Samuel Greengard, contributing writer for CIO Insight, October 15, 2014
Insider threats aren’t going away anytime soon. Unfortunately, most businesses say they lack the ability to detect or deter them, nor are they adequately prepared for how to respond.
Over the last few years, especially in the wake of former contractor Edward Snowden’s disclosures about the National Security Agency, cybersecurity has emerged as a huge concern for CIOs and other senior-level executives. But behind the headlines about outsiders engaging in hacks and attacks, there’s the sobering reality that many incidents center on employees and other insiders who unintentionally engage in negligent or risky behavior or intentionally set out to perpetrate financial fraud, intellectual property theft or damage systems.
It’s not a small problem. “The biggest threats, both intentionally and inadvertently, are related to the spreading of information, says Ryan LaSalle, managing director at Accenture. “Intentionally, this can mean siphoning customer details, intellectual property or insider trading. Most inadvertent threats are related to accidental leaks of project or proprietary information.”
Jonathan Gossels, president of security consulting firm Systems Experts Corporation, describes insider threats as “a problem that evolves and changes, but never goes away.” In fact, according to a recent survey of 355 security professionals conducted by mobile software firm Spectorsoft, 61 percent of respondents believe that their firm lacks the ability to deter an insider threat. Meanwhile, 59 percent admitted they do not have the ability to detect an insider threat, and 75 percent stated that they cannot detail the human behavioral activities that comprise an insider threat.
The Biggest Threats
LaSalle says the stakes with insider threats has changed over the last decade. The biggest threat used to be an employee or contract worker walking off with a laptop or using a USB drive to steal a limited amount of data. Now, insider threats revolve around stealing an entire credit card database or millions of personal records.
“Insider threats have become more sophisticated and difficult to detect,” LaSalle says. Part of the problem is that malware is now often designed to look like a legitimate user and thereby stay under the radar of IT and security workers. The result is that it’s more difficult to differentiate between a person and a piece of software using a person’s credentials. In addition, the popularity of social collaboration has made it easier to share information, leading to a rise in inadvertent threats, LaSalle says.
Frequently, experts say, organizations have systems in place to log activity, but lack the resources to audit and monitor all the online transactions. In fact, the Spectorsoft survey found that 61 percent of respondents do not believe their organization is adequately prepared to respond to insider threats. Among the most common challenges are a lack of training, insufficient budgets, a general perception that threats aren’t a priority, a lack of staffing, and technology that doesn’t match the challenge.
Assembling the right combination of technical and practical controls is paramount. Gossels says organization must focus on hiring practices and background checks; provide education and training at all levels of the organization, from entry-level clerks to the CEO; conduct detailed audits; and balance the need for surveillance and controls with the real world of people getting their work done quickly and efficiently. “One of the biggest mistakes CIOs and other executives make,” says Gossels, “is introducing security controls that are so onerous employees look for ways to bypass them through rogue applications and unauthorized processes.”
In the end, Gossels suggests using acknowledged standards, such as ISO 27002, and turning to top-notch resources, such as Carnegie Mellon University’s CyLab Research page, for the latest cybersecurity news and information. LaSalle says CIOs can mitigate risks by understanding how to identify the difference between normal and risky behavior. “Adding visibility at the application layer can help identify usage patterns and outliers,” he explains. “From there, connecting teams that understand the application with teams that know user behavior can provide a better idea of what is being seen and how this may affect the business.”