Operational Strategies for Today’s Insider Threat Environment

It has been a decade since U.S. National Security Agency (NSA) contractor Edward Snowden leaked thousands of classified NSA documents to journalists, revealing that the American government was spying on its own people. The Snowden leaks prompted discussions on invasion of privacy, as well as how data is collected, used, stored, and destroyed. Threat management programs that barely scratched the surface of insider vulnerabilities were overhauled to address the looming issue. Insider threats—such as stealing trade secrets, unintentionally exposing login credentials, or purposely sabotaging workplace equipment—were and continue to be top of mind.

No one is immune to insider threats; they are some of the most difficult attacks to detect, defend against, and manage.

At what expense would organizations justify protecting their people, proprietary information, processes, data, and technology without impinging on production? How much protection is too much, balancing risk versus reward?

Organizations’ approach to this balancing act has changed since the shock and awe of the Snowden leaks. The handling of insider threats has evolved from intermittent reactions to being ingrained as part of a proactive process, for example, shifting from simply vetting people based on job history and references to contracting with a third party to review criminal records in any state or country the prospective employee has lived in. Additionally, organizations shifted from trusting employees to respect the access and permissions they have been assigned and following up with individuals if they exceed their authority intentionally or unintentionally to periodically reviewing access rights and permissions to prevent privilege creep.

Organizations have become more transparent about how they manage the data they collect and what they do with it. Just about every website has a privacy statement emblazoned in the footer of the landing page. Virtually unheard of a decade ago, confidentiality and privacy processes have become important tools in the arsenal of mitigating insider threats. The digital side of life saw encryption measures like Transport Layer Security added and robust system monitoring incorporated to monitor and alert when protected confidential data is accessed, copied, or sent outside of the network.

Although security awareness training is more robust now, one challenge that remains prevalent is the risk of unintentional access to the network through clicking on an email link or accidentally providing a way into the network.

Organizations began to realize that solid incident response plans that were already in place to protect against external threats left gaps when it came to dealing with internal threats. Soon, sibling plans were developed to address potential insider threats. Utilizing a holistic approach, all facets of physical, personnel, and cyber threats were considered in developing detection processes.

A key element in recognizing an insider threat is observing and identifying concerning behaviors. When assessing a possible threat, the primary goal is to prevent an incident, whether it is intentional or unintentional. By simply managing insider threats, it is possible to stop the path or change the course of events from a damaging outcome to effectively reducing the risk of loss, regardless of the insider’s behavior (malicious or accidental).

Insider risk programs present various challenges during their inception—including internal collaboration, data sharing, system, and resource limitation—so security professionals must first identify the appropriate controls and align the program with the organization's risk tolerances.

To navigate these challenges, the right questions must be asked.  How does enterprise security risk management (ESRM) support this program? What are the risks and vulnerabilities related that should be monitored real-time, operationally, and enterprise-wide? What tools should be used to address insider risk concerns? Which skills are needed, and how are they acquired? What are the desired insider risk program results that are important to the organization? ESRM establishes a foundation to understand the organization’s risk tolerances and can help program administrators set priorities and identify resources to support the insider risk program.

Fundamentally, the security teams must review and develop a baseline. This means having a clear understanding of the organization’s risk appetite and activities. This baseline helps identify fundamental metrics to support the insider risk program. These metrics include—but are not limited to—physical and logical access control provisioning requirements established on least privileged access, access audits of critical spaces, establishing frequency of security tours, and providing reporting transparency to senior leadership on results.

Instituting physical and logical provisioning is the foundation. This can be done through biometric and card access credentialing, mobile credentialing, background screening, and accountability tools. It is important that the physical identity access management (PIAM) and security incident event management (SIEM) systems share information to see a holistic view of the physical and logical user activity. This can be accomplished through using data analytics AI driven software to report on real-time risks for physical and logical risk behaviors.

There are five areas to consider when developing an insider risk program: mission, enterprise perspectives, grounding, operational strategies, and readiness. Always remember to develop, enforce, and review policies.

Mission

Security’s mission is to educate, influence, and inspire change through an adaptive security model, ensuring alignment and evaluating all aspects of security. Placing focus on both physical and cyber by aligning those teams bestows a holistic view of the potential insider risks surrounding the operational environment. Hence, considerations should be made to test both physical and cybersecurity environments, including human operators’ responses.

Social engineering attacks go by many different names, such as phishing or vishing, but the premise of manipulating users has the same goal: the disclosure of confidential, financial, or network information by tricking users into making mistakes or taking advantage of their trust.

The insider threat does not always originate from a disgruntled employee when it comes to social engineering. An unknowing or reckless employee may cave in to the urgency, curiosity, or fear produced by a well-crafted social engineered message. Through education and annual campaigns, users learn how to identify and manage these requests. Conducting frequent phishing campaigns helps to build confidence in users to pause their actions before proceeding with a suspicious email, phone call, or electronic message. This social engineering can be accomplished through third-party industry resources in collaboration with internal subject-matter experts.

Enterprise Perspectives

ESRM can provide the foundation to have open dialog across all risk management spectrums of the organization. Security must maintain perpetual communication with the C-suite to ensure executive management expectations are met through proper funding and monitoring of the insider risk program. Additionally, ensure physical and cybersecurity strategies have an all-hazards approach that supports and aligns with the insider risk program response protocols.

Grounding

Grounding is understanding the organization’s enterprise risk appetite and knowing that it may be challenging and require leadership influencing. Experience tells us when the risk changes, the organization’s risk appetite should adapt to meet that landscape. ESRM can provide transparency across the risk management spectrum and assist with program direction, accountability, and management expectations.

It’s also important to review insider risk and cyber insurance options with insurers—don’t have a strategy without it.

Operational Strategies

Logical and physical access is a principal element of any mature security program. Background screening for those requiring physical and logical access is a fundamental component to ensure operational practices are consistent with access control procedures for both onsite and offsite employees, which includes vendors.

Make sure that there is continuity of services between employee and vendor screenings, for instance. Before onboarding a new vendor, assess the organization by reviewing its financial status, security plans and processes, how confidential information is handled, and whether an identical security threshold is in place.

Readiness

It is important to measure the readiness of the organization to help identify gaps and areas for improvement. Finding the right stakeholders may vary depending on the size of the organization. Physical security, cybersecurity, risk management, legal, and human resources should be among those who are selected in the program. Each one of these stakeholders brings the necessary resources to the forefront to establish policy and procedures to govern the insider risk program.

So, how can we measure readiness and collect the necessary information to support the insider risk program? 

Employee surveys. These are a great opportunity to leverage human resource partners to help assess the organization's stressors. Developing an employee survey is a terrific way to test the temperature with change and stress within the workplace. Surveys are great tools to help collect information to identify risk.

Security site surveys. Conducting security site surveys is a great strategy to help assess operational risk that can support an insider risk program. The frequency of the critical area tours must be identified so appropriate information can be shared with the monitoring team.

At a minimum, annually assess users’ access to secure areas in the building and secure files on the network, and then adjust as necessary to prevent privilege creep. Employ the principle of least privilege to ensure that a user only has access to the specific data, resources and applications needed to complete a required task.

Information sharing. Should be considered a crucial information sharing strategy because it is an essential element to an insider risk program. Threat management in any organization should include HR, legal, risk management, physical security, and cybersecurity.  Confidentiality and non-disclosure agreements should be reviewed and agreed upon before sharing confidential records, business processes or even an internal tour of a business or plant. This helps to protect company secrets and proprietary property.

Training. Conduct security awareness training, which includes access control, confidentiality, active shooter, and suspicious email topics, at least once a year. Enforce cyber concepts by conducting frequent phishing campaigns. Education is the best prevention.

Data sharing. Communication between systems to provide situational awareness should have priority. The relationship between the physical identity access management (PIAM) systems and cyber-centric security incident event management (SIEM) systems is especially important because we want to establish a holistic view of the environment for the potential threats that surround us.

Remember: it’s not a question of “if” an organization is going to be exposed to malware or ransomware, it’s “when.” Eliminate opportunities for sharing data by banning removable media like thumb drives and securely disposing of hard drives and hard copy documents. Implement a clean desk policy to eliminate temptation for curious eyes. Security tours can help identify compliance issues.

Beyond policies, technology can boost organizations’ detection and response resources. For instance, security teams can implement a log management tool that uses self-learning AI to learn the patterns of the network and users. Those learned patterns help to identify anomalies that could indicate network intruders, malicious user behavior, or network issues and send alerts in real time.

To effectively manage insider risk programs, organizations must cross-functionally share information. This avoids silos and provides an adaptive threat management strategy. By inaugurating these stakeholders together, we increase the insider risk response capabilities, and build a better understanding of ESRM. Equitable tools help monitor cultural norms and meet leadership expectations by keeping the finger on the pulse of the current threat and risk landscape. This provides a cyclic improvement model to advance the organization’s security posture.

Robert Achenbach, Ed.D, CMAS, is the chief security officer (CSO) and senior director, Corporate Security and Safety, at First National Bank of Omaha. Achenbach served as CSO for the past 18 years, and his 30 years of accomplished experience is in risk mitigation and program development within government and private sector administrations. He directed sound consultation to improve security measures, systems, and strategies in the compliant protection of equipment, information, and personnel. Achenbach is a Certified Master Anti-Terrorism Specialist (CMAS) with the Anti-Terrorism Accreditation Board.

Deb Andersen, PSP, CISSP, is the security administrator, Physical and Cyber Security, at MWI Direct in Lincoln, Nebraska, where she manages all aspects of physical and cyber security processes, policies, and training.  She has more than 15 years of security experience, including developing and implementing a global manufacturing company’s physical security and Customs Trade Partnership Against Terrorism (C-TPAT) program, conducting third party risk management assessments, and designing and implementing security solutions for businesses. Andersen holds a PSP certification from ASIS International and a Certified Information Systems Security Professional (CISSP) from ISC2.