Building Insider Threat Awareness into Security Awareness – Part 2
In part 1 of this post on why Insider Threat Awareness is a vital component of Security Awareness, I talked about the different types of insider threats and some of the steps security teams can take to protect their organizations and educate employees.
This week I want to explore whether that is enough, and offer some tips on how to approach introducing Insider Threat Awareness training in your organization.
To recap, at a high level here are some of the things security organizations can do:
- Use User and Entity Behavior Analytics (UEBA) to monitor behavior and actions
- Control user access and use two-factor authentication
- Have fewer privileged users
- Create a security culture of awareness
- Know your users and watch for behavioral changes
- Perform background checks on all users
- Educate employees about security
- Address cyber security in SLAs
Is this enough?
In a white paper (well worth reading in its entirety) about insider threats in nuclear security systems, the American Academy of Arts & Sciences (AMACAD) noted that there are deep organizational and cognitive biases that lead managers to downplay the threats insiders pose to their nuclear facilities and operations. Could insider threats be the elephant in the security room? Some of AMACAD’s findings are broadly applicable to many organizations and several may prompt you to re-evaluate your insider threat strategy:
- Organizations that consider their staff a carefully screened elite can lead management to assume, falsely, that insider threats may exist in other institutions but not in their own.
- The belief that personnel who have been through a background check will not pose an insider problem is remarkably widespread—a special case of the “not in my organization” fallacy. There are two reasons why this belief is mistaken. First, background checks are often not very effective. Second, even completely trustworthy employees may become insider threats, especially if they are coerced.
- High-security facilities typically have programs to monitor the behavior of employees for changes that might suggest a security issue. Security managers often assume that severe red flags warning of problems will not go unnoticed. But if individual incentive systems and information-sharing procedures encourage people not to report, even the reddest of red flags can be ignored.
- Security-conscious organizations create rules and procedures to protect valuable assets. But such organizations also have other, often competing, goals: managers are often tempted to instruct employees to bend the security rules to increase productivity, meet a deadline, or avoid inconvenience.
- Prevention of insider threats is a high priority, but leaders and operators should never succumb to the temptation to minimize emergency response and mitigation efforts in order to maintain the illusion that there is nothing to be afraid of.
Insider threat awareness training
Insider threat awareness is a vital component of security awareness. The need for training and education is making news headlines:
- The deadline for Federal contractors to complete insider threat training programs, before being granted access to classified information under a Department of Defense rule change, passed on May 31.
- Harvard Business Review asserts that the best cyber security investment you can make is better training. C-level executives, board directors, shareholders, and other senior leaders must not only invest in training for their firm’s own employees but also consider how to evaluate and inform the outsiders upon whom their businesses rely — contractors, consultants, and vendors in their supply chains. Such third parties with access to company networks have enabled high-profile breaches, including Target and Home Depot, among others.
Sometimes, through no real fault of their own, an employee drops the ball. A NASA laptop stolen in 2011 resulted in the loss of the algorithms used to command and control the International Space Station. At the time, incredibly, there was no agency-wide encryption policy for devices, so the story still resurfaces (as it is doing now), to NASA’s embarrassment. NASA Inspector General Paul K. Martin said at the time that the laptop was one of 48 NASA notebooks and mobile devices stolen between April 2009 and April 2011, which is what made it such a story: was it carelessness or just bad luck?
Whether the average opportunistic thief could make any use of the control codes that fell into their hands is a moot point. The story does illustrate how important security awareness training is for all roles in an organization, from techies to C-level executives and everyone in between. The trick is to tailor it for different roles and business units.
Insider threat awareness training should take a two-pronged approach:
- Creating a culture of confidentiality and personal responsibility for security, and educating employees about the reasons why. It’s not just so-called privileged, or important, staff that can be an insider threat. Consider the “lowly” receptionist, privy to private phone calls and confidential documents; are they aware that loose lips sink ships? One of the most common insider threat scenarios is that of a sales representative who leaves the company for a competitor, taking sales opportunities with him or her.
- Training often and in small batches, so that employees remember key messages and don’t get bored, intimidated or lose interest. Security training doesn’t have to be dull. For instance, Aware Ed is a computer-based security awareness program that lets people learn about the latest cyber-security threats and practice responding to them in hands-on simulations.
Insider threat awareness education should always include training on the company’s IT security policies, the penalties for infringements and how (or if) the company will protect whistleblowers. Security awareness empowers employees by giving them the knowledge to make informed decisions and educating them about the consequences of their actions.
Insider threats can be most unexpected, like the (unnamed) software developer who was busted for outsourcing his job to a programmer in China while he surfed the internet at work. He apparently paid the worker a fifth of his salary to complete his assignments, pocketed the difference and enjoyed life on easy street. He was caught when the company discovered the existence of an open and active VPN connection from Shenyang to the employee’s workstation that went back months. The audacious scheme exposed his employer to a wide range of security concerns as corporate data was openly shared with a total stranger. This was surely one insider threat the company’s training manual didn’t cover.
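The detection that caught the outsourcing developer (a months-long VPN session from a country the employee had never worked from) is the kind of check the UEBA and behavior-monitoring items in the recap above are meant to automate. The script below is an added example, not code from the original post or from any vendor it mentions: it builds a per-user baseline of VPN source countries from a learning window and then flags later sessions that come from a new country, run implausibly long, or overlap another session by the same user from a different country. The session records, country codes, the learning-window cut-off and the 24-hour threshold are all constructed for illustration; in practice the records would come from the VPN concentrator's logs with a GeoIP lookup on the source address.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN session records, not real logs. Each record is
# (user, source_country, source_ip, start, end) with times in UTC ISO format.
SAMPLE_SESSIONS = [
    # Learning window: the "normal" pattern for each user.
    ("bob",   "US", "203.0.113.10", "2017-05-01T08:02:00", "2017-05-01T17:30:00"),
    ("bob",   "US", "203.0.113.10", "2017-05-02T08:10:00", "2017-05-02T17:05:00"),
    ("bob",   "US", "203.0.113.11", "2017-05-03T07:58:00", "2017-05-03T18:01:00"),
    ("alice", "US", "198.51.100.7", "2017-05-01T09:00:00", "2017-05-01T16:00:00"),
    ("alice", "GB", "198.51.100.9", "2017-05-02T09:00:00", "2017-05-02T16:00:00"),
    # Observation window: a new country appears for bob, the session runs for
    # weeks, and it overlaps bob's own daytime sessions from the US.
    ("bob",   "CN", "192.0.2.44",   "2017-05-10T01:00:00", "2017-06-02T23:00:00"),
    ("bob",   "US", "203.0.113.10", "2017-05-11T08:00:00", "2017-05-11T17:00:00"),
    ("alice", "GB", "198.51.100.9", "2017-05-12T09:00:00", "2017-05-12T16:00:00"),
]

# Assumed cut-off between the learning window and the observation window.
LEARNING_END = datetime(2017, 5, 10)


def _parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(sessions, learning_end):
    """Map each user to the set of countries they connected from before learning_end."""
    baseline = defaultdict(set)
    for user, country, _ip, start, _end in sessions:
        if _parse(start) < learning_end:
            baseline[user].add(country)
    return baseline


def find_anomalies(sessions, baseline, learning_end, max_hours=24):
    """Return (user, reason, session) for sessions at or after learning_end that
    break one of three rules: new source country, session longer than max_hours,
    or a concurrent session by the same user from a different country."""
    findings = []
    observed = [s for s in sessions if _parse(s[3]) >= learning_end]
    for s in observed:
        user, country, _ip, start, end = s
        t0, t1 = _parse(start), _parse(end)
        if country not in baseline.get(user, set()):
            findings.append((user, "new_country", s))
        if t1 - t0 > timedelta(hours=max_hours):
            findings.append((user, "long_session", s))
        for other in observed:
            if other is s or other[0] != user or other[1] == country:
                continue
            o0, o1 = _parse(other[3]), _parse(other[4])
            if t0 < o1 and o0 < t1:  # the two time intervals overlap
                findings.append((user, "concurrent_countries", s))
                break
    return findings


if __name__ == "__main__":
    base = build_baseline(SAMPLE_SESSIONS, LEARNING_END)
    for user, reason, session in find_anomalies(SAMPLE_SESSIONS, base, LEARNING_END):
        print(f"{user:6} {reason:22} {session[1]} {session[2]} {session[3]} -> {session[4]}")
```

Run against the sample data, the script flags only bob: the Shenyang-style session trips all three rules, and bob's own US session the next day is flagged for overlapping it. Alice's GB session is not flagged because GB was already in her baseline, which is the point of learning per-user patterns rather than keeping a global list of "suspicious" countries. A real deployment would also want the "concurrent" rule to look at badge or endpoint telemetry, since a user physically at a desk while a VPN session from abroad stays up is exactly the signal the company in the story eventually noticed.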
This blog was contributed by Guest Blogger / Author: Penny Hoelscher
Posted by Preempt Guest Blogger on July 20, 2017 8:49 AM