The Insider Threat Denial Syndrome
I believe there is a “denial syndrome” that exists in cyber security. I’m not referring to the “It won’t happen to me” concept, I’m pointing to a deeper and more dangerous belief. In psychology, denial happens when we are uncomfortable with the facts of reality and instead of dealing with it we reject it, insisting it is not correct.
I believe denial goes back to a basic level where all us humans know we can and will die, and we use denial to fight this fear. People ignore the perceived threat because it helps to keep moving forward, otherwise we would probably malfunction from “Death Anxiety.” On the far edge of the spectrum there are some who take elevated denial to a whole new level.
Which brings me back to the denial syndrome in cyber security. I recently met with an executive who flat out denies they have an insider threat problem.“We only hire smart people,” he said to me. To myself, I quietly thought, “ohh yeah this solves the problem.”
I want to use this platform to make a clear and loud statement:
Insider threats are everyone’s problem
It doesn’t matter if you employ 1 or 1M employees, it is inevitable that every business with more than one person faces this threat. Insider threats and misuse are costly (loss of business, remediation etc.) and it affects the business reputation for long term. Now, let’s discuss the level of risk and what can be done to address it. There is no one size fits all and not all will share the same risk level. I am sure everyone agrees that the NSA not only hires very smart people but they also take (lots) measures to reduce the level of threat from Insiders. Yet the failure still echoes even today exactly 4 years after Edward flew to Hong Kong on May 2013.
We frequently hear about malware and phishing emails and yet the Insider threat is an often minimized problem that should be taken more seriously. The elephant isn’t just in the room, it is sitting on the table and some organizations still diminish it and won’t fully acknowledge the scale of the problem. For example I have heard Insider Threat will go away when robots will take over human positions…
For me (and others) the existence of this threat isn’t a question, it’s about what can be done to solve it.
Is it hard to identify the Insider Threat? Yes
Is there a way to identify this threat? Yes
Is it logical to monitor all insiders (or only privileged insiders)? Yes
Is there a way to predict this threat? Yes
Is there a way to contain this threat? Yes
So how do you do it? Here are some tips:
Research and many articles have proved that when people know they are being watched they will try to change their behavior. If people know they are being monitored, they will “think again” before bending the rules, before they misuse a system, abuse it or steal. Invest in monitoring as a best practice approach and apply it to all employees regardless: insiders, privileged and 3rd party.
Each employee is a unique individual whose performance is being measured against business KPIs. Do the same by measuring against cyber security KPIs that can help you measure the risk level of individuals, business units or an organization as a whole. Use Security Risk Scoring as a practical methodology to predict upcoming threats and measure ongoing risk posture.
At the same time, it is known that over-monitoring and censorship may lower productivity. This is why Preempt has chosen an approach that empowers end users. When empowered, humans try to be better, and specifically when they know it isn’t targeted monitoring. Trust your end users and give them the power to decide about the actions they want to take. Let this valuable human resource take a notable part of the organization security plan.
In Dimensional Research’s latest report “Growing security threats from insiders” we see that 66% of the security professionals said they see value in providing online real-time training and feedback. Yes, this is very important. Educate employees about the threats and risks that the organization faces and you make it even more effective by tying education and feedback contextually to user activity, in real time. They are more likely to remember that training in the future.
Incorporate cyber logic that can ingest user data and identify not only anomalous behavior but also behavior which may be tied to malicious intent.
Offer your team a wide set of tools to choose the most flexible and adaptive controls to fit the situation. And ensure that user response automatically feeds back to the system so it can not only continue to learn from it but also reduce burden for the security officers and automate the Incident Response process.
Learn More: To learn more about how to implement a real-time Insider Threat program, watch our on-demand webinar.
Posted by Eran Cohen on May 18, 2017 12:01 PM