To Determine Insider Threat Risk, Chart It Out

Insider threats are a big problem, but you probably know that. The more people you have with access to your network and data, the bigger your attack surface becomes. While the negligent insider is the cause of most cyber incidents (about 64%, according to Ponemon Institute), malicious insiders are a major threat to company security. And that risk is growing, especially from credential theft incidents.

Insider threats are a big problem in part because they are so difficult to detect and prevent. Your security system is set up for outside actors trying to break in, but insiders are already in and they already have credentials to access all types of data and assets. So maybe it is time to look at the cause behind insider threats a little differently, which is what Nick Cavalancia, Microsoft MVP & chief tech evangelist, did in his talk at SpiceWorld 2019.

Insider Behavior Is About Intent

Malicious insider behavior is all about intent, said Cavalancia. There is a reason why someone has decided to create risk for the company. Sometimes it is because an employee has perceived a wrong and is angry at the organization, so they are out for revenge. Often, though, it is a shift in the insider’s life circumstances that leads them to stray outside their normal behavior. No matter what the intent behind the malicious behavior, it is difficult to catch because nothing looks out of the ordinary for a long time; the employee appears to be doing their job. That’s why it is important for security and leadership to take a proactive approach to recognizing and addressing the malicious insider.

Risk Is Always Shifting

That won’t be easy, because the risk is always shifting: our lives don’t remain constant. Employees will suffer financial hardship, personal and emotional situations, shifts in loyalty in the workplace or will be affected by office gossip and rumors. Technology isn’t going to help discover risk before an insider event takes place, so Cavalancia recommended following the Fraud Triangle to help identify risk factors:

  • Motivation. For example, someone in the employee’s family was diagnosed with cancer, or the employee was passed over for a job promotion.
  • Opportunity. The employee has work-related access to databases or financial records that can be manipulated or searched without anyone knowing.
  • Rationalization. They find excuses for their behavior: they deserved the promotion or the raise.

This isn’t to say that every employee going through a change in circumstance is going to become a malicious insider, but you never know when circumstances will push a person to the brink of doing something outside of their character. It’s why Cavalancia stressed risk from insiders is always shifting.

Create a Risk Assessment Chart

How do you recognize potential insider risk? Cavalancia provided a risk assessment chart that will define the risk level of any employee. The assessment should include these steps:

  • Assign a risk level based on position/role in the company, the department they work in and what they have access to.
  • Conduct a risk evaluation survey. This will include both objective and subjective questions. Objective questions would include information about job-related network access, the type of supervision they have around this access or the amount of time spent working remotely. Subjective questions are to learn their understanding of risk, such as if they know competitors who would want company data, how device theft would affect the organization or whether they know the amount of harm they’d cause if they sold or shared data.

Based on the responses and risk level, each employee is given a risk assessment score to determine their overall risk. The scores won’t be absolute, but they will provide a guideline to help understand how much of a threat the insider could be. Once the score is determined, you can then set up technology to monitor the user’s potential shift in behavior. Low-risk users could be observed via a SIEM solution or behavior analytics, while a high-risk user would require real-time monitoring.

No one expects their employees to cause harm to the company, but dire and unwelcome circumstances change people. Insider risk levels will always be fluid. Understanding which insiders are most likely to be a threat in adverse situations will help organizations take proactive steps to prevent being victimized by a malicious insider attack.

Sue Poremba


Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
