Guest blog from Providence Consulting Group (Providence), a Fivecast partner and provider of risk and protective security services to Australian federal/state government entities, Department of Defence, and the private sector – including critical infrastructure entities.
In this blog, Marina Maydanov, the Critical Infrastructure Security Practice Lead from Providence, explores approaches to [and common mistakes made in] building a holistic, human-centric, and balanced Insider Threat Program (ITP) that can also serve as an enabler for employee wellbeing and a foundation for a more productive, engaged, and secure workforce.
September is Insider Threat Awareness Month. Let’s explore the insider threat outlook for 2023 and the effectiveness of ITPs.
Definition of an insider
When thinking about insider threat, people often visualise a foreign spy or a Snowden-type insider who compromises extremely sensitive government information. However, insiders and their motivations take many forms, from someone disgruntled taking your intellectual property (IP) when leaving your organisation to someone stressed and overworked unintentionally clicking a phishing link and enabling a cyberattack.
The ASIO 2023 Countering the Insider Threat: A Security Manager’s Guide (ASIO Guide), available through ASIO outreach, defines an insider as ‘a current or former employee or contractor who has legitimate or indirect access to a workplace’s people, information, techniques, activities, technology, assets, or facilities’. It is important to keep in mind that insiders also include your supply chain vendors or business partners that have, or had, authorised access to your organisation’s assets.
There are two types of insiders: unintentional (negligent) and intentional (malicious) insiders. An insider’s reasons for conducting harmful activities, either intentionally or unintentionally, are varied and often complex; as decades of international research show, insiders have more than one motivation for their activity.
Insider threat outlook for 2023
Insider threat continues to rapidly grow, with the global average cost of a data breach increasing by 15% over the last 3 years and reaching US$4.45 million in 2023. Attacks initiated by malicious insiders were the costliest, at an average of US$4.90 million. Breaches by unintentional insiders (phishing) were the most prevalent attack vector and the second most expensive at US$4.76 million.
For critical infrastructure industries, data breach costs exceeded US$5 million per event! This gloomy reality was revealed by the 2023 Cost of a Data Breach Report published by IBM and conducted by The Ponemon Institute.
At the same time, we are observing a visible increase in ITP investment – 72% of the 700 companies surveyed by Vanson Bourne for the annual Data Exposure Report 2023 have an established ITP in place. The Ponemon Institute research into 2023 data breaches also tells us that 51% of 550 surveyed organisations around the globe are planning to further increase security investments due to experiencing a breach.
In my view, these figures create a certain paradox – why, with the increase in security investment in ITPs, does the insider threat continue to surge across the globe? What does not work? I would like to explore this paradox from various perspectives – from contemporary employee expectations to a tendency to over-rely on technology.
Workforce trends, or what is important for an employee in 2023?
The COVID-19 pandemic and accompanying lockdowns provided people with time to rethink the way they live, and to consider the role of work in their lives and the value they place on flexibility and activities outside of work.
The result was the ‘Great Resignation’ wave, with disgruntled and dissatisfied employees leaving organisations, sometimes exfiltrating IP and sensitive data on the way out. Today, employees have a different expectation of the workplace: they no longer want to be tied to the traditional 9-to-5 workplace model and seek flexible schedules and work-from-anywhere policies.
This shift in the workforce’s expectations created multiple challenges for security leaders and insider threat practitioners – from the inability to build rapport remotely, or to detect change in the behaviour of a colleague, to the challenge of the remote offboarding process.
One of the most important objectives of an ITP is not to punish or focus on ‘catching’ someone doing the wrong thing but rather to build trust by offering guidance and support to those in need. This approach requires all of us to be alert to any change in the behaviour of our colleagues and to understand the communication channels and available avenues for assistance. For remote work, where in-person interaction is often limited, this approach is challenging.
Consider whether your ITP focuses on the wellbeing of your people, and whether it accommodates and effectively addresses these modern workforce trends and personnel security challenges.
How to balance focus between technology and people?
In recent years, I have observed a tendency for ITP focus to shift heavily from human-centric approaches to technologically enabled solutions and behavioural system monitoring. Virtual data streams from diverse data sources provide improved insight into the risk activities and profile of individual employees, on the condition that an organisation has data analytics capability and staff skilled to understand and analyse the information. However, systems and virtual behavioural data monitoring is only one piece of the puzzle.
Insider threat is about people, and people are complex and often unpredictable – there is no formula to them. An information system capable of supporting analysis and the decision-making process may be ill-equipped to identify when a disgruntled employee needs help or becomes a security risk.
So, how do we keep people at the centre of an ITP and get the balance right with constantly evolving innovative technologies, information system-driven approaches and various data streams?
Our approach to an ITP will also equip your organisation to:
- Bolster wellbeing, employee performance, staff retention and workforce diversity
- Establish an adequate organisational response to incidents thus mitigating the insider threat
- Enhance loyalty and the organisation’s security culture.
Learn more! Gain practical advice about how to establish an Insider Threat Program as part of a Critical Infrastructure Risk Management Program and mitigate insider threat within your organisation and the supply chain at our upcoming free online workshops on 12 and 26 October – Register Below.