The odds are an organization will be attacked by an external threat actor, according to most studies. Over the years, Verizon’s annual international data breach investigations report has shown on average two-thirds of data breaches come from nation-states, criminals or activists.
That means about one-third of breaches are blamed on insiders — defined as employees, contractors and partners — who have access to sensitive data.
To help CISOs face this threat, Public Safety Canada has issued a 31-page guide called Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk, aimed at making it easier for infosec leaders to structure their defences.
Insiders can have a range of motives for acting, from greed to resentment. However, insiders are also the source of accidents (including clicking on malicious links in email, uploading unprotected data to the cloud for processing and sending data files to the wrong person) and misconfigurations leading to breaches. Last year Verizon figured errors by insiders were at the heart of almost one in five (17 per cent) of breaches.
The guide has eight recommended actions under three themes: Establish a holistic approach to security; know and empower your people; and identify and protect what is critical.
At the end of each action is a list of security standards infosec pros can use to measure their efforts, from organizations such as the U.S. National Institute of Standards and Technology (NIST), the U.S. National Insider Threat Task Force (NITTF), and the International Organization for Standardization (ISO).
The eight actions are:
–Establish a culture of security;
–Develop clear security policies and procedures;
–Reduce risks from partners and third party providers;
–Implement a personnel screening life-cycle;
–Provide training, raise awareness and conduct exercises;
–Identify critical assets and protect them;
–Monitor, respond to, and mitigate unusual behaviour;
–Protect your data.
“Strengthening an organization’s security posture and building a secure environment to defend against risks is ultimately the responsibility of senior management,” the guide emphasizes.
“An organization where senior executives establish and support a strong security culture is crucial for obtaining employee buy-in and participation in maintaining a secure environment.” Ideally that means starting by appointing a senior executive accountable for the development of a company-wide security policy and program, and then creating a governance structure, including an insider risk working group, to develop an insider risk program. That program will include physical and network
Want to really be effective? Establish an organizational “pledge” to recognize the importance of security in delivering a profitable and sustainable business, says the guide.
And to make it really work, link employee and management performance to security metrics.
That’s just the start.
Most organizations will screen employees before they are hired. But the guide says those in critical infrastructure — including governments, finance, telcos, electric and water utilities, healthcare, transportation providers and manufacturers — should review and update their security screening of employees regularly (perhaps every five years) or as the situation warrants.
Employees who leave
What’s particularly important is when an employee leaves an organization there are procedures and policies to ensure that their login accounts are disabled and physical access to company premises and computer systems or data are rescinded, says the guide. “This includes having manager accountability for all termination procedures.”
In addition, if a staffer moves to a different position, their online access should be reviewed and, if necessary, changed.
While user behaviour analytics software can spot some problems, such as unauthorized access to data, there are behavioural signs to keep an eye out for as well: alcohol or substance abuse; an argumentative or combative personality at work; changes in financial situation; disregard for policies and procedures; absenteeism; unauthorized travel; and unauthorized contact with foreign representatives and/or competitors.
Arguably, the most important recommendation is that insiders be given only the access they need — also called the principle of least privilege. The guide also suggests making sure no one who has access to digital media can also access backup data.
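The offboarding, role-change and least-privilege points above lend themselves to a periodic reconciliation of the HR roster against the identity system. The following is an added example written for this article; it is not code from the guide or from Public Safety Canada. The record layout, the user names and the entitlement names ("removable-media", "backup-restore") are constructed assumptions, standing in for whatever the HR system and directory actually export. It flags four things: leavers whose accounts are still enabled, orphan accounts with no HR record, movers whose access has not been reviewed since their role changed, and accounts holding the media-plus-backup combination the guide says should not coexist.

```python
"""Constructed insider-risk access reconciliation (added example, not from the guide)."""
from dataclasses import dataclass
from datetime import date

# Entitlement names are assumptions for this example; a real directory
# would use its own group or role identifiers.
MEDIA_ACCESS = "removable-media"
BACKUP_ACCESS = "backup-restore"
# Pairs of entitlements one person should never hold at the same time
# (the guide's "no media access plus backup access" rule).
TOXIC_PAIRS = [(MEDIA_ACCESS, BACKUP_ACCESS)]


@dataclass(frozen=True)
class HrRecord:
    user: str
    status: str        # "active" or "terminated"
    role: str          # current position according to HR
    role_changed: date # date the current role took effect


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    entitlements: frozenset
    last_access_review: date  # last time a manager signed off on the access


def leavers_still_enabled(hr, accounts):
    """Terminated staff whose login is still enabled: offboarding failed."""
    terminated = {r.user for r in hr if r.status == "terminated"}
    return sorted(a.user for a in accounts if a.enabled and a.user in terminated)


def orphan_accounts(hr, accounts):
    """Enabled accounts with no HR record at all (contractors, test users, leftovers)."""
    known = {r.user for r in hr}
    return sorted(a.user for a in accounts if a.enabled and a.user not in known)


def movers_without_review(hr, accounts):
    """Active staff whose access was last reviewed before their current role began."""
    by_user = {a.user: a for a in accounts}
    flagged = []
    for r in hr:
        if r.status != "active":
            continue
        acct = by_user.get(r.user)
        if acct is not None and acct.enabled and acct.last_access_review < r.role_changed:
            flagged.append(r.user)
    return sorted(flagged)


def toxic_combinations(accounts):
    """Enabled accounts holding both halves of a forbidden entitlement pair."""
    return sorted(
        a.user
        for a in accounts
        if a.enabled and any(x in a.entitlements and y in a.entitlements for x, y in TOXIC_PAIRS)
    )


def reconcile(hr, accounts):
    """Run every check and return the findings keyed by check name."""
    return {
        "leavers_enabled": leavers_still_enabled(hr, accounts),
        "orphan_accounts": orphan_accounts(hr, accounts),
        "movers_unreviewed": movers_without_review(hr, accounts),
        "toxic_combinations": toxic_combinations(accounts),
    }


# Constructed sample data: a small HR export and the matching directory export.
HR = [
    HrRecord("alice", "active", "finance-analyst", date(2023, 1, 9)),
    HrRecord("bob", "terminated", "sysadmin", date(2021, 6, 1)),
    HrRecord("carol", "active", "backup-operator", date(2024, 3, 4)),
    HrRecord("dave", "active", "field-tech", date(2022, 2, 14)),
]
ACCOUNTS = [
    Account("alice", True, frozenset({"erp-read"}), date(2024, 1, 15)),
    Account("bob", True, frozenset({"domain-admin"}), date(2023, 1, 1)),   # left, never disabled
    Account("carol", True, frozenset({MEDIA_ACCESS, BACKUP_ACCESS}), date(2023, 12, 1)),
    Account("dave", True, frozenset({MEDIA_ACCESS}), date(2023, 5, 1)),
    Account("eve", True, frozenset({"vpn"}), date(2024, 1, 1)),            # no HR record
]

if __name__ == "__main__":
    for check, users in reconcile(HR, ACCOUNTS).items():
        print(f"{check}: {users}")
```

Each finding maps back to a named owner: leavers and orphans go to the manager accountable for termination procedures, movers to the new line manager for an access review, and toxic combinations to whoever owns the entitlement model. Running the same reconciliation on a schedule is what turns the guide's policy statements into something measurable.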
Ultimately the eight recommendations amount to risk management. “An organization’s people can be its biggest strength, or their biggest vulnerability,” the guide notes, “with motivated and accidental insiders possessing the power to cause potentially crippling effects to any organization.
“Organizations must therefore be vigilant and resilient; continuously monitor the threat landscape; meticulously plan for response and recovery activities; and implement measures to protect against incidents.”