To mitigate insider risk, focus on people and not technology
Insider risk poses the most serious threat to data and operations, yet most organizations still lack a security strategy designed to confront it.
The Ponemon Institute’s 2023 Cost of Insider Risks: Global Report found that insider risk -- whether unintentional or intentional -- has continued to rise over the past two years, and that the cost of the resulting breaches has risen with it. The 309 organizations benchmarked over a 12-month period averaged 24 incidents each, with a total average cost of $16.2 million.
Organizations are planning to address the problem, though most are still behind the curve. A recent Gartner report predicts that 50 percent of organizations will adopt a formal program to manage insider risk by 2025 while noting that, at the moment, only 10 percent of organizations have such a program in place.
How can companies go about implementing an insider risk program from scratch? It starts with understanding that insider risk is not like other cybersecurity challenges.
Focus on the People
Insider risk is not so much a technology problem as it is a people problem. After all, it involves employees, business partners and other stakeholders who are already trusted within the organization.
However, events of recent years have pushed people farther away from the center of organizations. The expansion of cloud-based infrastructures created distributed environments and greatly increased the number of network identities with access to systems. The COVID-19 pandemic led to widespread remote work, resulting in remote-access vulnerabilities -- cyberattacks targeting remote workers rose by 238 percent at the height of the pandemic. The Great Resignation followed on the heels of the pandemic, as employees demanded working conditions and schedules that fit their needs.
The majority of insider incidents were unintentional, usually caused by an insider making a genuine mistake, being outsmarted by an external attacker, or being careless or inattentive. But malicious insider attacks are also on the rise. A 2023 Insider Risk Investigations Report found that in the first half of 2022, a 20 percent increase in voluntary turnover compared with pre-pandemic levels coincided with a 35 percent jump in data theft by departing employees. Twelve percent of employees leaving a company took sensitive IP with them, including customer and employee data, health records or sales contracts.
Whether incidents are the result of mistakes or malicious intent, the key to deterring them is to focus your insider risk strategy on the people involved, giving them the tools, training and support they need rather than relying too heavily on data collection and automated alerts.
Putting a Program in Place
People are the fulcrum of insider risk. This is true regardless of whether they are the target of a phishing campaign, make an inadvertent mistake that compromises data or become a truly malicious insider. For that reason, the people who work for an organization are better insider threat sensors than any cyber tools.
Cyber tools and data, particularly those focusing on behavioral traits, do have a role in providing actionable insights. But the focus should be on supporting people, if possible, with the help of an Employee Assistance Program (EAP). Research by the National Institutes of Health has shown that EAPs help increase productivity, engagement and life satisfaction while reducing absenteeism and workplace distress. Even if a company can’t afford a full EAP, it can adopt the principles of a compassionate work environment.
An insider risk program that focuses on two-way engagement -- not only providing training but listening and responding to employee concerns -- can create a culture of communication that yields actionable, proactive insights. It can reduce the number of incidents resulting from either accidents or malicious intent.
Three steps to putting a program in place:
Get Stakeholders on Board. Insider risk is an enterprise-wide problem. Addressing it requires a cultural change, which requires complete buy-in from the top of an organization. It’s essential to establish multi-stakeholder governance from the beginning, with clearly established roles and responsibilities. The cultural change an organization needs will flow from the program, with accountability leading to better business practices and outcomes.
Establish a Cross-functional Team. Dealing with the human challenge requires a cross-functional approach where people work together to reduce risk within the framework of a strong governance plan. Teams should include employees representing human resources, the business side of the organization, compliance and cybersecurity teams and many others.
You may also consider hiring a dedicated insider risk leader whose sole focus is to proactively manage insider risk.
Know Your People, Processes and Data-driven Technology. A key to a successful program is discovery -- not just of data but also of actionable insights and policies. That information needs to be kept in living documents built on threat intelligence and designed to promote meaningful communication. Policies must strike the right balance between security and privacy, and be designed to engage employees with proactive security instructions before an incident occurs, not as a punitive measure after the fact.
Build the Right Culture for a Better Insider Risk Management Program
Companies have spent billions of dollars on combating external threats but comparatively little on understanding their insider risk. Addressing that growing problem requires a cultural change, focusing not as much on technology tools as on people, behavioral understanding and supporting employees. Focusing on employees can create a trusted workforce that benefits a company both in terms of security and productivity.
Lynsey Wolf is the i3 Investigations Team Lead at DTEX Systems, where she has worked for the last five years. She is an experienced analyst with a demonstrated history of working in the computer software industry. Her skills and experience as a seasoned insider threat investigator and researcher have led to her success in seeing, understanding, and acting on contextual intelligence using scoring frameworks proven to stop malicious actors and insider threats, including data loss, account compromise, and other types of negligent behaviors.