Insider Threat: The Risk Within
Organisations’ critical assets, both digital and physical, are becoming more and more exposed through increased connectivity, global regulatory requirements, emerging science, joint ventures, shifting demographics and potential security weaknesses within a complex multinational supply chain.
Across industries, organisations typically have safeguards and policies to prevent and detect external threats, but very few apply the same considerations to insider risk.
The natural tendency is to assume that colleagues in a work environment do not wish to harm an organisation. Whilst this may have been the case historically, the Insider Threat Spotlight Report for 2015 by Information Security and Crowd Research Partners found that a majority of security professionals (62%) had seen a rise in insider attacks over the preceding 12 months.
Indeed, the EU Agency for Network and Information Security reported in August 2016 that the most expensive attacks are those orchestrated by insiders. This appears consistent with the findings of the Detica Report on the Cost of Cybercrime in 2011, which estimated the cost of intellectual property and trade secret compromise at £9.2bn per year.
There is no industry recognised definition for insider threat, and it will likely be interpreted differently for each organisation.
That said, security practitioners generally see it as applying to any current or former employee, contractor or business partner who has, or had, authorised access to an organisation’s network systems, data or premises, and uses that access to compromise the confidentiality, integrity or availability of those systems, data or premises, whether with malicious intent or not. Insider threats can include fraud, theft of intellectual property or trade secrets, unauthorised trading, espionage and IT infrastructure sabotage.
- Calculating Risk
Protection of assets should not be cost prohibitive. A balanced relationship between business enablement and business protection is achievable with careful consideration and understanding of the threat, and implementation of appropriate controls to mitigate it.
Consideration of the threat posed to an enterprise’s crown jewels starts with knowing what they are and who has access to them. Insider risk is not purely a technology problem: while systems may be used to compromise or steal, the risk itself is a business issue. To appreciate the full range of risk reduction strategies, we must therefore consider how threat is calculated and how it relates to the risk scoring methodology.
A threat’s severity is calculated from the relationship between an individual’s or group’s intent to cause harm and their capability to do so, with a threat score allocated between low and high on an inverse sliding scale between these two factors.
When considering risk, we take the threat score and weigh the likelihood that the threat can actually occur against the harm that would be caused if it did. In other words, what controls are already in place to prevent medium and high threats from being realised? This methodical approach allows an organisation’s management team to make an informed assessment of the risk to their business and of the decisions that define their approach. It prevents unnecessary financial outlay and controls from being implemented, and helps to identify controls that can be removed, resulting in financial savings and informed budget decisions.
To conduct an overall assessment of its risk from an insider act, an organisation needs a clear picture of its control environment; in essence, a maturity assessment of its controls landscape viewed through an insider risk lens.
- The Human Element
An insider threat programme is far more than a technical programme.
Given the nature of insider threats, the human behaviour element is just as important as the technology controls. This is not about watching individuals, but about tracking high value assets, preventing loss and, when a compromise does occur, investigating effectively so that it can be mitigated successfully.
To achieve this, consideration of the human behaviour risk must be embedded in an organisation’s control framework – from policy making, to information governance, monitoring and escalation procedures, background screening and consequence management.
EY’s Insider Threat services help organisations develop an integrated risk management programme to protect their critical assets against insider threats.
They offer a process, people and technology approach to managing this risk and can use analytical tools to provide robust management information.
The framework is a progression in managing insider risk, and consists of a set of characteristics that classify an organisation’s capabilities to detect insider threats. It reflects leading practices from both private and public sectors, and incorporates relevant industry standards. It provides a benchmark against which an organisation can evaluate its insider threat programme and set goals and priorities for improvement.