Very much like privacy concerns, insider threats may not be the first issue to come to mind when building an enterprise cyber resilience plan. However, they should be. Here is why: because as we noted in the first piece of this series, you want to be able to bend while others break. An insider threat is uniquely positioned to make you break in ways no other threat can.
The Insider Is the Most Feared
In Taylor Caldwell’s 1965 “A Pillar of Iron,” a novel about Cicero and Rome, there is a passage stating how a nation cannot survive treason from within. Below is a play on that passage, showing how the insider can be the most feared threat to resilience.
An organization can survive its fools, and even the ambitious. But it cannot survive deceit from within. A malicious actor outside the network is less formidable, for that threat is known and the tactics, techniques and procedures can, at times, be identified. But the insider moves amongst those within the network and the organization freely, the insider’s sly actions crawling through the network, and even gaining trust of colleagues from within the organization itself. For the insider appears not as a malicious actor; the insider speaks in accents familiar to his victims, wears their face and their arguments, understands the intricacies of the organization’s operations, and appeals to the baseness that lies deep in the hearts of all within the organization …
The insider so dangerous because they know organization’s ways. They know exactly how to hurt you if they are determined enough, regardless of motivation, often driven by one or more of money, ideology, compromise or ego. Few threats have the ability to gnaw away slowly and methodically to the point where your organization comes crashing down all at once.
The Many Ways Insider Threats Can Cause Harm
Think of all the ways a malicious insider can hurt you:
- Infect the system with malware? Check.
- Steal valuable intellectual property? Check.
- Misconfigure a system or leave it vulnerable to compromise on purpose? Check.
- Social engineer colleagues? Check.
- Change results, findings and protections to give you a false sense of security? Check.
- Spread rumors, with a baked-in ‘kernel of truth’ to give off a sense of credibility, but with intent to damage the reputation of the organization? Check.
It is hard to find another single threat that can cause so much damage at one time. The insider needs time, determination, patience, reconnaissance, knowledge of inner workings and knowing when to strike. These qualities differ little from nation-state actors and their advanced persistent threats (APTs).
In essence, the successful insider is the black swan event: the low probability, high impact event. If you think it cannot happen, there are a few government agencies and large enterprises that may think otherwise.
So, how do we minimize risk from insiders? Well, it is a matter of both carrot and stick. Going too far one way can have the exact opposite intent and create an entirely new breed of insider threats you never planned for in the first place. Therefore, balance your reaction based on awareness, culture, operational needs and, of course, risk tolerance.
Turning the Insider Into a Partner
The insider threat that is lazy, clumsy and stupid is not your worry. Yes, they could cause damage along the way, but won’t do a lot of harm. For insiders like this, you will likely turn to technology and automation to detect odd behavior. And the tech will likely do a good job. All of these protective actions fall within your identity and access management, data loss prevention and your user behavior analytic strategies.
When it comes to insider threats, these solutions are actually the ‘easy’ ones. They require:
- Leadership support
- Financial support
- People support, to both deploy and maintain
- Patience, for training and configuration
- Staying up to date with current trends.
Of course, you understand why the word easy is in quotes. But with real support and some good frameworks and guidance, you can make some major progress protecting against insider threats.
The ‘hard’ solutions are much less focused on tech. Instead, they focus on culture, emotions, awareness, incentives and even discipline. Therefore, improving your cybersecurity and organizational resilience posture requires turning prospective and even active insider threats into partners. Put another way: give them a reason not to become a threat.
Empathy May Be the Key
Some employees love their job so much they’ll go through a wall to protect the company, no matter what the sacrifice. They are true believers. Others may just be there for the paycheck, know what the gig is all about, will go through the motions and, if it does not work out, they’ll move on to some other place. Perhaps not the best employee, but not exactly a threat.
Then there is everyone in between. This is the group to be concerned with, as instances and emotions can affect them in unknown ways. Someone you had for 20 years may suddenly feel slighted, and all that pent-up energy will be directed at their workplace.
The key: never make your staff feel cornered and alienated. Make them feel valued and part of something more. If you sense something is off, have the people skills to be able to reach out to them. Empathize. Remember, cybersecurity is not, and can not, be just about tech skills. Respect their privacy also. Keep in mind, an employee will not take any harmful action unless there is a reason. Try to make sure to limit or entirely get rid of those reasons.
Approaching the End of the Line
We present this series as a journey because security and resilience decisions and actions cannot be made in isolation. Our speed of light business efficiency has created a whole bunch of dependencies that we did not calculate well for. Remove those dependencies and suddenly everything comes to a screeching halt.
One last stop on our journey – a total polar opposite from insider threats – focuses on geopolitical pressures.