“There’s an app for that.”
Apple’s ubiquitous tagline-turned-punchline is still going strong, 6 years after its debut. As our lives are increasingly driven and enhanced by digital tools of all kinds, the humorous irony resonates: we can’t actually control everything from our smartphones. One of the thorniest issues facing security professionals is a perfect case in point: we can’t rely on technology to keep our technology and data safe from our employees’ bad habits, gullibility, laziness, or malfeasance.
Trust? There’s no app for that.
Increased Exposure from Insiders
Numerous factors are increasing organizations’ exposure to threats posed by insiders, and technical controls are limited. To combat these threats, organizations must invest in a deeper understanding of trust, and work to improve the trustworthiness of insiders.
The insider threat has intensified as people have become increasingly mobile and hyper-connected. Nearly every worker has multiple, interconnected devices that can compromise information immediately and at scale: impact is no longer limited by the amount of paper someone can carry. Simultaneously, social norms are shifting, eroding loyalty between employers and employees. A job for life is being replaced by a portfolio of careers.
While estimates vary, Information Security Forum analysis of the 2015 Verizon Data Breach Investigations Report found that up to 54 percent of incidents reported in 2014 were a direct result of insider behavior. Leading organizations across all sectors are looking for ways to address the evolving insider threat. Leaders who ignore or encourage inappropriate insider behavior should expect financial, reputational or legal consequences.
How do organizations determine who is trustworthy enough to be let inside – then build and maintain loyalty with a transient workforce? How do organizations manage risk while minimizing costs related to vetting, security checks, and identity and access management?
Most research on the insider threat focuses on malicious behavior. However, the threat is considerably broader. Insider negligence and insider accidents comprise a greater and growing proportion of information security incidents. Chief Information Security Officers (CISOs) who limit their thinking to malicious insiders may be gravely miscalculating the risk.
Insiders Can Be Complicit
Insiders can unknowingly facilitate the actions of malicious outsiders. By responding to phishing emails, for example, insiders can enable external attacks to succeed where they might otherwise fail. I remember reading that one organization tested its employees by sending 150,000 fake phishing emails, and nearly 50 percent of recipients clicked on the link within an hour. The USPS provides another cautionary tale: after being hacked via phishing in September 2014, the Inspector General tested security policy compliance by sending a bogus phishing email to a sample population of postal workers. Twenty-five percent of the recipients clicked on the link in the faked email, and fewer than 10 percent reported the suspicious email as required.
Insiders can also intentionally assist external attackers. According to Charles Hecker and Eben Kaplan, there have been instances where “seasonal, temporary or part-time workers used their short-term access to company systems and processes to assist outside actors in perpetrating substantial frauds. Once safely on the outside, their inside knowledge helps them manipulate their former co-workers and their former employer’s fraud prevention measures.”
Insider Threat Becomes Insider Risk
With a few notable exceptions, the impact from information being compromised is comparable, irrespective of whether the insiders act maliciously, negligently or accidentally. In contrast, the likelihood can vary considerably, and depends on the complexity of people, including their motives, loyalties, ideologies and relationships with organizations.
To understand the risk posed by insiders, organizations must understand both the impact and likelihood of insider threat-driven incidents. In other words, ask yourself what happens when employees break trust, and what’s the empirical probability such incidents will occur in your organization?
Trust Sits at the Epicenter of Insider Risk
Workers need privileges to perform their roles responsibly. A payroll manager, for example, has an obligation to ensure employees are paid the correct amount, which in turn requires access to sensitive salary information.
Privileges should be accompanied by technical and management controls, which are designed to limit risk. Access to payroll data is restricted to authorized individuals, and segregation of duties (the person who submits a payment is not the person who approves it) can ensure that sums are validated before being paid, reducing the likelihood of fraudulent payments.
There are limitations to these controls, so privileges always come with some degree of trust. Controls can stop a payroll manager from approving his own payments; they cannot stop him from reading the salary data his role legitimately requires. Organizations are therefore trusting that a payroll manager will not divulge salary data maliciously, negligently store it in an unauthorized cloud service, or accidentally email it to a list of inappropriate recipients.
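The payroll controls described above, written out as an added example (this code is not from the ISF article; the roles, user names, employee IDs and salary figures are constructed for illustration). It enforces least privilege through a role-to-permission map, segregation of duties by refusing to let a submitter approve his own request, and amount validation against reference data before a payment is released. It also records denials and rejections in an audit log, which is the part of the control that management oversight actually reads.

```python
"""Least privilege plus segregation of duties for a payroll run.

Added example, not code from the ISF article. All roles, users,
employee IDs and salary amounts are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Role -> permissions. No single role holds both "submit_payment" and
# "approve_payment"; that split is the segregation-of-duties control.
ROLE_PERMS = {
    "payroll_manager": {"read_salary", "submit_payment"},
    "finance_controller": {"approve_payment"},
    "engineer": set(),
}

# Reference salary per employee ID (constructed). In practice this is
# maintained outside the payroll manager's write access, so a fraudulent
# submission cannot also alter the figure it is checked against.
EXPECTED_SALARY = {"E100": 5200.00, "E101": 4100.00}


class ControlViolation(Exception):
    """Raised when a request fails a technical control."""


@dataclass
class PaymentRequest:
    employee_id: str
    amount: float
    submitted_by: str
    approved_by: Optional[str] = None


@dataclass
class PayrollSystem:
    users: Dict[str, str]                      # user -> role
    audit_log: List[str] = field(default_factory=list)
    pending: Dict[str, PaymentRequest] = field(default_factory=dict)

    def _require(self, user: str, perm: str) -> None:
        """Least privilege: deny unless the user's role grants the permission."""
        role = self.users.get(user)
        if role is None or perm not in ROLE_PERMS.get(role, set()):
            self.audit_log.append(f"DENY user={user} perm={perm}")
            raise ControlViolation(f"{user} lacks {perm}")

    def submit(self, user: str, employee_id: str, amount: float) -> PaymentRequest:
        self._require(user, "submit_payment")
        req = PaymentRequest(employee_id, amount, submitted_by=user)
        self.pending[employee_id] = req
        self.audit_log.append(f"SUBMIT user={user} emp={employee_id} amount={amount:.2f}")
        return req

    def approve(self, user: str, employee_id: str) -> PaymentRequest:
        self._require(user, "approve_payment")
        req = self.pending.get(employee_id)
        if req is None:
            raise ControlViolation(f"no pending request for {employee_id}")
        # Segregation of duties: the submitter may never be the approver.
        if user == req.submitted_by:
            self.audit_log.append(f"DENY user={user} reason=self-approval emp={employee_id}")
            raise ControlViolation("submitter cannot approve own request")
        # Amount validation against reference data before money moves.
        expected = EXPECTED_SALARY.get(employee_id)
        if expected is None or abs(req.amount - expected) > 0.005:
            self.audit_log.append(
                f"REJECT emp={employee_id} amount={req.amount:.2f} expected={expected}")
            raise ControlViolation("amount does not match expected salary")
        req.approved_by = user
        self.audit_log.append(f"APPROVE user={user} emp={employee_id} amount={req.amount:.2f}")
        return req


if __name__ == "__main__":
    system = PayrollSystem(users={"alice": "payroll_manager",
                                  "bob": "finance_controller",
                                  "carol": "engineer"})
    system.submit("alice", "E100", 5200.00)
    system.approve("bob", "E100")            # valid: different person, correct sum
    for line in system.audit_log:
        print(line)
```

Note what the example does not control: "alice" can still read every salary, because her role needs that to do the job. Nothing in the code stops her from copying the figures to a personal cloud account or emailing them to the wrong list. That gap is exactly the residual trust the article is describing.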
Organizations recognize that they need to trust insiders to behave appropriately. Workers undergo background checks before starting, and may earn greater trust as their service and seniority increase. Organizations also require professional certifications for certain roles and provide training courses to equip their people with the knowledge and skills they need to remain trustworthy and develop strong security habits.
Organizations’ reliance on trust as a control has increased dramatically with advances in information technology and changing work environments. More and more people are being given long-term access to organizations’ critical systems – while there are more short-term contractors and, according to Carl Colwill, it is “now more normal for staff to move between organizations and regions on a regular basis.”
How many organizations truly understand the aggregate risk from the trust they put in their people, from system administrators to everyone who is given a laptop or allowed to use their smartphones and tablets at work?
Understanding Insider Risk
ISF Member organizations are adept at estimating impact, supported by tools including the Business Impact Assessment and Business Impact Reference Table highlighted in the ISF Information Risk Assessment Methodology 2 (IRAM2).
Likelihood is more difficult to determine. The likelihood of an insider threat being realized can be thought of as the likelihood that an insider will behave in a way that does not uphold the trust placed in them. Numerous factors influence whether or not trust will be upheld. Previous ISF research on insider threats described a useful model to examine what happens when people have motive, opportunity and means. These ideas can be extended by considering how trust plays a role in each type of risky behavior.
For malicious incidents, the breach of trust is often clear, as it was when an employee kept sensitive proprietary information after termination and provided it to a competitor where he became a paid consultant.
Whistleblowing is related; however, the intent tends to be based on ideologies or morals. For example, Edward Snowden, who gathered and leaked classified documents on government surveillance, asserts that he acted out of loyalty to defend the US constitution from illegal acts, not out of malice toward his organization.
Negligent behaviors often occur when people look for ways to work around policies they feel hinder their ability to carry out their responsibilities. Insiders are expected to follow policy, but may also receive contradictory instructions, such as the need to meet a deadline or financial target.
Most workers recognize the importance of compliance and have a general awareness of security risks. Unfortunately, their workarounds can be less secure than they realise. One worker justified violating policy and using unencrypted USB drives because they are easier to obtain and use than encrypted ones. He mistakenly believed that security could be preserved by simply deleting files after use.
Lack of oversight can rise to the level of a negligent insider risk, such as when a scandal uncovers that board members had no knowledge of widespread illegal or risky activities.
A large majority of ISF Members have said that accidents were more common and of greater concern than malicious acts. Accidents also form a significant portion of the information security incidents included in Verizon’s 2015 Data Breach Investigations Report.
- More than 100,000 incidents are grouped into nine basic patterns, the largest of which is miscellaneous errors at just under 30 percent.
- Three of the top four categories of miscellaneous errors are accidental behaviours, including misdelivery, publishing error and disposal error.
Accidents can have significant consequences; one organization was fined £120,000 after 11 unencrypted emails containing sensitive childcare information were sent to the wrong address.
Recommendations for Managing Insider Risk
Managing risk posed by the insider threat should extend across all three types of risky behaviour: malicious, negligent and accidental. Once the risk is assessed, immediate results can come from applying technical and management controls, and from aligning roles, responsibilities and privileges throughout the employment life cycle.
But that alone is not enough. Organizations must nurture a culture of trust, one where the organization can trust its insiders – and insiders can trust the organization in return. Organizations with a high exposure to insider risk should expand their insider threat and security awareness programs.
Embrace a Deeper Understanding of Trust
The trust organizations are placing in insiders has grown with advances in information technology, increasing information risk and changing work environments. This trend will continue as the volume of information insiders can access, store and transmit continues to soar, and as mobile working for multiple employers becomes the status quo.
Leading organizations can combat the insider threat by implementing the recommendations I’ve referenced above. Start by assessing insider risk. For immediate results, implement technical and management controls, and align roles, responsibilities and privileges throughout the employment life cycle.
Recognize that technical and management controls have limitations. Organizations need to trust their insiders to protect the information they handle – and will always face some risk of that trust not being upheld. Remaining purposefully engaged with employees through ongoing oversight and training can help management detect risky activity before it’s too late.
Finally, embrace a deeper understanding of trust. Organizations must understand where and how they are trusting their insiders – and must augment technical and management controls by helping people to become more worthy of the trust placed in them. Equally, organizations should foster a culture that makes the organization worthy of trust in return.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.