Organisations used to define ‘security’ as facility gates and guards to protect employees and premises from intruders.
However, in the digital age, they now have to think in terms of threats that are unseen, global and even internal.
In fact, according to IBM’s 2015 Cyber Security Intelligence Index, 55% of all attacks come from insiders, and result from a combination of malicious efforts and inadvertent actors.
Organisations must adapt their security models to properly counter those threats; otherwise, they risk becoming part of history as an object lesson for future organisations that want to avoid the mistakes of their predecessors.
However, many are at a loss as to how to best create, develop and implement a counter insider threat programme.
The first step is understanding that people using technology are the central issue, not the technology itself. Organisations that look at insiders as primarily a technology problem are building their defences on a flawed foundation.
Underlying every step of the process are the three A’s – advocacy, authority and agility – which truly set apart successful efforts from various kinds of failure.
A programme developed without fully accounting for the three A’s stands at risk of being ineffective and unresponsive to the threats it is meant to protect against.
Turn senior staff into Advocates
Lack of advocacy severely hampers the efforts of the professionals who work to protect valuable information assets from theft and misuse.
Often, when it comes to preparing for insider threats, senior staff do not take the time to listen to what IT professionals are trying to tell them.
They don’t understand the importance of countering the threats so their interpretations of what is actually happening are wildly unrealistic. Perhaps they feel the reality of the problems they face might dampen their careers or advancement potential and the only option is to discount the significance of the threat.
The first thing you can do is get managers to wake up to the current threat environment. The threats are real.
Without management and executive advocacy, the organisation is destined to be exploited. It’s just a question of when.
Advocacy means more than merely giving a nod or politely holding meetings with the team. It means openly stating a position of support to the entire agency and staff while giving the team the resources and time necessary to fulfil their work.
Get authority to Act
One of the most difficult hurdles to overcome when developing a plan is convincing senior leaders to give the head of the insider threat programme proper authority to execute it.
For a variety of different reasons, leaders often withhold authority, wanting to keep the final say on actions to themselves.
The result, however, is that when a threat demands an immediate reaction, untimely or unnecessarily delayed responses create confusion and failure.
Time wasted, in the case of insider threats, results in more data lost or damaged.
The major problem is that, without authority, the response to any threat will not be agile or strong enough to stop or prevent the incident or event.
By withholding authority, senior leaders also often fall into the trap of attempting to manage matters that are beyond their ability or capacity to handle.
Waiting for a senior official to return from leave or hearing they are ‘too busy’ to chat about something incredibly timely and important inhibits every effort to combat insider threats.
When establishing an insider threat program, lack of authority will leave the organisation neutered in countering threats, setting it up for failure and leaving it open to successful attacks.
You must be prepared to react with agility at the first sign that your plans are no longer working effectively.
The first step in planning for any contingency is defining the threat and the target.
That being said, too many organisations fail to realise that they are the only ones who care about definitions.
Attackers don’t care one bit what they are called. If programmes fail to react to a situation because their definitions are in the way, they will inevitably fail to successfully respond to threats to systems and information. Additionally, creating a rigid bureaucracy to support plans is the same thing as purchasing a tool without a defined plan or objective.
Tools provide information, but they do so without context. Bureaucracy creates a framework that can very easily become bloated and an obstruction where agility and speed are necessary.
A good example is what happened to the U.S. Office of Personnel Management (OPM).
OPM said it experienced a ‘cyber intrusion’; others called it a breach, while others called it a hack.
What is significant is that the culprits were inside OPM’s network for at least a year.
Since the attackers were on the inside for so long, was this also an insider threat? The short answer is “It doesn’t matter.” The culprits don’t care what it’s called, because they got what they wanted.
As protectors of their organisations’ information, counter insider threat teams must be ready and empowered to cross any boundary, process, function or internal organisation without hesitation or blockage. You must be as agile as the foe, or you will not survive.
It’s all about people
Insider threats are a people problem, not merely a technology problem. Similarly, building and implementing an effective counter insider threat programme is also about people.
To give countering insider threats the proper attention, you must elevate these out of the IT department and get the C-suite and the boardroom involved.
Attacks are going to happen – to counter them, everyone must work together with no ulterior motives, without being held back by bureaucracy or bottlenecks.
Countering threats to information is a challenge organisations simply can’t afford to lose.
It’s a challenge that can be answered by dynamic and strategic thinking. Just because it’s difficult does not mean that it’s impossible.
Sourced by Keith Lowry, senior vice president and part of Business Threat Intelligence and Analysis team at Nuix USG