The world has changed. The Internet has allowed organizations to be more connected with employees, contractors and business partners than ever before. The modern-day business processes of remote access and increased communication leave organizations more vulnerable to attack. Many organizations have hardened defenses against outside hackers but have ignored the threat posed by their own employees and business partners. The insider threat has grown exponentially.
Whether corporations, governments, private entities, health care providers or others, insider threat is an increasing problem for every organization. In the past, insider threats mostly targeted payment functions by a lone trusted employee. But today, organizations are collecting more day-to-day information without realizing the liability this information may pose. With the monumental increase in storage, the risk of data exposure or the holding of information for ransom has significantly increased.
We tend to have trust in our fellow employees, contractors and business partners that we work closely with because we share the same mission and goals. We expect everybody in the organization to be trustworthy. We don’t expect fellow employees to deliberately do disloyal acts that harm our organization. We expect betrayal from enemies, not from our peers. Motivations have expanded from simple greed to feelings of injustice, revenge, entitlement, attention, validation or to hiding poor performance.
According to a study by IBM X-Force® Research2016: Cyber Security Intelligence Index, insider threats account for more than 60 percent of all intrusions. The attacks are becoming more and more sophisticated because insiders have intimate knowledge of their organization’s controls and weaknesses. Improper activities performed by rogue employees or contractors can be difficult to detect and often can circumvent controls designed to catch them. Most violations are not discovered until sometime long after the incident took place. The disaffected insiders can completely shut down operations or can simply impede an organization from accomplishing its mission. Insiders can cause financial loss or public exposures of sensitive information that places customers or business partners at risk.
Insight by the Anomali: Justice Department, DODIN, DHS and IT-ISAC explore cyber threat intelligence in this free webinar.
In the case with government agencies, insider attacks can place citizens or the nation as a whole at risk. The two most famous insiders are Edward Snowden and Chelsea Manning. They caused havoc for U.S. foreign and domestic policy and strained relationships with our allies. Nonetheless, our awareness of tech savvy insider threats is in its infancy.
It is also apparent from the Office of Personal Management’s (OPM) breach of 21.5 million people’s background and personal information that a compromise of an operational system can have grave consequences. Rep. Jim Langevin (D-R.I.) stated, “One of the things I was really upset about with the OPM breach is the director of the agency clearly didn’t understand the value of the data they were charged with protecting.”
In 2011, President Barack Obama issued an executive order for all agencies to develop an insider threat program for classified systems. Of course, classified systems need the strongest protections, but there are no executive orders or regulations that require insider programs for non-classified systems. Many non-classified e-mail, document and business systems store valuable information that should have strong protection. Many e-mail, document and business systems configurations have not been hardened since these systems were installed and have not been reevaluated for the new insider threats that exist in today’s world.
Of course, classified systems need protecting but non-classified systems such as e-mail, documents, business and operational systems deserve similar protection. Agencies must clearly understand the value of the data they are charged with protecting. They must re-evaluate the risk to these systems to determine how they can be misused or exploited.
As a start, agencies must clearly document and consistently enforce policies and controls, enforce separation of duties and least privilege, implement access restrictions and monitoring capabilities for privileged users.
Security is a dynamic discipline which changes quickly to address new threats. The security boundary has expended to outside your physical walls, to teleworkers and to third-party providers. The demand for Internet access is increasing for employees and contractor need to access to Gmail, Facebook, Instagram job-posting, Craigslist and shopping sites, etc. Agencies must stay vigilant, patch promptly, decommission unsupported software, segment networks, and white and black listing software.
There are some fundamental controls that can be implemented to help to reduce the risk of insider threats:
This increase in insider threats must be met with an increase in the vigilance of our security. If you have not re-evaluated your protection of your e-mail, document and business system in the last two years, you are at a greater risk.
George Fallon CPA, CISA, CGFM is retired partner from CliftonLarsonAllen with 30 years of experience in IT auditing of large complex agencies.