Understand Your Staff: How Insiders Shape Defenses

Enterprises and their staff dealt with a lot of change in 2020. The pandemic and resulting lockdowns forced organizations to allow staff to work from home. This vastly increased mobility, cloud computing and social networking usage; in some cases, this transition occurred before companies and staff were fully prepared.

Work from home (WFH) moved insiders outside of a somewhat managed and monitored environment. In a world where users are on the front lines of security, it has become increasingly difficult to protect organizational assets. Remote employees need to handle changes in devices, applications and network connectivity. They might not be comfortable with the technology. They are increasingly responsible for security and functionality. In this environment, securing the organization is difficult enough, but it is even more difficult when considering distributed employee activity.

The Problem or the Solution?

Security professionals address both old and new threats with layers of security technologies. The reliance on technology removes people from the equation. A technology defense-in-depth strategy can be relatively successful within a defined network. But in a WFH environment, a strong defense-in-depth program requires the inclusion of people and process, in addition to technology.

Historically, users are considered a top security challenge. Attackers know the easiest way to enter a network is to be invited in. They target insiders using phishing, drive-by malware and social engineering. According to the 2020 Verizon Data Breach Incident Report, over 30% of breaches involved insiders. In addition to being directly attacked, employees are prone to making mistakes that bend or violate security policies.

On the positive side, insiders can be a strong line of defense. The people who work within the organization and its systems daily can more easily identify abnormalities. When educated properly, users can help identify malicious programs and threats.

Types of Insiders

Increased connectivity coupled with reduced network perimeter defenses makes it more difficult to protect organizational assets. To make it work, people need to be a defensive asset. However, people are not all the same. They vary in education, motivation, skills, work function and technology capability. These differences, as they relate to how employees respond within the IT environment, can be segmented into four categories. Identifying where individuals, and ultimately the entire user base, fit into these insider categories allows the organization to focus on those who might be a higher security risk.

  • Citizen: These employees pay attention to abuse policies and regulatory compliance requirements. They attempt to follow the rules, even if they are not fully aware of IT security safety measures. At times, they can be too trusting; therefore, they can be more susceptible to social engineering attempts and phishing emails. They are also often open to security training, and will perform well when given strong guidance and tools. They are willing to adhere to least-privilege policies. Citizens generate few help desk calls. Finally, they are generally not curious about how the technology works. Technology is simply a tool they use to accomplish their work.
  • Nonconformist: These noise makers within an organization are generally impulsive. The nonconformist likes to push the envelope. They are likely to test the boundaries to see how far they can go. They have no intent to do the company or themselves any harm, but can inadvertently violate security guidance. Sascha Fahrbach, cybersecurity evangelist at Fudo Security, believes nonconformists bypass protocols or security policies not with malicious intent, but to complete their tasks faster. Expect nonconformists to be comfortable using social media and mobile computing, but note they also will turn to the corporate help desk for assistance when needed.
  • Rascal: Rascals have strong computer skills. They believe they are smarter than the IT staff. To them, security “…rules are for thee, not for me.” They will jailbreak their mobile devices, use unapproved, cloud-based services or modify applications. For the rascal, information and resources should be freely available. Their actions can result in inadvertent privacy violations. In many cases, rascals can be identified by their actions. Their high productivity and generally positive results means their activities will be tolerated, within certain limits.
  • Rogue: Organizations that have a rogue are generally in trouble. These people, who have expertise in computing and networking, are not interested in improving technology to make work better. Instead, they use technology to enrich themselves. They will steal resources, potentially take information and data, and cover their tracks. According to Fahrbach, “A rogue willfully perpetrates inappropriate actions, to the detriment of the organization.”

Make Insiders a Positive Security Asset

IT personnel have limited control over IT resources due to cloud computing, mobility and WFH. This distributed ecosystem means users must be relied on to carry more of the security weight. There is a growing realization that people and policies must become equal partners in the security equation. It is no longer possible to rely solely on technologies – designed to take people out of the equation – by prohibiting activity. Companies must cultivate human assets as a positive IT security resource. The first step is to understand the types of insiders within the network. The second step is to create a culture of safety and security.

Charles Kolodgy

“Charles J. Kolodgy is a security strategist, visionary, forecaster, historian, educator, and advisor who has been involved in the cyber security field for over 25 years. He is an Analyst with Accelerated Strategies Group and Principal at Security Mindsets. His views and understanding of information and computer security were shaped during his years at the National Security Agency. During that time he held a variety of analyst and managerial positions within both the information assurance and operations directorates. Following NSA he was a Research Vice President covering security markets for IDC and then a Senior Security Strategist for IBM Security. Over the years he has identified market trends and authored numerous documents to explain market realities and has been a speaker at many security conferences and events, including the RSA Conference, CIO Conference, CEIG, and IANS. He has been widely quoted in the media. He is best known for naming and defining the Unified Threat Management (UTM) market which continues to be one of the strongest cyber security markets with vendor revenue of $3 billion per year. He has been a leading analyst on software security, encryption, and the human element. Charles holds a B.A. in Political Science from the University of Massachusetts at Lowell and an M.A. in National Security Studies from Georgetown University.”