The insider threat has many faces and can surface in myriad ways. While we need to watch for malicious insider activity, we also need to take responsibility for ensuring that our ordinary users, those who do not act with malicious intent, are not compromising our data and assets inadvertently. To improve the way we prevent and handle insider threats, we have outlined a few key steps that you can, and should, take within your existing cybersecurity program.
The first step in preventing the insider threat is to know what you are protecting. Without a clear picture of where your critical assets and data reside, efforts to improve your data security posture are futile. Use a configuration management database and an asset management system to track the location and state of your assets. Create a classification scheme for your data using factors such as its importance to business objectives, its sensitivity (think intellectual property), and its access requirements (public versus private, or role-based, for example). It will be very difficult to write data security policies that state what may be done with data, where it should reside, and how it should be handled if you do not have a handle on the data itself.
Once you understand your environment, you can develop security policies and standards geared toward preventing, containing, and mitigating the insider threat. Policies lay out the ground rules for users that stop them from putting your data at risk; standards spell out how those rules are implemented. For example, a policy should tell users that they must not move critical data on USB sticks, and a standard should describe how system administrators build file servers and implement access control. An insider threat response plan is also required as part of the program; after all, you need to know how you will respond when someone violates a policy or fails to comply with a standard. Finally, make sure someone is accountable for the program's well-being. Your CISO, or the manager in charge of governance, risk and compliance, is the best candidate to oversee it.
Data security, with regard to the insider threat, ultimately revolves around your users. You implement cybersecurity controls to protect your users, and to keep them from making mistakes or intentionally stealing your data. Your policies are written with the protection of your users in mind. Your users are your greatest asset, and potentially your biggest threat. With that in mind, improving your data security posture means educating your users. Make sure they understand the insider threat; empower them, and let them know that they play a central role in mitigating insider threats and bolstering your data security. Use a learning management system to deliver insider threat training and track completion. Awareness training with a sign-off is also a useful way to enforce your policies, since the user has committed to the company that they understand the insider threat and will do what they can to prevent it.
Educating your users is a good foundation for preventing the insider threat, but you still need insight into what they are doing, and extra safeguards to make sure they do not stray from the path. User behaviour analytics (UBA) and data loss prevention (DLP) solutions are handy controls here. UBA can be the catalyst for managing the insider threat and protecting your data, especially once you have a data classification scheme and role-based access controls on your assets and data. UBA learns each user's normal patterns and alerts you when behaviour deviates from them. Feeding it context from your policies and standards, such as which roles may touch which classifications, makes its output more accurate and reduces false-positive alerts. DLP sensors bolster your data security posture by monitoring data in motion (on the network), data at rest (databases and file shares), and data in use (on workstations) to detect attempts to exfiltrate your data. The downside of DLP is that it provides little value unless you understand your data and have classified it appropriately: a sensor can only act on labels that exist.
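To make the point about context concrete, here is an added example (not code from the original article or from any vendor's product) of a minimal UBA-style check run over constructed file-access events. The role names, classification labels, access policy and weights are hypothetical, and the events are generated inline rather than taken from real telemetry. It compares a volume-only baseline against one that uses the classification scheme and role-based access policy as context: the same spike on public data that trips the naive check stays quiet in the contextual one, while a single out-of-role read of confidential data, invisible to a volume check, is flagged.

```python
"""UBA-style anomaly detection with and without data-classification context.
Added illustration; all events, roles and labels below are constructed."""
import statistics
from collections import defaultdict


def _build_events():
    """Constructed sample: each event is (day, user, role, resource, classification)."""
    events = []
    # alice (finance) touches ~5 confidential ledgers a day for 7 days, then 40 on day 8
    for day in range(1, 8):
        events += [(day, "alice", "finance", f"ledger-{i}.xlsx", "confidential") for i in range(5)]
    events += [(8, "alice", "finance", f"ledger-{i}.xlsx", "confidential") for i in range(40)]
    # bob (engineer) reads ~10 internal design docs a day, then 60 public policy docs on day 8
    for day in range(1, 8):
        events += [(day, "bob", "engineer", f"design-{i}.md", "internal") for i in range(10)]
    events += [(8, "bob", "engineer", f"policy-{i}.pdf", "public") for i in range(60)]
    # carol (contractor) reads 3 public docs a day; on day 8 she also opens one confidential file
    for day in range(1, 9):
        events += [(day, "carol", "contractor", f"faq-{i}.html", "public") for i in range(3)]
    events.append((8, "carol", "contractor", "ledger-0.xlsx", "confidential"))
    return events


EVENTS = _build_events()

# Hypothetical role-based access policy: which classifications each role may read.
ROLE_MAY_READ = {
    "finance": {"public", "internal", "confidential"},
    "engineer": {"public", "internal"},
    "contractor": {"public"},
}
# Hypothetical weight of one access by classification; public data adds nothing to the score.
CLASS_WEIGHT = {"public": 0, "internal": 1, "confidential": 3}


def _is_anomalous(history, today, z=3.0):
    """Flag `today` if it exceeds the baseline mean by z standard deviations.
    A floor of 1.0 on the deviation keeps a perfectly flat baseline from alerting on noise."""
    if len(history) < 2:
        return False
    mean = statistics.fmean(history)
    std = max(statistics.pstdev(history), 1.0)
    return today > mean + z * std


def _per_user_day(events, score):
    """Return {user: {day: total}} where score(event) is one event's contribution."""
    table = defaultdict(lambda: defaultdict(float))
    for ev in events:
        day, user = ev[0], ev[1]
        table[user][day] += score(ev)
    return table


def naive_uba(events, last_day):
    """Volume-only UBA: alert when a user's access count on last_day is anomalous."""
    counts = _per_user_day(events, lambda ev: 1)
    alerts = []
    for user, by_day in counts.items():
        history = [c for d, c in by_day.items() if d < last_day]
        if _is_anomalous(history, by_day.get(last_day, 0)):
            alerts.append((user, "volume spike"))
    return sorted(alerts)


def contextual_uba(events, last_day):
    """UBA with classification and RBAC context: an out-of-role read always alerts;
    volume is weighted by classification so a spike on public data stays quiet."""
    alerts = set()
    for day, user, role, resource, cls in events:
        if day == last_day and cls not in ROLE_MAY_READ[role]:
            alerts.add((user, f"out-of-role read of {cls} data: {resource}"))
    weighted = _per_user_day(events, lambda ev: CLASS_WEIGHT[ev[4]])
    for user, by_day in weighted.items():
        history = [s for d, s in by_day.items() if d < last_day]
        if _is_anomalous(history, by_day.get(last_day, 0.0)):
            alerts.add((user, "weighted-volume spike on classified data"))
    return sorted(alerts)


if __name__ == "__main__":
    print("naive     :", naive_uba(EVENTS, 8))
    print("contextual:", contextual_uba(EVENTS, 8))
```

Run as-is, the naive check flags alice and bob (bob's 60 public policy downloads are a false positive), while the contextual check flags alice and carol (carol's single confidential read is the case a volume threshold can never see). A real deployment would build baselines from weeks of telemetry and take the weights and role sets from the classification scheme and access model described earlier, but the shape of the decision is the same.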
Once your procedural controls (policies and standards) and technical controls are in place, make sure they keep evolving. Test your insider threat management program through table-top exercises, run awareness training and testing annually (if not more often), and perform vulnerability assessments and configuration reviews to confirm that your technical controls are current and tuned. Putting the controls in place is only half the battle; the real work is keeping them tuned so that they actually detect insider threats and enhance your data security.
The insider threat is not going anywhere any time soon, largely because few organisations address it explicitly within their cybersecurity programs. While it is tempting to fold the insider threat into your cyber incident response program, it needs its own attention. Specialised programs, standards, and technical controls to bolster your data security posture are requisite in this day and age. It may be a lot of work, and it may be expensive, but enhancing your insider threat and data security programs will prove invaluable should a malicious actor get their hands on your data.