It’s more crucial than ever for agencies to mitigate insider risk
Transitional periods — even those spurred by a desire for greater cybersecurity — tend to increase insider risk.
Cybersecurity is paramount for federal agencies, which is precisely why there is so much change on the horizon. To start, federal civilian agencies must adopt at least some level of zero trust architecture by next fall, per the White House Office of Management and Budget. The Defense Department, meanwhile, plans to make zero trust its baseline by 2027. New software supply chain security requirements are also going into effect. Altogether, we’re in a tremendously transitional period for the federal government.
Long term, these changes are savvy to say the least — they will undoubtedly strengthen agencies’ cybersecurity postures against a growing list of threats. In the near term, all the changes taking place have the potential to increase human error, whether caused inadvertently or maliciously by a trusted insider. In addition to planning for the future, agencies must take the proper steps to remediate insider risk today. Let’s take a closer look at what that means in practice.
Understanding insider behavior
Insider risk has always been a top concern for federal agencies, as about 30% of breaches in the public sector are the result of insider activity. With agencies continuing to focus on the adoption of the aforementioned federal cybersecurity guidelines, it’s more critical than ever to mitigate insider risk, especially since the pivot to remote and hybrid work environments in the wake of the pandemic.
The most effective way to reduce the threat of insider risk is through an insider risk management program that enables agencies to collect, explore and utilize behavioral analytics, providing them with insight on how users are interacting with their most critical data. This approach takes advantage of the power of analytics to seamlessly ingest data (structured and unstructured) from multiple data sources, then run in-depth analytics on that data to identify patterns and risky behaviors. Whether an employee starts stockpiling sensitive agency data or accidentally compromises classified information, an agency needs to know what’s at stake and what to do about it.
To that end, a key component of behavioral analytics is the creation of a dynamic risk score for every user at the agency in question. These risk scores are updated in real time as behavior changes. For example, if a user begins to transfer sensitive data to personal cloud storage, their low risk score will spike to high. Naturally, the risk score is also dependent on a given employee’s level at the company and the sensitivity of the data they have access to. If an action spikes a user’s risk score but is determined to be non-malicious, the risk score will decrease accordingly.
Maintaining employee trust
The mitigation of insider risk must be done carefully, though. If agencies fail to protect employee privacy and maintain a culture of trust, their program may unintentionally worsen insider risk instead of reducing it. When deploying behavioral analytics, for instance, agencies should seek input across the organization and collaborate closely with stakeholders, particularly those in legal and governance, risk and compliance (GRC) functions. Relatedly, the insider risk program must be transparent to the end-user while preserving the user experience.
One component of transparency is understanding what data should not be included in an analysis. For example, behavioral analytics should include users’ successful and attempted logins to access various agency systems or data but should not include data from external personal websites like bank accounts or social media. With granular policy controls, secure ingest streams, and centralized auditing in place, agencies can remain compliant with data privacy industry best practices to collect and examine only authorized information.
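The dynamic risk score described under "Understanding insider behavior" and the data-scoping rule above can be combined in one small engine. This is an added sketch, not code from the article or from any product; every source name, weight, role factor and threshold in it is an assumption chosen for illustration.

```python
from dataclasses import dataclass, field

# Every source name, weight and threshold here is constructed for illustration.
IN_SCOPE_SOURCES = {"agency_sso", "agency_dlp"}        # authorized collection only
EVENT_WEIGHT = {"login_ok": 0, "login_failed": 2, "upload_personal_cloud": 40}
SENSITIVITY = {"public": 0.5, "internal": 1.0, "sensitive": 2.0}
ROLE_FACTOR = {"staff": 1.0, "privileged_admin": 1.5}

@dataclass
class UserRisk:
    role: str
    contributions: dict = field(default_factory=dict)   # event id -> points

    @property
    def score(self) -> float:
        return min(100.0, sum(self.contributions.values()))

    @property
    def level(self) -> str:
        return "high" if self.score >= 60 else "medium" if self.score >= 25 else "low"

class RiskEngine:
    def __init__(self):
        self.users, self.audit = {}, []   # audit holds decisions, never content

    def ingest(self, ev: dict) -> bool:
        if ev["source"] not in IN_SCOPE_SOURCES:
            self.audit.append((ev["id"], "dropped_out_of_scope"))
            return False
        user = self.users.setdefault(ev["user"], UserRisk(ev["role"]))
        user.contributions[ev["id"]] = (
            EVENT_WEIGHT.get(ev["type"], 0)
            * SENSITIVITY.get(ev.get("data_class", "internal"), 1.0)
            * ROLE_FACTOR.get(user.role, 1.0))
        self.audit.append((ev["id"], "scored"))
        return True

    def clear_as_benign(self, user: str, event_id: str) -> None:
        # Analyst review found the action non-malicious: remove its contribution.
        self.users[user].contributions.pop(event_id, None)
        self.audit.append((event_id, "cleared_non_malicious"))

SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"id": "e1", "user": "u1", "role": "staff", "source": "agency_sso", "type": "login_failed"},
    {"id": "e2", "user": "u1", "role": "staff", "source": "personal_social_media", "type": "post"},
    {"id": "e3", "user": "u1", "role": "staff", "source": "agency_dlp",
     "type": "upload_personal_cloud", "data_class": "sensitive"},
]
```

Replaying `SAMPLE_EVENTS` through `RiskEngine.ingest` drops `e2` before scoring, moves `u1` from low to high on `e3`, and `clear_as_benign("u1", "e3")` returns the score to low while the audit trail keeps all three decisions.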
In addition to taking such steps to safeguard privacy, it’s also important to communicate those measures directly to employees. Agencies should understand the vision and strategic goals of the insider risk program, what an example of relevant risky behavior (inadvertent or malicious) looks like, and how employees are a critical part of the solution.
To ensure a clear line of communication, agencies should engage employees at all levels to participate in brown bag sessions, town hall meetings, insider risk awareness trainings, and other personnel activities. If employees see there is complete transparency, there’s far less of a chance that the insider risk program will accidentally undermine its own aims by hurting employee trust.
The bottom line
Transitional periods — even those spurred by a desire for greater cybersecurity — tend to increase insider risk. As agencies shift their focus to meet the outlined zero trust requirements, they need to ensure they are proactively mitigating insider risk at the same time. The good news is that these efforts are all pointed in the same general direction. Insider risk management can support zero trust security and, when implemented properly, improve employee trust. The key is to collect, explore and gain insight through behavioral analytics with full transparency – and do so today.
Michael Crouse is director of enterprise user and data protection at Everfox.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.