When security experts talk about insider threats, all too often they treat technology as both part of the problem and the solution. They highlight how technology can be the force that allows insider threat to flourish, and conversely how it can be used as a primary prevention tool.
But it’s important to keep in proper perspective the role technology plays on both sides of this issue.
Technology — the Internet, mobile devices, and wireless access — is simply a means to an end. Gaining access to classified or sensitive assets through an insider source, whether by malicious or accidental means, was happening long before the Internet and corporate networks became mainstream. And it will continue to take place. Why? Because criminals recognize that gaining access through inside sources is an effective way to gain access to an organization’s most valued information and resources. At the same time technology is also a tool that organizations can employ to mitigate unlawful access.
Insider threats, at their core, are often rooted more in problems with organizational processes. Some insider threats are a result of insiders with too much access who steal or misuse their access to information, and others are unwittingly used by an external agent as a means to access information. The common thread in each of these scenarios is access —whether it is stolen, mishandled or misappropriated — and access is about organizational process.
These organizational process issues raise important questions for companies to gain clarity around. To whom does your organization give what level of access? And how do they monitor how individual access is used?
Employ Principle of Least Privilege
Organizations should consider how much access they are giving to each employee. Security best practices dictate companies employ the ‘principle of least privilege’. This entails giving users the minimum privileges or access they need to do their job.
Organizational process should begin, of course, with vetting individuals that have access to sensitive information, but even in the case of a well-authenticated employee, an organization should exercise reasonable caution.
Case in point, the issue at the heart of the Bradley/Chelsea Manning case was not that Ms. Manning misappropriated information, but that she had more access than she should have been granted to do her job. In addition, she was given access to sensitive information despite the fact that there were indicators that she could be a security risk, suggesting a gap in communication between vetting results and the team that determined her access level.
Sometimes the telltale signs that indicate an individual may misuse or share sensitive information are present, other times they are more difficult to pinpoint. The bottom line is that organizations should, as a rule, provide their employees with the minimum access they need to properly do their jobs, and no more. This remains the best way to protect any organization’s most valuable assets, its data.
Internal Insider Threat Training
Government agencies and private industries that deal in sensitive information should train human resources, line managers, IT security personnel and others who are in a position to access classified data or work with those who do — on how to pick out a potential bad actor. Just as government agencies launched the ‘say something if you see something,’ marketing campaign in the wake of the 9/11 terrorist attacks, organizations should encourage employees to be more vigilant for potential risks from within.
Additionally, organizations that have a particular concern about insider threat should consider reviewing and approving access to individuals who have the highest level of clearance to sensitive information, to ensure that they can still be deemed trustworthy.
Internal Insider Threats Monitoring
When an insider is identified as having provided access to organizational assets for illegitimate purposes, it is important to first determine whether this action was malicious or simply accidental. For example, if they opened a spear-phishing email attachment, which launched a virus onto the network, that would indicate a need to refresh them on security training.
When information breaches occur, human resources, security personnel and/or line or department managers should review individual records looking for indicators that their work has changed over time. They should also assess if there is a criminal, financial or personal issue that appears to exist that could be influencing their judgment, or if there is a need for counseling.
Security teams should continue to monitor all organizational technology access points to identify where more rigorous security measures are warranted. At the same time, it makes sense to examine organizational processes — including security policies and processes that relate to onboarding and security privileges. Not placing the proper emphasis on strengthening organizational processes to mitigate insider threats sets your company up for unnecessary risk. Proper risk assessment and insider threat program development should seek to minimize the weakest link in the chain — the human factor.