You are put at risk by various types of problematic insiders – many of whom are not intending harm. Some are disgruntled employees acting out; some are "second streamers" looking for additional income; some are departing staff; some are poaching intellectual property; and some are simply negligent or exercise poor judgment.
There are various reasons that the insider threat is not addressed as readily as the outsider threat. However, research has shown that the insider is of increasing concern.
Three security incidents per week
A study released in 2018 revealed the insider was the cause of 58% of healthcare breaches. The study did note the outsider threat was still the largest issue across all sectors. Of the organizations assessed, 27% of attacks were from insiders, versus 72% from outsiders.
My point is that the insider is becoming the top point of focus for the near future for security teams. That argument is driven home by a recently released poll showing how critical this particular issue is becoming to leadership. Two hundred security executives at organizations with 1000+ employees were surveyed by Vanson Bourne on behalf of post-hire screening firm Endera. Nearly half of those polled (44%) indicated they did not know about internal issues until they were revealed by incidents. What's more, the majority (55%) said their organizations were having difficulty bringing down the number of attacks. The truly troubling number is this, though: on average, per company, there are three attacks every week.
Past challenges mean continuing threat
To date, insider threats have not been properly addressed – partly for the simple fact that they are internal. It's awkward. It involves self-reflection, self-analysis, and self-criticism, even if it's constructive.
Common ways the insider threat is approached incorrectly include the following. The ideas come mostly from defense, another industry deeply concerned with protecting information:
Failure to recognize it starts with hiring - We have all been aware for some time that it is not easy to find skilled cybersecurity pros to hire. The core strengths you need are not cookie-cutter: some will be more curious, some more skilled at communication, and some better at finding solutions to pressing challenges. Respecting the individual needs of cybersecurity employees, and the different ways they tick, will help you develop security-friendly hiring policies for your entire workforce.
Not investing enough in training - Understanding the complexity of hiring helps set you in the right direction of acknowledging the threat posed by each individual. It is also critical to have a training process that addresses the threat throughout your system.
Training sounds boring, but it doesn’t have to be – especially when you reconsider the way you train in light of Howard Gardner's theory of multiple intelligences. The intelligences are logical-mathematical, linguistic, interpersonal, intrapersonal, musical, bodily-kinesthetic, and visual-spatial.
It may sound "soft," but by recognizing the various ways people learn, you can incorporate broader strategies. The sound you use, the motion you use, and the visuals can all be diversified and updated to engage everyone.
Focusing strictly on monitoring data - Along with data, you also need to think in terms of user behavior. Focusing on data gives you information about authorized access to certain actions. When you focus on users, you can note when a certain user enters an area that is off-limits to them or otherwise behaves in a manner beyond acceptable-use policies.
Failure to consider the insider threat within a partner - Beyond the above concerns, due diligence in choosing partners is also important with respect to the insider threat. Although those organizations are external, they should have sufficient policies in place to address this key source of risk. The insider threat should be addressed in a systematic manner, with policies applied both internally and to your assessments of outside services.
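To illustrate the "Focusing strictly on monitoring data" item above, here is an added example (not from the original article) that reads the same access events two ways: grouped by data area, and grouped by user. The events, role names, permitted areas and export limit are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events (not from the article): user, role, area, action, rows touched.
EVENTS = [
    ("alice", "billing", "billing-db", "read", 40),
    ("alice", "billing", "billing-db", "export", 12000),
    ("bob", "helpdesk", "tickets", "read", 15),
    ("bob", "helpdesk", "hr-records", "read", 3),
    ("carol", "hr", "hr-records", "read", 20),
    ("carol", "hr", "hr-records", "export", 150),
]

# Hypothetical policy: areas each role may enter, and an acceptable-use cap on exports.
ROLE_AREAS = {"billing": {"billing-db"}, "helpdesk": {"tickets"}, "hr": {"hr-records"}}
EXPORT_ROW_LIMIT = 1000


def data_view(events):
    """Data-centric view: how often each area was touched, regardless of who did it."""
    return Counter(area for _, _, area, _, _ in events)


def user_view(events):
    """User-centric view: per-user findings for off-limits areas and acceptable-use breaches."""
    findings = defaultdict(list)
    for user, role, area, action, rows in events:
        # A role missing from the policy has no permitted areas, so every access is flagged.
        if area not in ROLE_AREAS.get(role, set()):
            findings[user].append(f"off-limits area: {area}")
        elif action == "export" and rows > EXPORT_ROW_LIMIT:
            findings[user].append(f"export of {rows} rows exceeds limit in {area}")
    return dict(findings)


if __name__ == "__main__":
    print("by area:", dict(data_view(EVENTS)))
    for user, items in user_view(EVENTS).items():
        print(user, "->", items)
```

The per-area counts show nothing unusual, while the per-user pass surfaces both the helpdesk account reading HR records and the billing account whose access was permitted but whose export volume was not.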
Looking for the enemy within
If you have followed the advice to keep your friends close and your enemies closer, then you may have a problem: while some insiders are malicious, others are not. Even among malicious insiders, there will be different characteristics and different specific motives that direct their behavior.
Properly addressing the threat from the insider who walks your halls every day involves treating that individual with the same focus and clinical care with which you treat the threat of an external saboteur.