
Insider Threats: Getting to the left of Boom!

Dan Leyman
February 15, 2021

Many experts see 2021 as the year of insider threats. As we are aware, most people are experiencing more life stressors and stronger emotions than in normal times. This creates an increased risk for insider threat activities. This has been spotlighted by Forrester. They predict insider incidents will cause 33% of data breaches in 2021, up from 25% in 2020.

Why the increase?

  • Strong emotions may distract an employee, causing them to become negligent or inadvertent insiders. As their controlled environment changed in the past year, employees working remotely may be more likely to click on links in phishing emails, circumvent security practices, or inadvertently damage organizational assets or data.
  • People may be more likely to take intellectual property with them when they move to another organization.
  • Increased life stressors and emotions can result in an employee lashing out to sabotage the organization or engage in workplace violence.

Are these insider risks managed effectively by traditional security operations?

Most organizations have technical controls in place to identify data-driven potential insider risks, such as data loss prevention (DLP) software. While it is unlikely you will be able to stop all insider behavior, organizations can do better. The news media reports insider risk incidents every day, and many more don’t make the news. Companies handle the incidents internally to avoid the complications external exposure brings. One insider case involved an automobile manufacturer whose employee modified the vehicle’s manufacturing operating system and stole information.[1] The employee installed and modified the software within six months of being hired. The company discovered the modification and confronted the employee. Had the company identified and aggregated the following insider indicators sooner, it might have prevented the sabotage and damage.

  • Contextual indicators
    • The organization recently hired the insider.
    • He had access to extremely sensitive information.
  • Human behavioral indicators
    • The insider complained of not being in a sufficiently senior role in the organization.
    • He demonstrated poor job performance.
    • He was disruptive and combative with colleagues, resulting in his assignment to a new role.
    • He expressed anger at his role reassignment.
  • Technical control indicators
    • The insider exceeded his authorized access to change the manufacturing operating system.
    • He installed software on three separate computer systems to export the confidential data, even after he left the company.

Note that the technical indicators occurred at the end of this series of events. The human behavioral indicators started occurring “within a few months” of the automaker hiring the insider. A holistic insider risk program, aggregating and analyzing not only the technical indicators, but also the contextual and human behavioral indicators, might have allowed the company to identify the insider earlier, increase monitoring efforts, and intervene before he could exfiltrate sensitive information and damage the organization.

What do technical-centric insider programs miss that a holistic insider risk program provides?

In addition to traditional technical control indicators, organizations also need to consider contextual indicators, such as who has access to critical assets and their role in the organization. Mature, effective insider risk programs take the necessary next step to prevent insider damage. They include “human behaviors” such as life stressors, ethics policy violations, performance issues, and disciplinary actions in their indicator aggregation and risk analysis, thereby positioning the organization to intervene and prevent considerable damage. Correlating, aggregating, and analyzing indicators from each category allows the organization to anticipate and manage potentially negative issues and attain a more comprehensive risk picture.
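The aggregation described above can be sketched as a running per-person score across the three indicator categories, compared against a technical-only view. This is an added example, not part of the original article; the events, dates, weights, threshold and subject IDs are constructed assumptions modelled loosely on the automaker case.

```python
from collections import defaultdict
from datetime import date

# Constructed events: (subject, date, category, indicator). Dates, weights and
# the threshold are assumptions for illustration, not values from the article.
EVENTS = [
    ("emp-001", date(2020, 1, 6),  "contextual", "recent_hire"),
    ("emp-001", date(2020, 1, 6),  "contextual", "sensitive_access"),
    ("emp-001", date(2020, 3, 2),  "behavioral", "role_complaint"),
    ("emp-001", date(2020, 3, 20), "behavioral", "poor_performance"),
    ("emp-001", date(2020, 4, 10), "behavioral", "conflict_with_colleagues"),
    ("emp-001", date(2020, 4, 24), "behavioral", "anger_at_reassignment"),
    ("emp-001", date(2020, 6, 1),  "technical",  "exceeded_authorized_access"),
    ("emp-001", date(2020, 6, 15), "technical",  "unauthorized_software_install"),
    # A second subject with isolated indicators that should never be flagged.
    ("emp-002", date(2020, 2, 3),  "contextual", "sensitive_access"),
    ("emp-002", date(2020, 5, 4),  "behavioral", "poor_performance"),
]
WEIGHTS = {"contextual": 1, "behavioral": 2, "technical": 4}  # assumed weights
REVIEW_THRESHOLD = 6                                          # assumed threshold
ALL_CATEGORIES = {"contextual", "behavioral", "technical"}

def first_review_date(events, categories):
    """Return {subject: date the running score first reaches the threshold},
    counting only indicators in `categories` and each indicator once."""
    scores, seen, flagged = defaultdict(int), set(), {}
    for subject, day, category, indicator in sorted(events, key=lambda e: e[1]):
        if category not in categories or (subject, indicator) in seen:
            continue  # out of scope for this view, or a repeat of a known indicator
        seen.add((subject, indicator))
        scores[subject] += WEIGHTS[category]
        if subject not in flagged and scores[subject] >= REVIEW_THRESHOLD:
            flagged[subject] = day
    return flagged

def lead_time_days(events):
    """Days by which the holistic view flags a subject before the technical-only view."""
    holistic = first_review_date(events, ALL_CATEGORIES)
    technical = first_review_date(events, {"technical"})
    return {s: (technical[s] - d).days for s, d in holistic.items() if s in technical}

if __name__ == "__main__":
    print("holistic view:      ", first_review_date(EVENTS, ALL_CATEGORIES))
    print("technical-only view:", first_review_date(EVENTS, {"technical"}))
    print("lead time (days):   ", lead_time_days(EVENTS))
```

With these constructed inputs, the holistic view reaches the review threshold on the second behavioral indicator, while the technical-only view reaches it only after the second technical event.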

What are the solution and benefits of a holistic insider risk program?

Starting and maturing an organization-wide insider risk program may be a daunting task for some organizations. It is a journey, not a sprint to the finish line. Key, high-level steps for developing a holistic program include:

  • An organization-wide assessment

This can identify existing components, processes, and data necessary for developing a comprehensive insider risk picture and develop a strategic vision roadmap to achieve your program maturity goals.

  • Buy-in from many stakeholders

You will need to gain buy-in from many stakeholders throughout the organization to aggregate the necessary indicators. Cybersecurity contributes indicators from computer networks and systems. Physical security provides indicators from badging systems and other physical security controls. Ethics can include violation information from their systems. Human Resources maintains employee background, performance, disciplinary, and other beneficial information. Finance can provide wage garnishment and other financial information pertinent to insider risk. And legal is essential to help navigate privacy and other legal pitfalls. Organizations are already collecting almost all the data that the insider risk program uses. The more effort you expend to obtain stakeholder buy-in and cooperation, the more robust your insider risk program will be, and the better you will be able to address your overall organizational risk environment.

  • Documentation

Creating and evolving foundational documentation and appropriate policies, processes, and procedures are essential for your program operations.

  • Training

Training program personnel and providing role-based training and awareness to employees will help tremendously in mitigating insider risk.

  • Centralize data collection

Once your program is operational, consider deploying a platform to collect, integrate, and analyze insider risk indicators.

  • Metrics and reporting

Identify metrics and reports to optimize your program and demonstrate program business value and return on investment.

  • Incorporate trusted third parties

Expand your program to trusted partner organizations, contractors, and supply chains.

  • Optimize

Finally, realize your need to continuously reevaluate the program to determine its effectiveness and ensure it evolves.

Getting to the left of boom!

As seen above, human behavioral, contextual, and technical indicators as part of a holistic insider risk program allow organizations to better identify the insider before they travel too far down the wrong path. Timely intervention can help the employee avoid a dire situation, allow organizations to retain a highly trained, valuable employee, and avoid costly damage to both the organization and its reputation.

Please contact us with questions about this article or to help you build an effective insider risk program.
