Insider risk is one of the most insidious and pervasive cyber risks facing organizations—it is also one of the most underestimated. Unlike the cyber attacks that hit the news on a daily basis, companies keep episodes of insider-caused and -facilitated loss quiet, unpublicized, and unshared. As a result, organizations aren’t aware how widespread this problem really is, and they continue to underinvest in proactive insider risk management.
At Stroz Friedberg, we see the volume of these insider incidents, and we expected them. We predicted the rise of the “insider” in 2016, and since then we have seen organizations severely impacted by employees, independent contractors, and others who have been given access to confidential company information by the company itself. These insider-caused losses can be maliciously driven by someone who has become disgruntled, or can stem from carelessness, ignorance, or negligence. One common occurrence is the loss of technological intellectual property by employees with a “proprietary state of mind,” meaning someone who thinks that because they built or worked on something, they own it and have the right to keep a copy of it as their own. In 2018, we expect companies will continue to be plagued by insider threats, and major attacks will continue to fly under the radar. We believe this assault will continue until companies step up and act proactively.
Addressing insider risk proactively requires a two-pronged approach, one governance-oriented and one technical.
A Caring and Eyes-Wide-Open Workplace
Organizations need to put more care in their hiring, training, performance reviews, and exit interviews to discourage disgruntlement and identify those who may be at risk for executing an insider attack.
When hiring someone, the prospective manager and human resources representative should spend enough time with the person to gain an understanding of the individual, and not just measure their competence. Having some degree of understanding of an employee’s motives, how they think, and their professional goals helps form a broader appreciation of the person and can produce insights as to whether this person is at risk of becoming disgruntled, susceptible to impulsive and self-benefitting behavior, and careless enough to unintentionally compromise the company’s private information.
Caring also generates an organic insider risk reduction and detection mechanism. Thoughtful performance reviews, a genuinely welcoming and hospitable human resources department, and finally sensitive and inquisitive exit interviews all contribute toward an environment in which people are more likely to feel valued, reciprocate with loyalty, and are aware enough of each other to identify if someone could be an inside risk.
Reducing the Risk of Insider Threats through Technology
Technology complements, but does not replace, these soft-skill solutions by providing vision into activities that even the most caring and vigilant people might miss.
Stroz Friedberg’s software, SCOUT™, detects insider threats using the psychology of language. SCOUT™ uses psycholinguistic algorithms and an ontology to detect and measure shifts toward disgruntlement in employee behavior through the analysis of their word choice and how it changes over time. By identifying potential risks early, so that people can follow up and intervene, the technology functions as a preventive measure, helping a trained professional learn the most effective way of responding to a situation and approaching the individual. If an adverse action by an employee can be defused and avoided, not only is the organization better off, but the employee may be diverted from taking an action that they later come to deeply regret.
Another proactive measure is tightly controlling access to sensitive data on the network, and even going so far as to not allow people to access data that is not integral to the performance of their jobs. What people cannot reach, they cannot steal. Dual control, where two people are required to access high-value data, adds human checks and balances to access management.
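As an added illustration of the least-privilege and dual-control point above (this is example code, not Stroz Friedberg's software; the dataset names, roles and user names are constructed), a request to open high-value data is granted only when the requester's role is entitled to it and two distinct people, neither of them the requester, have approved:

```python
# Added example (not Stroz Friedberg's code): a dual-control gate for high-value data.
# Grant only if (1) the requester's role is entitled to the dataset (least privilege)
# and (2) two distinct approvers, neither the requester, have signed off. Names are constructed.
from dataclasses import dataclass, field

# Constructed entitlement map: which roles may touch which datasets at all.
ENTITLEMENTS = {
    "crown-jewel-source": {"principal-engineer"},
    "customer-pii": {"privacy-analyst", "principal-engineer"},
}
APPROVALS_REQUIRED = 2  # dual control: two humans per access
@dataclass
class AccessRequest:
    requester: str
    role: str
    dataset: str
    approvals: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def approve(self, approver: str) -> bool:
        """Record one approval; refuse self-approval and duplicate approvers."""
        if approver == self.requester:
            self.audit.append(f"REJECT self-approval by {approver}")
            return False
        if approver in self.approvals:
            self.audit.append(f"IGNORE duplicate approval by {approver}")
            return False
        self.approvals.add(approver)
        self.audit.append(f"APPROVE by {approver} ({len(self.approvals)}/{APPROVALS_REQUIRED})")
        return True

    def is_granted(self) -> bool:
        """Least privilege is checked first, then dual control; every decision is audited."""
        if self.role not in ENTITLEMENTS.get(self.dataset, set()):
            self.audit.append(f"DENY role {self.role} not entitled to {self.dataset}")
            return False
        granted = len(self.approvals) >= APPROVALS_REQUIRED
        self.audit.append("GRANT" if granted else "DENY insufficient approvals")
        return granted

def demo() -> tuple:
    """Walk one request through: denied at first, self-approval rejected, then two peers approve."""
    req = AccessRequest("alice", "principal-engineer", "crown-jewel-source")
    first = req.is_granted()            # False: no approvals yet
    req.approve("alice")                # rejected: requester cannot approve herself
    req.approve("bob")
    req.approve("bob")                  # ignored: the same approver twice is not dual control
    req.approve("carol")
    return first, req.is_granted(), len(req.audit)
```

The audit list is the artifact a security team reviews afterwards; an access that never collected two independent approvals is visible as a DENY line rather than a silent failure.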
Then, on the reactive side of the coin, data loss prevention (DLP) technologies track the movement of data and alert members of a human security team if information has been copied or misused. DLP tools are valuable for identifying a problem, but to look at data movement is to look at bullet holes when people are shooting at you. By the time the DLP tool sends out an alert, the person may already have transferred the files.
In conclusion, it takes time, heart, and technology to proactively protect an organization from insider risk. These risk reduction techniques will not change. What needs to change is organizations’ willingness to invest in them, in an environment in which insider-caused and -facilitated losses are under-reported. Without this investment, another thing won’t change: the continued plague on companies by the actions of their own people.
For more information on the conditions driving this trend and other cybersecurity forecasts, please see Aon’s 2018 Cybersecurity Predictions.