By Boaz Fischer on May, 7 2018
Tackling The Human Element of Security
“I don't know how to exist before 9 A.M. And without coffee, I'm not classified as a human. Actually, I could be regarded as a threat.”
- Katie Findlay
The biggest problem with cyber threats is that they’re not physical in nature. Humans respond to physical threats reasonably well, but when it comes to the Internet, Humans are vulnerable, exposed and prone to social engineering.
Historically, humans have been the weakest link and the pretty much the source of all security incidents. There are two types of ‘users’ that pose a security threat.
- The first can relates to a “malicious user” that either sabotages, steals, defrauds or spies (espionage) of organisations critical assets.
- The second relates to a non-malicious user. Meaning that such users unintentionally puts the corporate assets at risk by performing a malicious action without realising it.
“Insiders” pose substantial threat to the organisation. Every user who has or had access to corporate assets can be deemed as an Insider. They are classified as insiders because, by virtue of their knowledge of, and access to, their employers’ information systems. Insiders can bypass existing physical and electronic security measures through legitimate measures.
Keep in mind that once an outsider gets in, there is a good chance they will perform the same types of malicious acts as malicious insiders.
Cyber criminals understand that humans by and large are vulnerable, exposed and easily prone to social engineering attacks. It has been demonstrated that a reward of $1 USD is enough to convince a large percentage of users to download and run potentially malicious software, while ignoring corporate policies.
For all of these reasons, it is no longer enough to limit our thinking that our problems will be solved by technical means alone.
In the past, we could acquire systems and that was enough to maintain an adequate level of security. Data breaches and other threats were just a remote thought.
Unfortunately, this is no longer the reality and security technology measures are NOT enough to protect organisation from an attack. Security attacks increasingly rely on human vulnerabilities.
Current approaches to IT security and risk management tend underestimate and even ignore the human factor.
A Different Approach.
First of all, organisations need to realise that organisations are formed by people. Without people, there is no corporation. People are alleged as biggest asset to the organisation, yet they also present the biggest threat.
Second, the chief security information Officer (CISO) is the manager of security systems but not people. Insider Threat is not a technology problem. It’s a people problem. Realise this, people become users when they connect to systems. Not the other way around. CISO’s role is not to manage people’s behaviour, motivation, needs, goals and desires and as a result.
Third, risks in various section of the organisations are different. For example, risks coming from HR will be different than Legal, Finance, etc. So, a different requirement and understanding is needed to identify people risks within each of those areas.
Therefore, it is important to involve all relevant stakeholders, such as human resource (HR), Legal Department, C-level executives and other related departments within the organisation, to develop proper security practices that specifically relates to a program called Insider Threat Program Management.
What is an Insider Threat Program Management?
The purpose of an Insider Threat Program is to develop a robust, repeatable set of processes that the organisation can use to Prevent, Detect, Deter and Disrupt suspicious activity and to resolve such incidents.
Effective insider threat mitigation requires coordination and collaboration among many different parts of an organisation. Human resources, legal, physical security, information technology, enterprise risk management, incident response, contracting, and data owners for critical lines of business are just some of the parts of an organisation that need to work in collaboration to share information to mitigate insider threats.
What to do? A formalised insider threat program is characterised by having:
- A directive, charter, or other policy document that establishes the program
- Documented statements of its mission, scope, and authorities under which the program will operate
- A defined governance structure that helps produce, review, and approve the program's standards, practices, and operating procedures
- A dedicated operating budget
Due to the organisation-wide participation that effective insider threat programs require, senior leadership buy-in and continued support are critically important to the success of any insider threat program. An insider threat program is responsible for establishing clear roles and responsibilities for all insider-threat-related efforts across the organisation.
What does the Insider Threat Program consist of?
The Insider Threat Program consists of 13 components as show in the following diagram:
- Formalised and Defined Program - The formalised insider threat program provides an organisation with a designated resource to address the problem of insider threat.
- Integration with Enterprise Risk Management - Organisations need to develop a comprehensive, risk-based security strategy to protect critical assets against threats from inside and outside the enterprise, including from trusted business partners who are given authorised insider access.
- Insider Threat Practices Related to Trusted Business Partners – Organisations need to include as part of the risk based security strategy, the threats posed from trusted business partners such as contractors, suppliers, vendors, managed service providers and others.
- Detection, Prevention and Response Infrastructure – Organisations need to implement technology solutions to effectively Detect, Prevent and Respond to insider threat incidents. For example, effective solutions for monitoring employee actions.
- Insider Threat Training & Awareness – A formalised insider threat training and awareness should be developed for the whole organisation, similar to what organisation do today regarding cyber security awareness training.
- Data Collection & Analysis Tools, Techniques and Practices – As the number of data sources used for insider threat analysis increases, so too does an organisation’s ability to produce more relevant alerts and make better informed decisions regarding potential insider activity. The volume of data that must be collected, aggregated, correlated, and analysed drives the need for tools that can fuse data from disparate sources into an environment where alerts can be developed that identify actions indicative of potential insider activity.
- Policies, Procedures and Practices to Support Insider Threat Program - A consistent, clear message on all organisational policies and procedures will reduce the chance that employees will inadvertently damage the organisation or lash out at the organisation for a perceived injustice.
- Protection of Employee Civil Liberties & Privacy Rights - It is essential that the concerns of each organization unit are considered when building the insider threat program structure, policy, implementation plan, and incident response capabilities. The goal of the insider threat program should be to protect the organisation’s critical assets from threats that originate from within the organisation, both malicious and non-malicious, but in doing so, should not infringe upon the privacy rights and civil liberties of the individuals working for the organisation.
- Communication of Insider Threat Events – Appropriate sharing of event information with the correct components, while maintaining confidentiality and protecting privacy until allegations are fully substantiated. Includes communication of insider threat trends, patterns, and probable future events so that policies, procedures, training, etc., can be modified as required.
- Insider Threat Incident Response - More than just a referral process to outside investigators. These plans detail how alerts and anomalies will be identified, managed, escalated. This includes timelines for every action and formal disposition procedures.
- Confidential Reporting Procedures & Mechanisms – Not only enable reporting of suspicious activity, but when closely coordinated with the insider threat program, these ensure that legitimate whistle-blowers are not inhibited or inappropriately monitored by an insider threat program.
- Oversight of Program Compliance & Effectiveness – Governance structure, such as an Insider Threat Program Working Group/Change Control Board that helps the program manager produce standards and operating procedures for the insider threat program and recommends changes to existing practices and procedures. Also, an Executive Council/Steering Group that approves changes recommended by the working group/change control board. Oversight includes annual self-assessments, as well as third-party assessments of the compliance and effectiveness of the program.
- Organisation Wide Participation - Active participation from all components that eases data access, sharing, and provides visible senior leader support for the program, especially when data necessary to an insider threat program is in silos
Who Currently Mandates an Insider Threat Program?
On October 7, 2011, the President of the United States, Barak Obama, signed an Executive Order 13587, “Structural Reforms to Improve Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information.
The Executive Order 13587 directs United States Government executive branch departments and agencies to establish, implement, monitor, and report on the effectiveness of insider threat programs to protect classified national security information, and requires the development of an executive branch program for the deterrence, detection, and mitigation of insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorised disclosure.
How Can CommsNet Group Help?
CommsNet Group can help you customise a specific insider threat program to fit your organisation operating environment. We can help you develop a formal program, that addresses and spans all the organisation functions and locations.
CommsNet Group will help you develop a formalised Insider Threat program to demonstrates that commitment of the organisation to due care and due diligence in the protection of its critical assets. A formal program is essential to providing consistent and repeatable prevention, detection and response to insider incidents in your organisation
Register your interest on CommsNet Group website and we will follow you up - http://commsnet.com.au/what-we-do/insider-threat-program-manager
Interested in more Insider Threat material?
- Visit the resource section on our website - http://commsnet.com.au/resources
- Download our latest Insider Threat E-Book from our website - http://commsnet.com.au/resources/download-the-book