Insider risk exists in every organization, and it can be difficult to identify. Organizations typically invest in security tools to keep external actors at bay, but don’t often prioritize tools to protect the organization from trusted users and accounts.
Whether through malice, negligence or error, the security risks posed by employees, contractors and integrated third-party partners must be addressed. The reality is that insiders have an advantage over an external attacker — they know where the data exists and how to get it. It is critical that security and risk management leaders understand and address the threat of insider risk to protect the enterprise perimeter.
Insider Risk vs. Insider Threats
Insider risk is the potential for an individual with authorized access to act in a way that could negatively affect the organization — either maliciously or unintentionally. Every employee, contractor or third party that is connected to enterprise systems poses an insider risk.
It’s important to distinguish between insider risk and insider threats. An insider threat is a specific user that is committing an isolated act with malicious intent. Not every insider risk becomes an insider threat, but every insider threat starts as an insider risk.
No environment is immune from the insider threat. It might be a trusted employee or contractor, or it could be someone that is not a member of the cleared community. Access is the key attribute, granting a unique opportunity to insiders. Once an insider risk becomes an insider threat, the consequences can range from disclosure of trade secrets to financial losses, compromised customer data or even regulatory fines.
The Rule of Three
To effectively mitigate insider risk, security and risk management leaders must fully understand the threat actor, what they are trying to do and the organization’s main mitigation goal. The rule of three provides a simple, yet practical, framework for evaluating insider risk.
First, consider the threat type. Insider risks can be classified as one of three types of threat actors:
- Careless user. This is when the user accidentally exposes sensitive and/or proprietary data, including through errors and improper configurations. Protecting against the careless user is best accomplished with a strong security awareness program that is supported by investment in tooling that allows for comprehensive monitoring of the environment and critical data assets.
- Malicious insider. This involves intentional sabotage and data theft for either personal reasons or financial gain. Monitoring and surveillance tools can provide early detection of malicious insider activity.
- Compromised credentials. This is when credentials are exploited by someone outside the organization for the purpose of data theft and/or sabotage. Multifactor authentication (MFA) greatly reduces the risk of the credentials being exploited successfully.
Once the type of threat is identified, activities are typically categorized into one of three groups deemed to be a policy violation or illegal by law: Fraud, such as phishing or financial theft; intellectual property theft; and system sabotage, such as malware, ransomware, or data deletion.
Finally, evaluate insider risk within the lens of the three key mitigation goals: deter, detect, and disrupt. Deterring risk requires a strong cybersecurity awareness program, where users are educated on acceptable practices, data confidentiality and their role in securing the organization’s intellectual property. Detecting activity relies on security tools that can monitor for signs of improper data exfiltration before it leaves the care and control of the organization. Disrupting insider threats tools that automatically block data against exfiltration.
Take a Layered Approach to Manage Insider Risk
Using the rule of three as a framework, security and risk management leaders can develop their insider risk management strategy. A successful insider threat mitigation program requires a layered approach, comprised of people, processes and technology. Together, these elements enable the enterprise to effectively deter, detect and disrupt insider threats.
A formal program should serve as the foundation of the insider risk management strategy. This program should encompass:
- Insider risk policies and procedures, such as policies around data classification and protection or protocols for application approval and surveillance.
- A confidential reporting mechanism, for employees and users to report potential insiders with no fear of repercussions.
- Governance, oversight, and compliance, to support policy and procedure implementation and enforcement.
- Integration with enterprise risk management, to ensure insider risk is regularly monitored and evaluated.
- Integration with trusted business partners, who are included and trained on expectations.
- Insider risk training and awareness as part of the formal security awareness training curriculum.
- Insider risk playbooks that outline the tools and procedures the security team uses to identify, monitor, contain and mitigate insider risk.
- Insider risk incident response (IR) plans as part of the formal IR framework.
- Protection of employee and privacy rights considered in the development of the program.
The additional layers of the insider risk management strategy should include activities focused on improving user awareness, monitoring for threats, and investigating potential risks. It’s important to keep in mind through each of these layers that insider threats cannot be stopped by IT alone. A robust insider risk management program requires support and input from stakeholders including the executive team, legal department, and HR to provide governance enforcement as well as information on staff movements, contractor engagements and vendor access.
Insider risk is an ongoing challenge that cannot be overlooked. In partnership with stakeholders across the enterprise, CIOs and CISOs responsible for managing insider risk must act now to develop a comprehensive strategy to address such risks before they become threats to the organization’s security.
Paul Furtado is a Vice President Analyst at Gartner, Inc. responsible for providing insights into cybersecurity trends, threats, prevention and governance. Paul and other Gartner analysts are presenting the latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summit 2022, taking place this week in National Harbor, MD.