In 2017, some of the world’s most devastating cyber attacks were seen. Insider threats continue to be the primary reason for such high-profile data breaches year over year.
With the rise of malware as a service, insiders are now more than capable of sabotaging a company’s operations or stealing data to sell on the darknet. Without the right support from management, preventing severe data breaches can become near impossible. Malicious insiders paired with increasingly dangerous malware means that management needs to be actively involved in security.
It is common for management to assume that cyber security is a matter best handled by the IT department or the internal cyber security team. However, this is far from what good cyber security practice means today. Much of this illusion is due to the inherent technical nature of cyber security; the other aspects of people and processes are not emphasized as much.
This article specifically focuses on best management practices to improve the people and process side of cyber security. Let us discuss how organizations of any size can take measures to ensure that their cyber security is top of the line.
DIGITAL ASSET IDENTIFICATION
The operational definition that we use for asset comes from ISO 55000.
According to the ISO standard, an asset is something with current or potential value to an organization that is under the organization’s responsibility.
While ISO 55000 is focused on physical asset management, this definition also applies to digital assets, including data. What makes a “critical asset” goes beyond value: a critical asset is one whose degradation in any way could severely damage the ability of an organization to continue operations.
Data is one of the single most important assets for any organization in today’s world.
However, not all data is equal in business. Every business is responsible for the data of its customers, partnerships, inventory, vendors, and its own operations. Data that flows through an organization usually includes the company’s financial data, operations data, personally identifiable data of customers, and at times classified data.
The first step to helping with data breach prevention is to identify and categorize data. While IT has insight into how your information systems are running, they do not have full insight into the operations and processes of the business as a whole. As a manager, this is where you come to their aid.
When categorizing data, it typically falls into the following groups: public, internal, classified, and regulation required. It is important to label which types of data are associated with each process in your organization. Cyber criminals often do not try to target all categories of data. At times, it could be only internal data they seek; other times, it could be internal, classified, or regulation-required data. Often, cyber criminals and insiders have very specific data they are attempting to acquire.
INSIDER THREAT PROGRAM
Insider threats are a unique security issue that each organization faces. They thus require specialized resources for addressing the problem.
This is where an insider threat program comes in. An insider threat program is an organization-wide program that features a unified vision and mission, roles, duties, and specialized training. Insider threat programs should ideally include HR, legal, IT, engineering, data owners, and department directors. Above all, the program should include only the most trusted individuals in the organization.
Insider threat programs work to establish a source of relevant information, a set of protocols, and mechanisms to detect, prevent, and respond to insider threats. Included in the insider threat program should be: a mission, a detailed budget, a governance structure, and a shared platform.
Those components cover the program’s formation; the ongoing work of the insider threat program should include:
- Compliance and Process Oversight Board: This group exists to review the organization’s as-is work processes and recommend changes to prevent insider threats before a data breach occurs.
- Reporting Mechanisms: Office politics, clique behavior, and a host of other factors can prevent an employee from reporting suspicious behavior. This is why reporting mechanisms of suspicious insiders need to be made confidential to prevent any retaliatory action against whistleblowers.
- Incident Response Plan: So you’ve identified an insider threat, and you may even have proof of a data breach from them. Do you just fire them and report them to authorities? These questions and more are clearly answered as you develop an insider incident response plan. These plans explain step by step how alerts are identified, managed, and escalated. Along with those details, you will also need to include time frames for every action and procedure.
- Specialized Training: The insider threat training details an awareness and training program for all personnel in the organization. However, people directly involved in the Insider Threat Program will receive even more specialized training to better detect and mitigate insider threats.
- Infrastructure: This component is straightforward; it is simply the infrastructure to detect, prevent, and respond to insider threats, meaning the technology that supports management’s effort to achieve its mission. The technology deployed should be reviewed regularly against the best available alternatives.
There are in total about thirteen components to a typical insider threat program. The other ones not listed include: civil liberty protections, communication framework, insider threat program supporting policies, data collection tools, vendor management, and risk management integration.
SECURITY VETTING AND MONITORING (HR)
When hiring personnel, one of the preemptive moves you can make to secure your organization is to perform a background check on the candidate. While organizations often perform these checks for cost-reduction purposes, in the context of cyber security, the hiring process is where security with personnel begins.
Some things to look out for are a criminal history and the accuracy of the candidate’s employment history. Malicious insiders, who can at times be spies, can make their way into your organization by presenting themselves as the perfect candidate.
The NIST Cybersecurity Framework recommends that an organization assign a risk level to each position.
The higher the risk level, the more trust and security prerequisites are required to work that position. When a new hire comes into a higher-risk position, they should be monitored more closely by supervisors for high-risk behavior. Additionally, any incidents should be documented and analyzed for behavior trends. Behavior analytics and risk profiling technology can be a great aid in this process.
HR should also have a termination protocol prepared for when it is time to let an employee go.
The protocol should require managers to conduct an exit interview, provide final performance appraisal, and discuss final paycheck arrangements. IT should delete all of the departing employee’s accounts.
If they are a privileged user, then IT needs to change all shared passwords. HR needs to make clear once again any intellectual property agreements to the departing employee.
HEALTHY WORK CULTURE AND MINIMIZED STRESS
Managers face the challenge of balancing employee stress levels and productivity.
Often, productivity is chosen; it could mean meeting goals that would drive anyone to high stress levels. When people are stressed, all sorts of negative things start happening, such as more mistakes, ill will towards one another, and a feeling of being ignored.
These are just a few, but even in these few, you have the perfect conditions for both negligent and malicious insider threats to flourish. To avoid these conditions, it helps to understand the most pressing challenges to developing a healthy work culture.
One challenge was mentioned above: managing productivity and stress levels. Other challenges include baselining employee productivity and understanding the costs and benefits of reducing stress. Identifying how these challenges apply to your organization will help you understand some operational process improvements that can be made.
Reducing stress may mean a new management style needs to be implemented, such as project-oriented task management. Another method of reducing stress may be to understand how you’re measuring success, key performance indicators (KPI), and how those are contributing to work culture.
An example of a harmful KPI would be a call center measuring phone calls made rather than customers landed. By measuring phone calls made, the quantity of phone calls forces employees to meet a certain goal that could contribute to poor customer service, unnecessary competitiveness, and increased mistakes.
Simply changing the KPI to customers landed also changes where the pressure is for employees. Now employees can have more meaningful interactions with customers and will be more likely to take care to ensure there are fewer mistakes.
The core takeaway from this example is to use KPIs that align with your context. Encourage thought before action. For your organization, try to identify the root causes of issues in work culture and then work to fix them.
VENDOR MANAGEMENT PROGRAM & POLICIES
While you are working to ensure your organization is secure from insider threats from employees, your vendors and business partners may not have been so diligent.
It is for this reason that you need a vendor management program. Vendor management programs are a series of protocols that are designed for accountability and monitoring between your organization and the vendors you work with. Vendor management programs are a responsibility of management. IT can only do so much, and if management is not setting some standards prior to vendor engagement, then IT will have to dedicate limited resources to mitigating vulnerabilities.
These programs are defined by four phases: definition, specification, controls, and integration.
The definition phase of a vendor management program involves identifying the vendors that are most mission-critical to your organization. Mission-critical in this context means vendors on which you rely to be successful and with which any relationship issue could have a negative impact on operations and revenues.
The next phase, specification, is concerned with appointing a security liaison for each vendor you work with. The responsibilities of this liaison are to maintain compliance knowledge, perform audits, facilitate security communications, provide training, track contracts and all documentation, and impose general oversight.
Once those two phases are covered, then comes the heavy lifting for management: the development of vendor policy and controls.
When drafting vendor policy, the document should include the right to audit security controls, a requirement for vendor compliance with monitoring, security performance reporting, and timely notification of any data breach.
By developing these policies, the security liaison will have a strong base from which to perform their duties. However, the success of the liaison is very dependent on what management requires of vendors and sets as controls in this phase.
The final phase is integration, which is primarily concerned with data collection, analysis, and validation.
Information about your supply chain should be accessible to you. Without that data, you will be unable to understand your full security position. The information collected needs to be integrated with your organization’s existing security practices and auditing procedures. Without full integration, the vendor management program becomes a side activity, which is not how you want to handle cyber security.
MANAGEMENT’S CRITICAL ROLE
Preventing insider threats is not the job of IT alone. Only with the dedicated support of management can a business best prevent insider threats.
The recommendations above are just a few ways in which management can help prevent insider threats. Leadership in an organization impacts process development, hiring practices, business relationships, and work culture.
If any one of those areas creates vulnerabilities, then the business will remain at high risk for an insider-related data breach. Managers can stay alert by following the CERT Insider Threat Center to find more resources.