Risk Management and Insider Threats
Risk management is a term bandied about by a lot of experts. It is critically important, of course, but it is also a catch-all that can seem disconnected from the immediate, concrete work of securing systems and meeting regulatory requirements.
So when insider threats come up, it can be hard to see how risk management and security controls work together to address them. Here, we discuss how some simple risk management practices can start to address insider threats.
What Is an Insider Threat?
Insider threats are security events where a party internal to your organization facilitates data theft, unauthorized system access, or other issues. This internal party can be an employee (current or former), a contractor or a vendor that works with your organization and has access to sensitive information or resources.
An insider can be anyone with access to your systems, including any of the following parties:
- An employee with physical access to information in a local office building.
- An employee (current or former) with digital access to IT systems who can take that information whenever they choose.
- A third-party contractor who has been given access to system resources within the scope of their job.
- An executive with intimate knowledge of system security or sensitive information.
Unlike an external attack or phishing attempt that tries to pry information out of your organization, an insider threat is a problem precisely because the threat is someone the organization already trusts with system access. That person may have detailed knowledge of internal systems, or elevated access and privileges over organizational data.
How significant are insider threats? Imperva and Forrester released a report showing that nearly a quarter of the most notable breaches of 2021 were related to “human error or compromised credentials.” Note that this figure covers negligent insiders and outsiders using stolen insider credentials, not only deliberately malicious insiders.
Furthermore, organizations facing insider threats often report that they don’t have a plan to deal with insider threats. A full 70% of polled organizations in the report state they don’t have an insider threat risk strategy.
How Does Risk Play a Role in Identifying Insider Threats?
According to the Cybersecurity and Infrastructure Security Agency (CISA), organizations must manage insider threats as part of their security obligations. While CISA’s guidance is aimed primarily at contractors working with government agencies, in a world of interconnected industrial systems and wide-ranging industrial espionage it is fair to say that risk assessment is a necessary part of security for most organizations.
Risk assessment is a critical part of mitigating insider threats, specifically because insider threats are often difficult to detect. Unlike technical security flaws, which can be identified, cataloged, mitigated and monitored, insider threats are often insidious and hard to follow because they involve complex human factors.
More importantly, risk management can give your organization a comprehensive view of the potential threat landscape related to insiders, because insider threats show up from several angles: in personal behavior and in technical activity.
The most common warning signs of insider threats are personal actions that often fly under the radar.
Some common patterns that can denote the potential for insider threats related to individual actions include:
- Frequent violations of data security or compliance rules. These might include unauthorized data access or attempts to reach system resources outside the person’s job scope, followed by excuses when the access is questioned.
- Sudden drops in performance. Personnel who suddenly struggle with simple tasks may be spending their time on unauthorized activities, or facing personal issues that push them to seek financial or emotional reward through the sale of stolen data. This can include a loss of interest in job-related projects or a sudden interest in unrelated ones.
- Personal issues that create vulnerabilities. Individuals going through a divorce, blackmail, sudden financial loss or similar pressures are more susceptible to seeing insider theft as a viable solution, whether for personal gain or for sale to political actors.
Insider threats begin with people, but those people usually need to take technical steps to carry out their activities. As such, monitoring for these technical signals can help reveal an underlying insider threat.
Some of these signals include:
- Sudden changes to access credentials. A user who abruptly changes passwords across their accounts, or tries to alter the permissions attached to those credentials, may be preparing to access systems in ways they are not entitled to.
- Installation of malware. An insider with access may be able to install malware in the IT infrastructure without triggering ongoing monitoring.
- Repeated attempts to access unauthorized data. Audit logs can show users repeatedly trying to use their credentials on data or resources for which they hold no permissions.
- Unexplained remote access. Insiders may repeatedly access system resources remotely, from multiple devices, without a business reason for doing so.
How Can an Organization Manage Insider Threats?
There are a few ways in which risk management can help your organization better understand its insider threat risk. Still, it requires an honest and comprehensive look at the potentially affected systems.
Some basic approaches to implementing risk management as part of an insider threat policy include the following:
- Holistic, people-focused monitoring. Your risk policy should include processes for auditing employee activity: what they access, how they access it, and so on. Alerting should be in place to raise red flags around unusual access patterns. Beyond the technical side, understand which of your people have potential weaknesses that could be leveraged against them, and notice warning signs such as the behavioral changes and performance drops described above.
- Integrate monitoring across business functions. Insider threats can arise nearly anywhere in the organization. Security and risk assessment must extend beyond IT systems and the people with direct access to them. Your risk policy should include a way to identify issues as they arise across different business functions.
- Clearly inventory resources. Data assets, time assets, data transaction volumes and other measures of system resources can all provide insight into insider threats as they unfold. Large data transfers, unusually long sessions on sensitive information and similar markers can signify potential threats.
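The technical indicators listed earlier (credential and permission changes, repeated denied access, remote logins from many devices) and the volume markers from the resource inventory point above are the kind of thing an audit-log review can score automatically. The Python below is an added example written for this page; it is not code from the original article or from Continuum GRC. The event format, field names, sample log lines and thresholds are all assumptions constructed for illustration, not any product’s real schema or a recommended baseline.

```python
import json
from collections import defaultdict

# Thresholds are assumptions for this example; in practice they come from the
# organization's own baseline of normal activity (the resource inventory).
DENIED_ACCESS_THRESHOLD = 3                    # denied attempts per user in the window
REMOTE_DEVICE_THRESHOLD = 3                    # distinct devices used for remote logins
TRANSFER_BYTES_THRESHOLD = 500 * 1024 * 1024   # bytes moved in the window (500 MiB)
ALERT_SCORE = 2                                # indicators needed to raise an alert

# Constructed sample audit events, one JSON object per line. The field names
# are assumptions for this example, not a real product's log schema.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:58:00Z","user":"jdoe","event":"login","remote":true,"device":"laptop-a"}
{"ts":"2024-03-01T09:02:00Z","user":"jdoe","event":"access","resource":"/finance/payroll","result":"denied"}
{"ts":"2024-03-01T09:03:00Z","user":"jdoe","event":"access","resource":"/finance/payroll","result":"denied"}
{"ts":"2024-03-01T09:04:00Z","user":"jdoe","event":"access","resource":"/hr/salaries","result":"denied"}
{"ts":"2024-03-01T22:15:00Z","user":"jdoe","event":"login","remote":true,"device":"phone-b"}
{"ts":"2024-03-02T01:40:00Z","user":"jdoe","event":"login","remote":true,"device":"home-pc-c"}
{"ts":"2024-03-02T01:41:00Z","user":"jdoe","event":"password_change"}
{"ts":"2024-03-02T01:45:00Z","user":"jdoe","event":"permission_change","detail":"added to group finance-admins"}
{"ts":"2024-03-02T02:10:00Z","user":"jdoe","event":"transfer","resource":"/finance/export.zip","bytes":734003200}
{"ts":"2024-03-01T09:00:00Z","user":"asmith","event":"login","remote":false,"device":"ws-0412"}
{"ts":"2024-03-01T09:30:00Z","user":"asmith","event":"access","resource":"/eng/specs","result":"allowed"}
{"ts":"2024-03-01T10:00:00Z","user":"asmith","event":"access","resource":"/finance/payroll","result":"denied"}
{"ts":"2024-03-01T11:00:00Z","user":"asmith","event":"transfer","resource":"/eng/build.tar","bytes":52428800}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one broken line should not abort the whole review
    return events


def score_user(events):
    """Return (score, indicators) for one user's events in the review window.

    Each indicator corresponds to one of the technical warning signs discussed
    in the article; the score is simply how many of them fired.
    """
    denied = sum(1 for e in events
                 if e.get("event") == "access" and e.get("result") == "denied")
    remote_devices = {e.get("device") for e in events
                      if e.get("event") == "login" and e.get("remote")}
    kinds = {e.get("event") for e in events}
    moved = sum(e.get("bytes", 0) for e in events if e.get("event") == "transfer")

    indicators = []
    if denied >= DENIED_ACCESS_THRESHOLD:
        indicators.append(f"{denied} denied access attempts")
    if len(remote_devices) >= REMOTE_DEVICE_THRESHOLD:
        indicators.append(f"remote logins from {len(remote_devices)} devices")
    if "password_change" in kinds and "permission_change" in kinds:
        indicators.append("password change and permission change in the same window")
    if moved > TRANSFER_BYTES_THRESHOLD:
        indicators.append(f"{moved / 2**20:.0f} MiB transferred")
    return len(indicators), indicators


def review(log_text):
    """Group events by user and return {user: (score, indicators)}."""
    by_user = defaultdict(list)
    for e in parse_events(log_text):
        by_user[e.get("user", "?")].append(e)
    return {user: score_user(evs) for user, evs in by_user.items()}


def flagged_users(log_text, alert_score=ALERT_SCORE):
    """Sorted list of users whose indicator count reaches the alert threshold."""
    return sorted(user for user, (score, _) in review(log_text).items()
                  if score >= alert_score)


if __name__ == "__main__":
    for user, (score, why) in review(SAMPLE_LOG).items():
        print(f"{user}: score={score} {why}")
    print("flagged:", flagged_users(SAMPLE_LOG))
```

On the constructed log, jdoe trips all four indicators and is flagged, while asmith’s single denied access and modest transfer stay below every threshold. Requiring two or more indicators before alerting is the important design choice: any one of these signals on its own (a forgotten password, a large but legitimate export) is routine, and a single-indicator rule would bury the review team in false positives.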
Risk Management and Security with Continuum GRC
The best way to approach risk management is to incorporate it into your overall infrastructure. Risk mitigation for insider threats should be able to touch on multiple infrastructural assets to compare existing technical controls, activity audits, personnel, and performance issues against security and compliance requirements.
If you’re interested in a standards-based approach to risk with supportive visualization technologies and a bird’s-eye view of your situation, work with Continuum GRC.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.