t yet know they have already faced an insider issue.
Who owns insider threat? I’ve seen it managed under info security, physical security, legal and HR. Regardless of the reporting structure, it is critical to plan for a cross-functional capability that bridges all these functions together. The last thing you want to have is unproductive competition for resources, budget or leadership attention.
Let’s look at the types of insider threat actors:
• A malicious insider intentionally takes advantage of access to inflict harm or steal information.
• An unintentional insider makes an error, disregards policies or falls prey to an external attacker.
• An external attacker obtains access to credentials, keys or secrets deceptively.
A good example of the interplay between these types is to look at the recent Twitter attack. For the attack to be successful, it took a motivated external attacker and compromised unintentional insiders with powerful levels of system access.
These risks usually root back to compromised access to sensitive information. “Privileged access” is special access or abilities above and beyond those of a regular user or system account. This access can yield the most damage if not managed. Focusing on privilege adds significant benefit to cybersecurity and insider threat programs. We must think more broadly than the traditional focus on IT administrative access.
In a recent press release, CyberArk CEO Udi Mokady stated, “In modern IT environments, all identities can become privileged under certain conditions, based on the systems, environments, applications or data they are accessing, or the types of operations they are performing.” We must think more holistically to focus on any level of business access and risk that can be perpetrated.
According to the Gartner 2020 Magic Quadrant for Privileged Access Management, “specific influencing factors driving growth in the market include organizations seeking to mitigate the risk of breaches and insider threats, which are often associated with stolen, compromised or misused privileged credentials.”
With IT systems (especially those migrating to the cloud), traditional IT administration is transforming and expanding across functions and business roles. It is not uncommon for HR, accounting or marketing employees to hold some of the most privileged access in the organization. Insider threat teams must have a broad reach across the organization and prioritize where they start and scale their efforts based upon risk to the business.
While this may seem intuitive, many teams still think traditionally and protect IT first if not exclusively. Examples of broader data and impact-focused thinking from an insider threat perspective include the following:
• Ability To Access Sensitive Data: Access that grants privileged reach into the most sensitive business information (financial information, corporate strategies, utility information, guarded secrets, formulas, etc.).
• Ability To Manipulate Data: Access that can manipulate financial reporting data (e.g., the issues Enron faced with a lack of segregation of duties between individual employees and critical functions of the system and approvals).
• Ability To Process Transactions Or Bypass Controls: Access that can allow high-risk transactions or circumvention of the controls that monitor and protect high-risk transactions (fraudulent SWIFT transactions, check kiting, collusion, etc.).
• Ability To Impact Availability Of Systems Or Machines: Access to system infrastructure and applications that can manipulate, disrupt or sabotage information within the operating environments (system admins, developers, accounts that manage business robotics to automate human tasks, etc.).
• Ability To Control Or Manipulate Access: Access that involves administration controls, with the ability to grant and promote access for oneself or any other employee, application or entity (e.g., the recent Twitter incident).
Insider threat programs also include other components, such as policy, data classification, education, detection, response and more. In my experience, it’s easy to fall into the belief that “you can’t stop the bad guy, so just try to catch him” and spend all your budget on fancy detection and monitoring tools.
My tips for building or enhancing your insider threat program include the following:
• Acknowledge that insider threat is real. Identify where you have the most significant risks, and implement a program to address your exposures.
• Be clear on how insider threat and cybersecurity programs overlap (and where they do not). Emphasize where you get double the value in risk reduction.
• Understand that the focal points of insider threat and privileged access programs must extend beyond IT, regardless of where those programs report.
• Ensure your cybersecurity and insider threat programs are working closely together and driving cross-functional collaboration.
• Prioritize all focus based upon where the risk matters most to your business. “Boiling the ocean” has yet to be a successful strategy for achieving scale and maximizing risk reduction.
Now you understand the importance of an insider threat program. It is always better and cheaper to build a program to manage your insider threat than to rely on post-incident forensics to reveal you had one.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.