Extracts from a report co-authored by Next Peak co-founder Jim Cummings in his capacity as Senior Advisor at Oliver Wyman. Co-authors: Paul Mee, Rico Brandenburg and Matthew Gruber. This report was first published on oliverwyman.com in March 2019, where the full report is available.
Insider threat represents a growing contribution to an organization’s overall cyber risk exposure. A significant number of executives fall victim to common misconceptions about insider risk and, therefore, they typically do not believe that their organization’s own workers pose a significant threat. Even those who do find it challenging to make significant headway, as doing so requires tackling a host of thorny legal and HR issues. As a result, many organizations have underinvested in this area.
Applying data loss prevention technology, monitoring software, or compliance surveillance tools is not enough. Organizations need to scale their diligence and defenses appropriately to identify, detect and mitigate risks before they materialize or cause harm. The leaders in this area:
- Have the right level of senior stakeholder engagement,
- Use a risk-based prioritization of what to monitor and protect, and most importantly,
- Have implemented joined-up procedural arrangements with clear and tested roles and responsibilities to enable the right response when unusual behavior is identified.
Given the growing threat of insiders, it is crucial for organizations to develop an effective insider risk program. The way to success is to start small, with a focus on the highest-risk areas, and start now, as organizations simply cannot afford to ignore the threat any longer.
Taking a practical approach to insider risk
An effective insider risk program is designed to identify potential threats and prevent bad actors from carrying out malicious acts, but a program is more than just a set of controls. These are the five key elements for an effective program:
- Governance and organization: Clear articulation of the oversight and operating model
- Information sharing: Effective cross-functional interaction model to address legal, ethical, cultural, and privacy concerns, and understand what is required to “get to yes”
- Execution and program management: Processes and controls that cover the end-to-end lifecycle of insider risk management in line with the organization’s risk appetite
- Data, technology, and tools: Foundational capabilities that support the management of insider risk
- Continuous improvement: Mechanisms to integrate learnings from past events and to evolve the program in line with the changing risk exposure
An effective insider risk program not only reduces the risk associated with insiders, but it also delivers important tangential benefits for the organization. For example, collecting badge-in/badge-out data to identify suspicious activity can assist in workplace availability studies or safety during a building emergency.
GOVERNANCE AND ORGANIZATION
Define the insider risk program. Define and document an “insider risk program” with a clear mandate and vision that includes representatives from different, key functions across the organization (e.g., Cyber/Information Security, Physical Security, HR, Privacy, Legal, Compliance). Everyone involved in the program should have defined roles and responsibilities. Whether the organization creates a dedicated team for insider threat or not, a specified group should be responsible for formulating policy related to insider threat and operationalizing the program.
Engage senior leadership. Ensure executive leadership provides oversight of and input on the direction of the program. One global firm found that presenting a small number of illustrative use cases to the board of directors and executive management helped leadership provide clear guidance on the tolerance for tracking, recording, and analyzing worker behavior.
Integrate existing efforts. Identify other existing, related efforts and integrate them under the umbrella of insider threat, either directly folding them into the insider risk program or empowering the insider risk program to provide requirements to other efforts. For example, the compliance surveillance program may continue to be owned by Compliance but be required to scan for additional use cases or escalate certain incidents to the insider risk program.
Monitor, measure, and communicate success. Define what success means and develop a set of metrics to provide insight into the program’s effectiveness over time. Best-in-class organizations compile these metrics in a senior executive dashboard that is regularly updated, with drill-down capabilities to assist program leadership. Metrics encompass traditional measures of success, like outcomes of insider threat cases, and more non-traditional measures of success, like how well different functions coordinate or awareness of insider threat.
Overcome barriers to information sharing. Providing the insider risk program with access to the information needed to identify and investigate suspicious behavior usually involves overcoming a variety of legal, ethical, cultural, and privacy barriers. Organizations should define clear guidelines on the information that can be collected/shared and maintain anonymity until there is enough certainty to unmask the individual.
EXECUTION AND PROGRAM MANAGEMENT
Focus the program. Understand the organization’s highest-risk areas (“crown jewels”), identify the potential insiders (people with access), and create a set of use cases to inform prevention and monitoring based on historical events and actors’ likely motivations. One organization embarked on an enterprise-wide effort to identify the critical systems that would expose the organization to the most damage if a malicious insider had access to them.
Don’t neglect prevention. Focus on proactively preventing or minimizing insider threat, rather than simply detecting rogue employees. Some organizations actively modify roles across the high-risk population to limit the potential damage that any one employee could do. Organizations should also raise awareness on insider threat and encourage people to come forward if they observe unusual behavior.
Rigorously document and test processes and playbooks. Document a clear set of steps and criteria to determine if further investigation or action is warranted when a potential threat or malicious act is detected. The potential consequences of malicious acts (e.g., reductions in compensation, termination, change of access privileges) should be documented and standards should be in place to guide management on when to employ them. Processes should be drilled and tested, even outside of insider threat response. For example, Security and HR should regularly test processes to remove access for employees who are terminated (forced or voluntary).
DATA, TECHNOLOGY, AND TOOLS
Ingest relevant data. Gain access to a wide variety of data that can shed light on suspicious behavior. Data can be internal (e.g., badge-in/badge-out, log-in times), the result of periodic background/financial checks, or even external (e.g., social media), to the extent allowed by law.
Leverage technological solutions. Employ a data analytics platform to ingest the myriad of data being collected and identify suspicious behavior based on defined use cases. The platform should prioritize the alerts for investigation by the relevant personnel. Use a case management system to manage alerts and investigations and ensure that only the right individuals can gain access to sensitive insider threat-related information.
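As an added illustration of the kind of use-case logic such a platform runs (this is example code written for this page, not the report's or any vendor's implementation), the block below correlates constructed badge-in/badge-out records, login times and HR termination dates, covering the two use cases the report itself mentions: a terminated worker whose access was never removed, and an on-site login with no matching badge-in. The severities, field layouts and sample records are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records, not real data: badge events, login events and HR
# termination dates of the kinds the report lists as program inputs.
BADGE_EVENTS = [  # (worker, ISO timestamp, direction)
    ("alice", "2019-03-04T08:02:00", "in"),
    ("alice", "2019-03-04T17:45:00", "out"),
    ("bob", "2019-03-04T09:10:00", "in"),  # no badge-out yet: still on site
]
LOGIN_EVENTS = [  # (worker, ISO timestamp, source)
    ("alice", "2019-03-04T08:30:00", "workstation"),
    ("alice", "2019-03-04T23:50:00", "workstation"),  # hours after badging out
    ("bob", "2019-03-04T09:15:00", "workstation"),
    ("carol", "2019-03-04T10:00:00", "vpn"),  # account should have been disabled
]
TERMINATIONS = {"carol": "2019-03-01"}  # worker -> last day (access should end)

# Assumed severities; a real program sets these from its risk appetite.
SEV_TERMINATED_LOGIN = 3
SEV_LOGIN_WITHOUT_BADGE = 2


def badged_in_windows(events):
    """Pair each badge-in with the next badge-out per worker; an unmatched
    badge-in is treated as an open interval (worker still on site)."""
    open_since, windows = {}, defaultdict(list)
    for worker, ts, direction in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if direction == "in":
            open_since[worker] = when
        elif worker in open_since:
            windows[worker].append((open_since.pop(worker), when))
    for worker, start in open_since.items():
        windows[worker].append((start, datetime.max))
    return windows


def detect(badge_events, login_events, terminations):
    """Apply both use cases to every login and return alerts with the highest
    severity first, the order a case management queue would consume them in."""
    windows = badged_in_windows(badge_events)
    alerts = []
    for worker, ts, source in login_events:
        when = datetime.fromisoformat(ts)
        last_day = terminations.get(worker)
        if last_day and when >= datetime.fromisoformat(last_day):
            alerts.append((SEV_TERMINATED_LOGIN, worker, ts, "login after termination date"))
        elif source == "workstation" and not any(s <= when <= e for s, e in windows.get(worker, [])):
            alerts.append((SEV_LOGIN_WITHOUT_BADGE, worker, ts, "on-site login with no badge-in"))
    return sorted(alerts, key=lambda a: -a[0])
```

The same structure extends to further use cases by adding a severity and a predicate per case; the sort order is what makes prioritization for investigators explicit.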
Test the effectiveness of the program. Have workers mimic insiders in a form of “red teaming” to see if detection mechanisms would identify the threat. Employ threat hunting, focusing on critical assets and starting from the hypothesis that an insider has compromised those assets in some way. Team members should be responsible for capturing and cataloging the learnings from these activities and suggesting corresponding enhancements to the program.