Awareness, Education, Prevention: The 3-Factor Approach to Mitigate Insider Threats

Featured article by Isaac Kohen, Teramind

Insider threats continue to be an organization’s number one weakness. This is because an insider is able to bypass any firewalls, detection systems, or access gates. Most breaches that are the result of insiders happen from negligent employees or managers. Malicious insider incidents are fewer but often cause far more damage. How much damage can one employee do to an organization? The answer is dependent on access, information quality, and intent. Everyone who works with or in an organization is an insider.

Insider Threat Awareness

Awareness of insider threat can be hard to develop, mainly because the behaviors of an insider threat actor overlap with the behaviors of an ambitious employee. However there is one factor that can help define the difference, and that is an understanding of intent. Malicious insiders who seek to steal, spy, or sabotage the organization almost always leave trails or provide hints of their intentions. Meanwhile, negligent insider threats can usually be deterred with internal policies and security measures. This is why it is best to establish insider threat awareness programs. These programs exist create an environment and culture of security awareness.

Effective awareness programs about insider threat in your company relies on a few factors: employee understanding of insider threat impacts, established processes for taking action on a suspicion, and employee motivation to do something. Motivation may be the trickiest part of this equation. IT departments generally understand the link between a data breach and company collapse, however your average manager or employee may not, thus they are not generally motivated towards action. It is easy to tell employees “if you see something, say something” but this tagline is everywhere and employees may be numb to hearing it. One approach could be to link the impact of an insider-related data breach to job security. By linking the motivation factor to a personal impact, employees will be more motivated to act when they see suspicious behavior.

Insider Threat Education

The concept of insider threat is not a hard one to understand, often the challenge is one of seriousness and priority. Insider threat awareness often comes after some education of insider threat has been established. Often this education has to start at the top, without executive support, insider threat awareness programs fall apart from lack of funding and prioritization. Despite knowing and understanding insider threat, executives and business owners are not prioritizing investment into cybersecurity, much less in insider threat.

When educating top-level management about insider threats it is important to emphasis two links to them. The first link is the risk involved with an insider breach, whether negligent or malicious in intent. Examples for risks involved could come from HBO, NHS, FedEx, and Nationwide Insurance. The risk to companies involves productivity loss, operations disruption, trade secrets compromise, and loss of market confidence. The risks involved with a data breach caused by an insider extend to not just the company, but also your investors, customers, and business partners. The second link is the financial return on investment that companies gain from investing in insider threat prevention programs. Of course the costs will be different company to company but you can often get an estimation of return of this by understanding the security return on investment. The formula generally goes: (annual loss expected * mitigation ration – cost of solution) / cost of solution. Simple formula but a lot of work to contextualize for your company. Your insider threat education program for top management and middle management should emphasize these two factors to be effective.

Insider Threat Prevention

Preventing insider threats can be a daunting task however it helps to understand the internal policy wins you can gain before implementing new technology.

The first set of policies should be centered around device restriction. Only securing computers on the network at work is futile if employees can also access the network in an unencrypted and unsecured manner with their personal devices. Policies and technology measures should be implemented that only allow work to be done on specific devices that are secure and monitored.

The second set of policies should be centered around usage and access rules and monitoring of employees, process data flows, and business partners. This is where technology shines. In particular user behavior monitoring technology. By keeping tabs on users and your network, you will be able to automate responses to a violation of policy.

The third set of policies should focus around some security basics, such as strong passwords, logging out regularly, need-to-know information sharing, two-step authentication, and phishing identification.

Insider threats are tough to combat, and will be an even greater challenge if employees and upper management are not supporting your efforts to combat them. Understanding how to encourage and raise awareness and education will help drive from the bottom-up an insider threat deterrence in your company. How have you approached preventing insider threats in your organization?

About the expert:

Isaac Kohen is the founder and CEO of Teramind, an employee monitoring and insider threat prevention platform that detects, records, and prevents, malicious user behavior. Isaac can be reached at ikohen@teramind.co