Q. Insider threat appears to be a growing concern for senior management these days; they are getting more involved in the management of insider threat. We want to bolster our insider threat stance. What should we be considering?
A. In working with our community we see a great opportunity for corporate security to step in and help lead the response to insider threat. The first and most important step is to comprehensively define the issue for the corporation. The SEC defines insider threat as any risk posed by current or formerly trusted individual(s) with access or privileged knowledge that is used to damage, deprive, diminish, injure or interrupt organizational stakeholders, assets, critical processes, information, systems or brand reputation. Insider threats include any illegal, prohibited or unauthorized conduct (acts or omissions).
What are the risks related to insider threat and the potential impact on organizations? Only 14% of organizations have a specific internal working definition of “insider threat,” and those that do define it very broadly. Privacy and information breaches are seen as the most significant threats (94%), followed by workplace violence (67%), fraud (58%) and theft/loss/damage (53%) (Conference Board of Canada). The average cost per insider threat incident is $412,000, and the average loss per industry is $15 million over a ten-year period (RSA 2013: FBI Offers Lessons Learned on Insider Threat Detection). The typical organization loses 5 percent of revenue each year to fraud (ACFE).
What we’re hearing from our constituency is that the challenges to combating insider threat include the following:
- Unsure of the existence and extent of insider threats in their organizations.
- Gaps in safeguards being detected and exploited by an increasingly large group of empowered, trusted, and knowledgeable insiders.
- Not maintaining a sufficiently high level of assurance in the trustworthiness of people, practices, systems and programs.
- Corporate culture and the velocity of business may mask control defects.
- Dependency on an incredibly complex and risky technical environment.
- First-line managers are not aware of, or not paying attention to, the cues that indicate risky behavior and the resulting exposure.
- Assignment of high-risk jobs to people and vendors about whom little is known, resulting in an inability to detect red-flag behavior.
The prevailing approach has been early notification of an insider incident (or potential incident) and reactive mitigation. Current thinking is to identify “behavioral indicators” that point to potential problems, which allows for prevention or lower level intervention. There are now new tools and services resulting from big data analysis that are designed specifically for security risk mitigation in this area.
The SEC community is clearly proceeding towards an early identification and prevention model using a comprehensive behavioral indicators approach. Steps in that direction include the following:
- Go through a process to define the acts and actors of concern and define roles and responsibilities of key functional groups; identify your current mitigation strategies and any gaps that may exist.
- Use pervasive and persistent background screening that provides notification of criminal activity and civil court findings, which are behavioral indicators of new and emerging risk.
- Monitor Dark Web sites that specialize in stolen information, including personal information, credit card data and medical information that can be used in fraudulent activities such as assuming other people’s identities. This provides early notification of potential insider intent, or of inadvertent activity, that is creating new corporate risk.
- Combine social media monitoring with an analytic process to improve situational and organizational risk awareness, and to identify and understand the key negative influencers and activities that create brand risk for the organization.
- Obtain real-time notification of significant civil and criminal court actions, which in and of themselves are behavioral indicators of potential risk.
- Develop an executive-level organizational communications strategy and plan designed to influence executives by communicating value and return on investment.
Insider threat isn’t new, and it is not just an IT or HR issue. Theft, embezzlement, product contamination, sabotage, workplace violence, information theft and espionage are all real and ever-present insider threats that require different mitigation strategies. These are often the purview of multiple internal staff functions and may not be “connected” across the organization. Cost avoidance, identifying gaps and minimizing organizational confusion are value opportunities for the security leader on this burgeoning issue.