
Guest blog from Providence Consulting Group (Providence), a Fivecast partner and provider of risk and protective security services to Australian federal/state government entities, Department of Defence, and the private sector – including critical infrastructure entities.

In this blog, Marina Maydanov, the Critical Infrastructure Security Practice Lead from Providence, explores approaches to [and common mistakes made in] building a holistic, human-centric, and balanced Insider Threat Program (ITP) that can also serve as an enabler for employee wellbeing and a foundation for a more productive, engaged, and secure workforce.

September is Insider Threat Awareness month. Let’s explore the insider threat outlook for 2023 and effectiveness of ITPs.

Definition of an insider

Thinking about insider threat, people often visualise a foreign spy or a Snowden-type insider who compromises extremely sensitive government information. However, insiders and their motivations take many forms, from a disgruntled employee taking your intellectual property (IP) on the way out of your organisation, to a stressed and overworked one who unintentionally clicks the phishing link that enables a cyberattack.

The ASIO 2023 Countering the Insider Threat: A Security Manager’s Guide (ASIO Guide), available through ASIO outreach, defines an insider as ‘a current or former employee or contractor who has legitimate or indirect access to a workplace’s people, information, techniques, activities, technology, assets, or facilities’. It is important to keep in mind that insiders also include your supply chain vendors or business partners that have, or had, authorised access to your organisation’s assets.

There are two types of insiders: unintentional (negligent) and intentional (malicious) insiders. An insider’s reasons for conducting harmful activities, whether intentional or unintentional, are varied and often complex, and, as decades of international research show, an insider usually has more than one motivation for their activity.

What is an Insider Threat Program?

The deep complexity and potential scope of insider threat management can be a daunting challenge for organisations; some security leaders resist considering their employees a potential threat and simply ignore insider threat altogether (as demonstrated by the 2021 Carnegie Mellon University survey of insider risk management practitioners).

There is currently no international or Australian standard available that provides clear criteria or best practice on how to build and operate an ITP. Available sources of international guidance contain various approaches. So, how can you choose what will best serve your organisation?

The Australian guidance on the topic is available in the ASIO Guide, which defines ‘a counter insider threat program as a set of measures to manage the risk of, and deter, detect, respond to and recover from, the insider threat’ and provides generic advice on ITP development. I note that ITP guidance for the public and private sectors would share core commonalities; however, the priorities and business objectives may differ significantly.

Insider threat outlook for 2023

Insider threat continues to grow rapidly, with the global average cost of a data breach increasing by 15% over the last 3 years and reaching US$4.45 million in 2023. Attacks initiated by malicious insiders were the costliest, at an average of US$4.90 million. Breaches caused by unintentional insiders (phishing) were the most prevalent attack vector and the second most expensive, at US$4.76 million.

For critical infrastructure industries, data breach costs exceeded US$5 million per event! This gloomy reality was revealed by the 2023 Cost of a Data Breach Report published by IBM and conducted by The Ponemon Institute.

At the same time, we are observing a visible increase in ITP investment – 72% of the 700 companies surveyed by Vanson Bourne in the annual Data Exposure Report 2023 have an established ITP in place. The Ponemon Institute research into 2023 data breaches also tells us that 51% of the 550 surveyed organisations around the globe are planning to further increase security investment after experiencing a breach.

In my view, these figures create a certain paradox: why, despite increased investment in ITPs, does insider threat continue to surge across the globe? What is not working? I would like to explore this paradox from various perspectives – from contemporary employee expectations to a tendency to over-rely on technology.

To learn more about how you can mitigate insider threats and meet the requirements of the new Australian Government SOCI CIRMP Rules 2023, read our solution brief with Providence Consulting.
Workforce trends, or what is important for an employee in 2023?

The COVID-19 pandemic and accompanying lockdowns provided people with time to rethink the way they live; consider the role of work in their lives and the value they place on flexibility and activities outside of work.

The result was the ‘Great Resignation’ wave, with disgruntled and dissatisfied employees leaving organisations, sometimes exfiltrating IP and sensitive data on the way out. Today, employees have different expectations of the workplace: they no longer want to be tied to the traditional 9-to-5 workplace model, and they seek flexible schedules and work-from-anywhere policies.

This shift in the workforce’s expectations created multiple challenges for security leaders and insider threat practitioners – from the inability to build rapport remotely, or to detect change in the behaviour of a colleague, to the challenge of the remote offboarding process.

One of the most important objectives of an ITP is not to punish, or to focus on ‘catching’ someone doing the wrong thing, but rather to build trust by offering guidance and support to those in need. This approach requires all of us to be alert to any change in the behaviour of our colleagues, and to understand the communication channels and avenues for assistance that are available. For remote work, where in-person interaction is often limited, this approach is challenging.

Consider whether your ITP focuses on the wellbeing of your people, and whether it accommodates and effectively addresses these modern workforce trends and personnel security challenges.

How to balance focus between technology and people?

In recent years, I have observed a tendency to shift ITP focus heavily from human-centric approaches to technologically enabled solutions and behavioural system monitoring. Virtual data streams from diverse sources provide improved insight into the risk activities and profile of individual employees, on the condition that the organisation has data analytics capability and staff skilled enough to understand and analyse the information. However, system and virtual behavioural data monitoring is only one piece of the puzzle.

Insider threat is about people, and people are complex and often unpredictable – there is no formula to them. An information system capable of supporting analysis and the decision-making process may be ill-equipped to identify when a disgruntled employee needs help or becomes a security risk.

So, how do you keep people at the centre of an ITP and get the balance right with constantly evolving technologies, information-system-driven approaches and various data streams?

7 key steps from Providence on how to build a holistic, human-centric, and balanced ITP:

1. Conduct a security risk assessment
  • Determine risk tolerance of an organisation as a necessary precursor to tailoring an ITP to address specific needs, threat types, and unique culture of the organisation.
2. Establish multi-disciplinary governance
  • Break down data silos, build collective understanding of security objectives and enable information sharing.
3. Introduce an in-house workforce security risk-based screening
  • Determine the level of screening to be proportional to the level of risk posed by that role to organisational objectives, processes, and business impact.
4. Develop an ITP foundation
  • Establish and clearly communicate personnel security policies, procedures, education, and training.
5. Enable access and technical controls
  • Link existing physical and IT security access and technical controls.
6. Empower robust virtual and non-virtual behavioural monitoring
  • Roll out a reporting mechanism that lets employees raise their concerns and that feeds an investigation capability.
7. Data analysis and reporting using advanced open-source intelligence (OSINT) capabilities
  • Advanced analytics tools provide automated analysis and reporting based on a risk algorithm that aligns with a risk tolerance of an organisation.

Our approach to an ITP will also equip your organisation to:

  • Bolster wellbeing, employee performance, staff retention and workforce diversity
  • Establish an adequate organisational response to incidents thus mitigating the insider threat
  • Enhance loyalty and the organisation’s security culture.

Learn more! Gain practical advice on how to establish an Insider Threat Program as part of a Critical Infrastructure Risk Management Program, and how to mitigate insider threat within your organisation and its supply chain, at our upcoming free online workshops on 12 and 26 October.