Enabling Executives to Think Outside The Insider Risk Box

Insider risk management is a complex problem that requires an orthogonal approach to protecting competitive advantage, intellectual property, data, and personally identifiable information (PII). This article raises awareness of how insider risk management program capabilities can be improved. It also provides six key questions for executives to consider when building, or reassessing, an insider risk management program.

Industry research and security experts indicate that a balanced approach best postures organizations to prevent, detect, and respond to insider activity. People, process, and technology controls working together build the strongest insider risk management capability.

People Are Your Biggest Weakness and Strongest Defense

Data security has increasingly become a human risk problem rather than solely a technological one. From the standpoint of insider risk, one of the biggest weaknesses of any organization is its workforce. At the same time, the workforce can also be its strongest defense. One strategy for harnessing the defensive power of your workforce is to foster a security-conscious corporate culture: inform employees of why they would be targeted, by whom, and how. For instance, the case of Su Bin selling F-35 secrets to China shows how much effort and time an adversary will exert to gain access to proprietary information. Another approach is to train your managers to recognize signs that employees may be undergoing stressful or life-changing events. Human-centric controls include background checks, soft/hard monitoring (per the ISO/IEC 97001 recommendation), and tailored training for engineers, developers, and other technical positions.

Leadership teams that set expectations for employee work-from-home behaviors, review onboarding and offboarding (including violence prevention) procedures, and practice supply chain or third-party risk management strengthen their insider prevention capability. People-focused controls help detect disgruntlement toward employers or co-workers, chronic violations of organizational policies, declining work performance, unnecessary access to data, and more.

Set Relevant, Clear, and Enforceable Processes

Process helps defend against data compromises. According to a recent study, 44 percent of millennials, 30 percent of GenXers, and 16 percent of baby boomers still had access to applications from a previous job. The ability to access a former employer’s data and networks is a common issue. Policies support risk management by defining security roles and responsibilities, physical security measures (including controls on office spaces and controlled access to physical server and data storage areas), removable media use, e-mail use, and more.

Understanding how enterprise policies could enable insider activity, communicating across stakeholders on suspected incidents, and enforcing social media and mobile device use policies help leadership teams prevent and respond to insider activity. Has your team identified which policies may be outside your control to enforce? Processes help identify risky behaviors and lacking security practices, ensure sound IT practices, and more.

Combine Traditional with Emerging Technologies

Traditional technology products used by most IT and information security practitioners play a supporting role in managing insider risk. Examples include firewalls, anti-virus software, access controls, e-mail security and threat detection, network monitoring, data access controls, and automatic encryption. However, emerging technologies supporting insider security can create new threat vectors or present novel ways for employees to accidentally leak sensitive data. Therefore, pre-adoption evaluation is critical. Enterprise awareness campaigns on using recently adopted technology safely and efficiently help prevent employees from creating workarounds to get work done.

Leadership teams that track the effectiveness of IT risk mitigations, enterprise dependence on legacy systems, digital security practices, and data integrity enforcement are more likely to detect harmful insider activities faster. Technology controls identify data exfiltration, illegitimate access to sensitive data, attempts to bypass security controls, access to data post-termination, and more.
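As an added illustration (not GPSG’s own tooling), the post-termination access check referred to above can be as simple as correlating an HR offboarding export with authentication logs; the account names, dates, and log format below are constructed sample data.

```python
"""Post-termination access check (added example; not from the original article).

Correlates an HR offboarding list with authentication log lines and flags any
successful login by an account after its owner's last working day. All records
below are constructed sample data.
"""
from datetime import date, datetime

# Constructed HR offboarding export: account -> last working day (inclusive).
OFFBOARDED = {
    "jdoe": date(2024, 3, 15),
    "asmith": date(2024, 3, 20),
}

# Constructed auth log lines in a simple "timestamp user app result" format.
AUTH_LOG = """\
2024-03-15T17:55:02Z jdoe crm success
2024-03-18T09:12:44Z jdoe crm success
2024-03-19T08:01:10Z bwong vpn success
2024-03-22T22:40:07Z asmith fileshare failure
2024-03-23T07:30:15Z asmith fileshare success
"""


def parse_line(line):
    """Split one log line into (timestamp, user, app, result)."""
    ts, user, app, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, app, result


def find_post_termination_access(log_text, offboarded):
    """Return (successes, attempts): successful logins after the user's last
    working day, and failed attempts by offboarded accounts, which show that
    an account that should have been disabled is still being tried."""
    successes, attempts = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, app, result = parse_line(line)
        last_day = offboarded.get(user)
        if last_day is None or ts.date() <= last_day:
            continue  # still employed, or login fell within the last working day
        bucket = successes if result == "success" else attempts
        bucket.append((user, app, ts.isoformat()))
    return successes, attempts


if __name__ == "__main__":
    ok, tried = find_post_termination_access(AUTH_LOG, OFFBOARDED)
    for user, app, when in ok:
        print(f"ALERT: {user} accessed {app} at {when} after offboarding")
    for user, app, when in tried:
        print(f"NOTE: failed attempt by offboarded account {user} on {app} at {when}")
```

In practice the offboarding list would come from the HR system and the log lines from the identity provider or SIEM, with the check scheduled daily.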

Key Insider Risk Questions for Executive Leadership Teams

The following people, process, and technology-centric questions are a good starting point to consider when building, or reassessing, an insider risk management program:

  • How do your current risk practices reflect your organization’s risk tolerance for your most sensitive data and critical assets?
  • What is your strategy for increasing security awareness for your management team and workforce?
  • Who owns insider risk management at your organization? Who is responsible for handling and investigating insider security incidents at your organization?
  • What physical security controls do you have in place to prevent insider activities?
  • Which technologies, or tools, do you have in place to prevent insider security incidents? How often are they reviewed for relevance?
  • What policies or process controls do you have in place to prevent an insider security incident? When was the last time they were evaluated?

Benefits of Insider Risk Program Assessment

In conclusion, an insider risk program assessment helps leadership teams answer the key questions above and increases understanding of an organization’s insider risk profile. This type of evaluation also identifies digital vulnerabilities, business process gaps, or corporate culture practices that foster an environment for insider activity. Additional benefits include:

  • Launches, or reassesses, your organization’s insider risk management program
  • Confirms enterprise asset priorities
  • Identifies vulnerabilities, or gaps, for protecting sensitive data and other critical assets
  • Builds relevant insider threat models tailored to your organization’s critical assets
  • Supports insider security incident impact analysis for resource decision-making

All the benefits above can help justify actionable recommendations and next steps for improving your organization’s insider risk management program.

Connect with GPSG’s Insider Risk experts at cyberteam@gpsg.co. We look forward to helping enhance your organization’s insider risk management program.

Disclaimer: This website provides ever-changing content, conversations, and insights on cyber threats and trending solutions that are accurate to the best of our knowledge. Although we are cybersecurity experts, we provide information which we hope is helpful, and we do not endorse any specific products, tools, or solutions referenced herein. Consult with your cybersecurity team before taking any action.