The following is part of a series of instalments providing concise summaries of selected chapters from the New York Stock Exchange’s definitive cybersecurity guide, Navigating the Digital Age.
This blog post summarizes Chapter 31: A new look at an old threat in cyberspace: The insider by Thomas Fuhrman, President of Delta Risk LLC. Please refer to the original article for any direct quotations.
Whether they realize it or not, people are a major corporate information security risk: they design, build, configure, manage, maintain, and use computers, creating vulnerabilities at every point.
The insider threat is not confined to unwitting users, either. There is also the ‘enemy within’. Edward Snowden’s disclosures have brought this threat home to business executives: if it can happen to the NSA, it can happen to anyone.
What’s new with the insider threat?
In the post-Snowden era, the potential impact of insiders has become more tangible to organizations of every kind, but recent developments have invested more power – and risk – in insiders, making the challenge more difficult than ever. Consider the following:
- The amount of business and personal data that is online.
- The migration of that data beyond enterprise security perimeters through the use of Cloud-based services, outsourcing, Internet-enabled supply chain operations, and mobile devices in the BYOD (bring your own device) environment.
- The increased marketability of stolen data among criminals.
Anyone who has authorized access to information, business systems, email, or other information resources is an insider – including former employees, contractors, business partners, vendors, and suppliers such as Cloud service providers and business application hosting services. Non-employee insiders’ access privileges are hard to manage and easy to exploit. (The Home Depot data breach in 2014, for example, came about through the exploitation of a vendor’s legitimate access credentials.)
The insider threat is usually thought of as having two types: the malicious insider and the unwitting insider.
- The malicious insider or rogue employee represents a small percentage of the workforce (10% of employees account for 95% of incidents, according to Spectorsoft) and uses their legitimate access to deliberately harm the organization. The malicious insider threat is not limited to information systems – other possible methods of attack include physical theft, destruction, violence, coercion, and extortion.
- The unwitting insider, who unknowingly makes security blunders that expose the enterprise to risks, can be almost anyone – including senior executives. Today’s culture of melding the personal and the professional means many people bring personal Internet habits into the workplace, creating serious enterprise security risks as they do so. The unwitting insider is one of the most dangerous weak points in the entire enterprise.
Unwitting insiders’ most common security weakness is a susceptibility to phishing and other social engineering attacks that are used to obtain information. (According to Verizon’s 2015 Data Breach Investigations Report, more than 75% of malware installations were the result of unwitting users clicking on attachments or web links contained in phishing emails.) This highlights a third type of insider:
- The outsider posing as an insider. Such actors seek to exploit insiders by appropriating their legitimate credentials to access the network unnoticed. The unwitting insider is a soft point of entry for such attacks, whether through phishing or other forms of social engineering.
The dimensions of the insider threat
Owing to a lack of detection and discovery, and a reluctance to share information about events, the insider threat is hard to quantify. Nevertheless, recent analysis is consistent:
- There has been an increase in insider threat events in recent years.
- Most organizations have inadequate controls to prevent insider attacks.
- Insider attacks are more difficult to detect than external attacks.
- Non-employee insiders are a major risk, but most contracts and SLAs with external vendors, suppliers, and business partners do not include suitable security provisions.
- Insider policy violations and inappropriate activity are often discovered only when user devices are examined after individuals have left the organization.
- Most incidents are handled internally with no legal or law enforcement action.
What to do
To combat the insider threat, businesses need to establish a comprehensive approach, including:
- Establishing a threat-aware culture of institutional integrity and personal reliability. Provide regular staff awareness training, produce an Acceptable Use Policy governing IT resources, and create a safe environment in which security incidents can be reported without judgment.
- Building a multi-disciplinary program to deter, prevent, detect, and respond to insider threats and to limit their impact.
- Building and operating security controls, including access controls; data protection; configuration management; vulnerability and patch management; and internal network segmentation.
- Monitoring for and detecting insider behavior, capturing the observable indicators of potential activity before insiders act, so that attacks can be prevented rather than merely investigated afterwards.
- Developing and regularly testing an action plan for reacting to actual or suspected insider misbehavior.
- Evolving the approach as conditions change.
- Using the many available shared resources to avoid ‘going it alone’. Best practices can be implemented based on other organizations’ experience.
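Two of the points above (non-employee access that is hard to manage, and monitoring for observable indicators before insiders act) can be turned into a routine check. The following is an added example, not code from the chapter, from Delta Risk or from the NYSE guide: it reconciles a constructed roster of employees, contractors and vendor accounts (with their termination or contract-end dates) against constructed authentication log lines, and flags logins by accounts whose authorization has lapsed, accounts missing from the roster altogether, and unusually large transfers. The roster, the log format, the account names and the bulk-transfer threshold are all assumptions made for the illustration.

```python
"""Reconcile account activity against HR and procurement records.

Added example for illustration; every name, date, threshold and log line
below is constructed and does not describe any real organization.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    user: str
    kind: str                    # "employee", "contractor" or "vendor"
    access_ends: Optional[date]  # termination / contract end; None = still authorized


# Constructed roster: what HR and procurement say about each account.
ROSTER = {
    "alice":   Principal("alice",   "employee",   None),
    "bob":     Principal("bob",     "employee",   date(2015, 5, 31)),   # left the company
    "hvac-co": Principal("hvac-co", "vendor",     date(2015, 6, 15)),   # contract expired
    "carol":   Principal("carol",   "contractor", date(2015, 12, 31)),  # still under contract
}

# Constructed authentication log: "<ISO timestamp> <user> <action> <bytes>" per line.
SAMPLE_LOG = """\
2015-06-20T09:12:04 alice login 0
2015-06-20T22:47:31 bob login 0
2015-06-20T22:49:10 bob download 734003200
2015-06-21T03:05:55 hvac-co login 0
2015-06-21T10:30:00 carol login 0
2015-06-21T10:41:12 carol download 5242880
2015-06-21T11:02:27 unknown-svc login 0
"""

# Assumed threshold for an unusually large single transfer (100 MiB).
BULK_BYTES = 100 * 1024 * 1024


def parse_log(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Parse the constructed log format into (timestamp, user, action, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, size = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(size)))
    return events


def review_access(events, roster) -> List[Tuple[str, str]]:
    """Return unique (user, reason) findings in order of first occurrence.

    A finding is raised when an account is unknown to the roster, when it is
    used after its recorded access end date, or when it moves a bulk volume.
    """
    findings: List[Tuple[str, str]] = []
    seen = set()

    def note(user: str, reason: str) -> None:
        if (user, reason) not in seen:
            seen.add((user, reason))
            findings.append((user, reason))

    for ts, user, action, size in events:
        principal = roster.get(user)
        if principal is None:
            note(user, "account not in roster")
            continue
        if principal.access_ends is not None and ts.date() > principal.access_ends:
            note(user, f"{principal.kind} access ended {principal.access_ends.isoformat()}")
        if action == "download" and size >= BULK_BYTES:
            note(user, f"bulk transfer of {size} bytes")
    return findings


def stale_accounts(roster, as_of: date) -> List[str]:
    """Accounts still present whose authorization ended before `as_of` (should be disabled)."""
    return sorted(
        p.user for p in roster.values()
        if p.access_ends is not None and p.access_ends < as_of
    )


if __name__ == "__main__":
    for user, reason in review_access(parse_log(SAMPLE_LOG), ROSTER):
        print(f"{user:12} {reason}")
    print("stale accounts to disable:", stale_accounts(ROSTER, date(2015, 6, 21)))
```

The two checks are deliberately separate: `stale_accounts` is the periodic access review that would have caught the departed employee and the expired vendor contract before either account was used, while `review_access` is the monitoring side that turns a login or transfer by such an account into an indicator worth acting on immediately rather than discovering it months later during a device examination.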
Mitigating the insider threat with best-practice information security management
The international standard ISO 27001 sets out a best-practice approach to enterprise information security that can be adopted by all organizations. Encompassing people, processes, and technology, an ISO 27001-compliant information security management system (ISMS) is tailored to the outcomes of regular risk assessments so that organizations can mitigate the information security risks they actually face – including the insider threat – in the most cost-effective and efficient way.
Certification to the Standard demonstrates to investors, stakeholders, customers and staff that information security best practice is being followed.