The month of September is designated “National Insider Threat Awareness Month,” and based on the number of cybersecurity incidents that involve employees, perhaps every month should be insider threat awareness month.
Insider Risk Summit
This week at the Insider Risk Summit, industry experts shared their thoughts on how to mitigate insider risks with discussions about strategy, applications and process, procedures and perspectives. Most presentations were heavy on how to ‘peel the onion’ of insider risk, wrapping old issues in new paper and ribbons, with a lot of emphasis on monitoring one’s employees. The topic has morphed from “insider risk threat” to “insider risk management,” no doubt due to the number of times risks have been realized as threats.
In his opening keynote, Code42 CEO Joe Payne mentioned that his company’s surveys showed that the vast majority of departing employees take intellectual property with them on their way out the door. Payne noted that they weren’t shy about admitting it, either. “Most employees openly admit they take important company data with them when they quit,” he said.
Elsine van Os, CEO of Signpost Six, looked at the other side of the coin. In her presentation on departing employees, she emphasized the importance of making a real, holistic investment in employee retention, arguing that it is time and effort well spent and greatly reduces employee churn and departures.
Industry Perceptions of Insider Threats
Outside of the summit, industry experts weighed in on the issue.
The CEO of Minerva Labs, Eddy Bobritsky, said, “The number one concern for an organization of any size, regarding the topic of insider threat, should be the ‘displeased employee’ who takes actions that could lead to a serious security breach or leak.”
David Bradbury, chief security officer of Okta, noted, “If the past year has taught us anything, it’s that leaders must recognize that people are the new perimeter. They must move toward a zero-trust security model and adopt strong authentication across all services, everywhere—from on-premises to cloud to mobile—and for employees as well as customers, partners, contractors and suppliers. This means ensuring that the right users have access to only the resources they need and at the right time. A critical best practice in any industry is to leverage identity as a foundational technology across the security stack.”
Ryan Weeks, CISO at Datto, added, “External threat actors, more often than not, leverage the credentials of your employees and systems to conduct their activities post-exploit. You will see this described as ‘living off the land’, which is a simple way to say that threat actors will use the accounts, access and tools that are already resident in the network to facilitate a breach once they gain a foothold. To me, all this really means is that if you’re not already building a threat monitoring program that is capable of deterring, detecting and responding to suspicious activity under your employee accounts, then you have neither an effective insider nor external threat monitoring program. They are two sides of the same coin.”
Employees: Both the Strongest and Weakest Link
The employee is the strongest link in the chain, but may quickly become the weakest link.
Investment in training and awareness is key for all entities, big or small.
Likewise, onboarding and offboarding provide two key events where these messages should be embedded. For the new employee, it is about setting expectations: ensuring they understand what is and isn’t permitted, how to triage situations and how to report anomalous behavior or events. For the departing employee, exit interviews, review of activities, attestation of no intellectual property retention and revisiting contractual obligations, as applicable, are wise investments.
While these two events bookend the employee’s tenure, it’s also important to revisit these policies throughout that tenure, at the moment of engagement when information is mishandled, to reduce the likelihood of inadvertent compromise.
The threat posed by insiders isn’t going away any time soon. The key is to avoid having that risk turn into a realized threat.