October was National Cyber Security Awareness Month (NCSAM), and this year’s theme was ‘Our Shared Responsibility’, reflecting the notion that cyberspace cannot be secured without the help of all users. ‘Creating a culture of cybersecurity at work’ relates closely to most organizations’ weakest link: their employees. The fact is that many, if not most, security breaches involve internal users, and this risk is known as ‘insider threat’.
In the interview that follows, two experts in the area of insider threat were asked to provide some insight into what it is and how it can be defended against. The first is François Amigorena, President & CEO at IS Decisions, a solutions provider specializing in securing internal user network access, which works with big-name organizations including Barclays, Dell and the US Department of Justice. The second is Greg Cullison, Senior Executive of Security, Suitability & Insider Threat Programs at Big Sky Associates, specialists in helping federal and commercial organizations mitigate threats. François and Greg discuss how understanding insider threats plays an important part in creating a culture of cybersecurity:
Q: How would you define insider threat?
GC: In our industry, insider threat is essentially any threat that relates to information on the network, and it could be either a malicious act or due to just plain negligence. Insider threat can follow three channels. The most common is the employee who has legitimate access to the system and data as part of their job. Then there is the outside worker who is temporarily contracted to do a job within the company. And finally, there is the ‘outside insider’ who has gained access to the network through the acquisition of passwords or a lost device such as a laptop or USB stick.
FA: People frequently only consider the malicious element of insider threat: the employee who has an axe to grind and access to the organization’s sensitive data. This is obviously a significant risk, but the more common occurrence comes from human error, such as employees sharing passwords or following bad security practice. This leaves the organization wide open to social engineering tactics, whereby an outsider could gain access not with clever hacking techniques but by tricking a user into sharing access. Culture and training are obviously key to tackling this, as well as technology.
Q: What kinds of information might be targeted?
GC: If you look at it from a data perspective, every organization has some type of data that makes it unique – this could be a customer list or a business strategy – anything that has economic value or is a financial driver. So no organization is immune from insider threat.
FA: Think about all the files and folders that are stored on your organization’s internal network – any part of this information could become a target. Putting security measures in place that will track, monitor and restrict data access and movement is therefore hugely valuable. If there aren’t any protocols in place for when a breach happens, by the time you find out about it, it could be too late to recover or even minimize the damage.
Q: How can companies protect themselves from threat?
GC: Training is as important as having the right security software in place. However, there should be a collective responsibility in protecting company information. This is where we bring in process improvement. Our strength is in process improvement projects where we look at what has been missed. By uniting processes and merging functions you can address issues more effectively. For example, with IT and HR working together, you can have a policy in place to monitor an employee who might have been flagged as having grievances or performance issues. Organizations should get all the right stakeholders in one room to really understand what they are trying to achieve in terms of security and from there create a robust insider threat program that is part of the business process.
FA: At a more granular level, you can set and enforce rules to restrict and control user logins as well as access to specific files and folders. Preventing or limiting concurrent or multiple logins is one such restriction that will reduce what’s called the ‘attack surface’ – the sum of vulnerable points open to a breach. Monitor real-time access across the network on all sessions including Wi-Fi and VPN, and record and audit who was connected, from which system, since what time and for how long. This will help flag anomalies in individual usage, which will help you see and respond to potential breaches in advance, as well as provide an audit trail to minimize damage in the event of a breach.
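As an added example (not IS Decisions’ product or code), the Python below replays constructed logon/logoff events to build the audit trail François describes (who, from which system, since when, for how long) and to flag users whose concurrent sessions exceed a limit; the log format, user names and system names are assumptions.

```python
"""Concurrent-login monitoring and session audit over constructed events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, action, user, system, channel (not real data).
SAMPLE_LOG = """\
2015-11-02T08:58:10 LOGON alice WS-101 LAN
2015-11-02T09:03:45 LOGON bob WS-117 LAN
2015-11-02T09:10:02 LOGON alice LAPTOP-07 VPN
2015-11-02T09:12:30 LOGON alice WS-210 WIFI
2015-11-02T09:40:00 LOGOFF alice WS-210 WIFI
2015-11-02T12:15:00 LOGOFF alice LAPTOP-07 VPN
2015-11-02T17:02:00 LOGOFF alice WS-101 LAN
2015-11-02T17:30:00 LOGOFF bob WS-117 LAN
"""


def parse_events(text):
    """Parse whitespace-separated event lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, user, system, channel = line.split()
        events.append((datetime.fromisoformat(ts), action, user, system, channel))
    return sorted(events)


def audit_sessions(events, max_concurrent=1):
    """Replay events in time order.

    Returns (trail, alerts): trail is one record per closed session with the
    audit fields; alerts lists every logon that pushed a user above the
    allowed number of simultaneous sessions (the 'attack surface' reduction
    the text describes, here as detection rather than enforcement).
    """
    open_sessions = defaultdict(dict)  # user -> {system: (start, channel)}
    trail, alerts = [], []
    for ts, action, user, system, channel in events:
        if action == "LOGON":
            open_sessions[user][system] = (ts, channel)
            if len(open_sessions[user]) > max_concurrent:
                alerts.append((user, ts, sorted(open_sessions[user])))
        elif action == "LOGOFF" and system in open_sessions[user]:
            start, ch = open_sessions[user].pop(system)
            minutes = int((ts - start).total_seconds() // 60)
            trail.append({"user": user, "system": system, "channel": ch,
                          "since": start.isoformat(), "minutes": minutes})
        # A LOGOFF with no matching LOGON is itself worth logging; ignored here.
    return trail, alerts
```

With the sample data and a limit of one session per user, both of alice’s extra logons are flagged while bob’s single session is not.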
Q: What role does training play?
GC: Training is a staple in every organization. But often after employees go through security training, they sign a form and the task is done. This is not enough – companies should follow up on training, because here is where the danger lies if there are no reminders. Organizations have to understand what they need to achieve and then set policies in place to meet these objectives. Repeated training can be quite boring, and attendance is in no way a measurement of effectiveness. So training needs to be part of the overall process improvement, and we recommend exercises with employees where someone poses as an insider and does activities to really test out your system.
FA: Training and software solutions are both important, but in order to create a culture of cybersecurity, they must work together and not be treated as separate tools. Most insider threat breaches are down to plain human error, but you don’t want your staff to think that the software solutions are there as part of a witch-hunt. It is important to educate them on why the tools are there, how they work and how employees can proactively be a part of the process that helps safeguard company information. On the other hand, technology can help with the training process by giving users reminders of policy ‘in situ’, for instance if they are trying to log in from a new device. It can also provide a more engaging way to educate employees: IS Decisions’ ‘The Weakest Link’ is a fun, free online game we created for users to play, testing their security awareness.
Q: Many industries work under regulations with regard to internal security. How do you think organizations in these industries view compliance?
GC: In the US, there is a lot of regulation, and in industries that have personal and public involvement, like healthcare, it is taken very seriously. New malware is being written every day, and from a legal perspective, organizations can often say that they were compliant in line with government regulations, but that does not necessarily stop a breach. Media coverage of breaches also gets organizations to take notice of compliance, because if there is a breach, they don’t want the same thing to happen to them. Talking to organizations about compliance and risk in terms of revenue losses helps them relate to it better. So most organizations meet regulation needs, but they should do more than that – they should make risk management part of the whole-company strategy. Everyone should know what to do in the event of a breach.
FA: Most regulated organizations view compliance seriously and take all the necessary steps to meet the industry-set criteria. However, when you see a case like the one earlier this year when hackers infected a Chinese restaurant's online menu with malware to target employees of an oil company, it shows that a threat can come from anywhere. You then start to think about combining different risk procedures that will help protect your employees and your company information more effectively. As technology continues to evolve, threats will evolve alongside it. Organizations need to realize that there is no longer a ‘one-size-fits-all’ solution – even for regulated industries. Creating a culture of cybersecurity within and for your employees is paramount in helping to safeguard your company against insider threats.