To protect against insider threats, focus on people, process and technology
To protect against insider threats, how can people, process and technology be best set up to mitigate the risk from employee behavior?
Published January 9, 2015When it comes to protecting against the insider threat, too often overlooked (often critically) is how people and process should be set up to mitigate the risk from employee behavior. Such behavior that often causes or aides security breaches.
The notion that IT security is a combination of people, process and technology is nothing new. The triangle is typically invoked to claim there is more to consider than just a tool — it’s not just the tool (the technology), but it is the process of implementing it, and the people involved.
Despite arguments to rebalance this "golden triangle" the pragmatic view still points to the validity of this statement.
The traditional approach is to have a written security policy that new starters in the organisation get given and that sits on the company intranet. That is the basic level, yet IS Decisions research found that only 29% of IT professionals even have this in place for staff to adhere to.
However, even when security awareness training is complete, it often misses the "why." It's important for the whole team to understand the reason these policies are in place.
Even if you do have the basic written security policy, it is one thing having it there and available, but quite another getting employees to take any heed. Your employees are a huge security threat.
Any data leak from your organisation is far more likely to come from an ignorant or careless user who is easily convinced to share their password or a victim of social engineering than it is through a complex system hack.
Investments in technology and solutions are wasted if people and process are not seriously considered
The reality is that both organizations and individuals are still guilty of not doing the basics to mitigate the risk. One typical example from our research is at least one in three employees who leave an organization still have access to the network after termination. If people and processes aren’t doing the basics, you can forget about spending time and money on more complex technology.
Security has to be a balance of technology and organizational culture. Fortunately technology can be used to address culture by helping to educate users and encourage good behavior. An example of this would be reminding users of policy at opportune times, like when they are accessing the network outside of normal working hours.
Technology in isolation is not a silver bullet, but it can be used to address process and people’s behavior, knowledge and attitudes.
There is benefit to adopting a zero trust policy. Especially when your users are poorly educated and bad behavior like password sharing is common. If you set up restrictions on network access that force users to act within the limits of your security policy that should come with education on why those restrictions are in place. Once users understand not only what the restrictions are, but why, they will be more empowered to follow them of their own volition.
This type of informed employee is an important line of defence. With time an informed user can then help protect the corporate resources that are entrusted to them. An example of this would be notifications that alert the user themselves on when their own network credentials are being used.
With stolen or compromised account credentials responsible for several massive data breaches, who better than an informed employee to judge whether an access attempt is normal or part of a compromised attack?
Whether the CSO sites on the board with the CIO or not the important thing is that security is a priority from the very top of an organization down. The CIO and even the CEO should see security as part of their responsibility. We have seen recent examples such as the SEC lawsuit against SolarWinds CISO and the company, which should serve as a red flag for all C-level executives that the responsibility for security does not stop at the door of the CSO or even CIO.
A written policy for staff to adhere to, which a surprising amount or organisations won’t already have, is the first step. Explaining why you have a policy in place and be transparent about the risks it addresses will help staff understand its value and importance. But your policy must be evolving just as technology is evolving, and you need to evolve your users’ education too.
Technology can help you remind users of policy, update them on why it exists and why it may be changing.
CIOs can educate users on the security policy by working closely with other departments. HR in particular are well placed to identify potential internal threats as they are most likely to be aware of potential disgruntled employees, can keep better track of new starters and employee terminations. They are at the heart of the employee structure.
In terms of technology, CIOs have the power to effectively mitigate threats and reduce the attack surface of an Information System by setting a network on a ‘need-to-know’ and ‘need-to-use’ basis. This will ensure each user within a company only has access to pre-authorized material.
The good news is, organizations are waking up to the importance of internal security. We're all gaining a better understanding of how to stay secure online in both a personal and a work capacity.
In future, the average desk-based employee will hopefully be better educated on security. Security technology will play a big part in this but so will media, culture, and education. We will still need IT solutions to secure data and networks in enterprises, but this better user understanding should help its effectiveness.