The recent indictment of a former National Security Agency (NSA) contractor charged with stealing highly classified documents and storing them in his home and car is the latest reminder that insider threat remains a significant risk to data security and organizational reputation.
According to the indictment, the data contained highly valuable information, including details about counterterrorism operations, intelligence collection targets, and the code responsible for more than 75 percent of the NSA’s hacking tools. Despite increased implementation of safeguards following Edward Snowden’s leak, this insider breach was still able to go on for several years undetected, demonstrating how it’s more likely that organizations will be the victims of 10,000 paper cuts rather than a single atomic event.
A 2016 Verizon Data Breach Investigations Report showed that 77% of internal breaches were deemed to be by employees, compared to just 11% conducted by external actors only. To address the weakest link – people – organizations should consider emerging threat trends, their company culture, and the mindset of the average employee.
Keep Up With the Adversary
Due to the constantly evolving threat landscape, insider threat and cybersecurity training that is performed during onboarding or only annually is not enough. For example, phishing emails have advanced from obvious scams to legitimate looking messages, which suggests the need for ongoing training. The dramatic rise in ransomware forces teams to ask, “Do we know what to do if we see a demand for bitcoin on the screen?” If not, a policy must proactively be decided, written, and disseminated to all staff.
See Something, Say Something
Employees may second guess themselves about contacting a superior regarding requests received by email in fear of seeming insubordinate or questioning their authority. Attackers prey on this deference, hoping that suspicious activity goes unreported. As a result, the Federal Bureau of Investigations (FBI) has tracked a billion dollars in actual and attempted losses worldwide through business email compromise scams where attackers posing as executives use legitimate email accounts to direct large wire transfers.
Or consider the 2016 Department of Justice breach that saw 20,000 FBI employee names released. It’s believed that the hacker accessed the system by posing as a new employee asking a help desk attendant for a token code required in dual-factor authentication. The caller knew what to ask for in terms of access, suggesting it was a legitimate request, and could have been in a position of authority as far as the attendant was aware. From the perspective of the attendant, his or her primary duty is to resolve issues, not to analyze them.
In order to have any lasting effect, a larger cultural shift in the workplace is needed – one that encourages employees to verify before taking action and to speak up when they see something suspicious.
5 Ways to Combat Insider Risk
While software and hardware installed to secure the perimeter plays an important role, it may provide a false sense of security if employees aren’t aware of the risks that those already on the inside may pose to corporate data and assets. Here are five ways to begin countering insider threat.
- There is the workplace culture you strive for, and the one that actually exists. Conduct climate surveys by a third-party industrial psychologist to clarify the workplace culture.
- Create effective messaging on cybersecurity issues, train the workforce, then test and repeat regularly.
- Tie organizational risk to real life employee risk in training. Don’t only say it’s bad for the company to lose money from intellectual property theft via insider threat; tie it all to the employee’s bottom line.
- Be consistent – what’s on paper needs to match what managers exude.
- Encourage questions. It could save you a lot of money. Employees who think they might be facing a security issue, insider or cyber, should feel reporting/questioning is a duty rather than a burden. Make this a value and you could save a lot of pain in the end.