Council Post: How To Build A Holistic Insider Threat Program (2024)

Saryu Nayyar is CEO of Gurucul, a provider of behavioral security analytics technology and a recognized expert in cyber risk management.

Any organization is susceptible to insider threats. While we commonly think of some kind of cyber exploit in which sensitive data is stolen over the network, an insider threat can be anything from a physical security breach to a cyberattack. Companies should plan and prepare for the entire range of possibilities and put the means of deterrence and detection in place.

Here are examples from opposite ends of the spectrum—one a physical theft, the other a cyber incident—yet both were damaging to their respective organizations.

The Iranian-American engineer Mozaffar Khazaee was convicted of attempting to steal sensitive military information and ship it to Iran. Khazaee had been an employee of the defense contractor Pratt & Whitney, where he acquired information about key military technologies. He was caught shipping technical manuals and other trade secrets to contacts in Iran, a violation of the U.S. Arms Export Control Act, and was sentenced to more than eight years in prison. No malware or network intrusion was involved; the loss happened through an authorized user carrying documents out the door.

Spear phishing of employees led to the takeover of legitimate employee accounts at the social media company Twitter. The attackers used the compromised credentials and Twitter's internal administrative tools to hijack the accounts of famous users such as Barack Obama and Elon Musk. They then ran a scam that collected bitcoin payments into wallets they controlled and, as a result, hurt Twitter's stock value. Here the "insider" was an outsider acting through a legitimate employee's access.

Cyberthreats get board-level attention these days, but the potential for physical (or “offline”) insider threats should not be ignored. After all, they have existed since well before there ever was a cyberspace. Organizations that want to protect themselves from all angles would do well to develop a holistic insider threat program.

Getting Started

Start with executive sponsorship. An insider threat program would fall under the purview of a senior executive with corporate risk or security responsibilities—a chief risk officer (CRO) or chief security officer (CSO). This leader should garner the full backing of the board or the executive leadership team to institute and maintain a formal program to reduce risk to the organization.

Once approved, the program should be led by a small, neutral team with enterprise-wide responsibilities. Ideally, the team holds no bias toward any particular group in the corporation (for example, favoring the IT group and focusing solely on technology-based risks). The holistic program must cover the total risk landscape, including the physical world, the cyber world and non-security indicators that bring context to risk.

To learn who and what are most at risk, it’s important to identify the company’s critical positions and assets. People in key roles can be targeted for phishing attacks, leading to account takeovers. Workers with assigned access to sensitive or proprietary information have keys to the kingdom that are worth watching.

The program must identify the potential perpetrators in order to build the right defenses. Traditionally we think of insiders as regular employees, privileged workers such as system administrators, executives who have heightened access to important information, and third-party workers and supply chain partners who have access to facilities and systems. But these days, an insider can also be someone who has purchased or stolen a legitimate user's credentials to gain access to computer systems and applications, as in the Twitter example above. A program that models only malicious employees will miss that case.

Education and awareness increase cooperation and support. It’s important to condition, train and educate the workforce about any fledgling program, letting them know that the program isn’t trying to “catch” people misbehaving. Rather, the program exists to protect the company and workforce from being victimized. The message should be delivered in a gentle way to cultivate cooperation.

Strong relationships are critical.

Build relationships with groups both inside and outside the company to help with the efforts to deter, detect and mitigate insider threats. Key internal groups include human resources, ethics and compliance, legal, employee development, the business units, physical security, information security, corporate investigation services and the privacy program.

Outside relationships are just as important with groups that include law enforcement, government agencies like CISA, threat intel providers, technology vendors and peer organizations.

All these groups are necessary to provide essential elements of the program, including policy guidelines, legal advice, indicators of compromise, threat and risk analysis, systems and user activity data, contextual information, employee training, investigative services and more.

Technology is a force multiplier.

Technology plays a big role in detecting suspicious activity that could be indicative of an insider threat or full-blown attack. Several types and layers of technologies are necessary to thoroughly monitor the enterprise, detect threats and calculate risk.

For example, logging must be enabled across the enterprise to capture system and user activity data, and storage sized for that volume, often a cloud-based data lake, is needed to retain it long enough to investigate. Data loss prevention (DLP) tools watch for improper movement of data. Privileged access management (PAM) tools monitor and control what people with heightened access permissions can do. A security information and event management (SIEM) platform collects, correlates and analyzes data from a wide variety of sources. To determine which tools will best serve your company's security needs, consult security operations, security architects, governance, risk and compliance management and executive leadership.

On the physical security side, video surveillance, access control locks, perimeter detection systems and other devices can help detect unauthorized activity.

The key with any technology is to collect data from as many relevant sources as possible, within the limits the privacy and legal functions set, and to correlate it across sources. A single event from one system is rarely conclusive; it is the combination of a physical record, an authentication record and a data-movement record that points to a potential threat.
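As an added illustration (not code from the original article or from Gurucul), the following Python script correlates three constructed event feeds of the kinds discussed above: badge-reader logs from physical access control, authentication logs, and DLP egress events. It flags two cross-source patterns that none of the feeds reveals on its own: a remote login while the same account's badge shows the person inside the building (the credential-takeover case), and an after-hours badge entry followed by a large external data transfer. All users, timestamps, thresholds and rule names are invented for the example; a real deployment would pull these records from the SIEM or data lake and tune the thresholds to the organization's own baseline.

```python
"""Cross-source correlation for insider-threat triage (constructed example).

Joins badge (physical), authentication (cyber) and DLP (data movement)
events on the user identity and time, and raises findings when the
combination is inconsistent or suspicious.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events. Timestamps are ISO-8601 in one site-local time.
BADGE_EVENTS = [  # (user, time, door, action)
    ("alice", "2024-03-04T08:55:00", "HQ-Lobby", "in"),
    ("alice", "2024-03-04T17:40:00", "HQ-Lobby", "out"),
    ("bob",   "2024-03-04T09:10:00", "HQ-Lobby", "in"),
    ("bob",   "2024-03-04T18:05:00", "HQ-Lobby", "out"),
    ("carol", "2024-03-04T22:30:00", "HQ-Lab",   "in"),
    ("carol", "2024-03-05T00:15:00", "HQ-Lab",   "out"),
]
AUTH_EVENTS = [  # (user, time, source): "office" = on-LAN, "remote" = VPN
    ("alice", "2024-03-04T09:02:00", "office"),
    ("bob",   "2024-03-04T13:20:00", "remote"),   # VPN while badged in
    ("carol", "2024-03-04T22:35:00", "office"),
]
DLP_EVENTS = [  # (user, time, bytes, destination)
    ("alice", "2024-03-04T11:00:00", 30_000_000, "sharepoint.corp"),
    ("carol", "2024-03-04T23:10:00", 2_400_000_000, "personal-cloud.example"),
]

WORK_START, WORK_END = 7, 19          # business hours (assumed)
EGRESS_THRESHOLD = 500_000_000        # bytes; tune to the org's baseline
AFTER_HOURS_WINDOW = timedelta(hours=2)
INTERNAL_SUFFIX = ".corp"             # destinations treated as internal


@dataclass
class Finding:
    user: str
    rule: str
    score: int
    detail: str


def _t(s):
    return datetime.fromisoformat(s)


def presence_intervals(badge_events):
    """Pair each 'in' swipe with the next 'out' swipe for the same user."""
    intervals = defaultdict(list)
    open_entry = {}
    for user, ts, door, action in sorted(badge_events, key=lambda e: e[1]):
        if action == "in":
            open_entry[user] = (_t(ts), door)
        elif action == "out" and user in open_entry:
            start, door_in = open_entry.pop(user)
            intervals[user].append((start, _t(ts), door_in))
    # An 'in' with no matching 'out' means the person is still on site.
    for user, (start, door) in open_entry.items():
        intervals[user].append((start, datetime.max, door))
    return intervals


def correlate(badge_events, auth_events, dlp_events):
    """Return a list of Findings from the joined feeds."""
    findings = []
    on_site = presence_intervals(badge_events)

    # Rule 1: remote authentication while the badge shows the user inside.
    for user, ts, source in auth_events:
        when = _t(ts)
        for start, end, door in on_site.get(user, []):
            if source == "remote" and start <= when <= end:
                findings.append(Finding(
                    user, "remote_login_while_on_site", 40,
                    f"remote auth at {ts} while badged in via {door} "
                    f"since {start.isoformat()}"))

    # Rule 2: after-hours entry followed by a large external egress.
    for user, ts, nbytes, dest in dlp_events:
        when = _t(ts)
        if nbytes < EGRESS_THRESHOLD or dest.endswith(INTERNAL_SUFFIX):
            continue
        for start, end, door in on_site.get(user, []):
            after_hours = not (WORK_START <= start.hour < WORK_END)
            if after_hours and start <= when <= start + AFTER_HOURS_WINDOW:
                findings.append(Finding(
                    user, "after_hours_bulk_egress", 60,
                    f"{nbytes} bytes to {dest} at {ts}, "
                    f"{when - start} after entry via {door}"))
    return findings


def risk_scores(findings):
    """Aggregate per-user risk so an investigator can rank who to look at."""
    scores = defaultdict(int)
    for f in findings:
        scores[f.user] += f.score
    return dict(scores)


if __name__ == "__main__":
    hits = correlate(BADGE_EVENTS, AUTH_EVENTS, DLP_EVENTS)
    for f in hits:
        print(f"{f.user:6} {f.rule:28} +{f.score}  {f.detail}")
    print("risk:", risk_scores(hits))
```

The scores are only a triage aid; as the article says, the output goes to an investigative body, not straight to an HR action. Note also what the script cannot see: a badge that was lent to a colleague, or a VPN session from a home office that HR knows was approved, are exactly the context items that live outside the tools.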

Even at that, some contextual data may never be in digital format to feed into a tool. For instance, the HR department may have highly sensitive written documentation on employees that is pertinent to a threat investigation, such as information from a criminal background check or records of substance abuse.

While you should use technology tools to collect data and do analytics and risk scoring, a professional investigative body should perform the actual threat investigation. This could be HR, the ethics and compliance group, a corporate investigation services team or the like.

With the proper plan, relationships and technologies, the risk of insider threats can be substantially reduced.
