Agencies and private-sector companies invest considerable resources defending themselves against external cyber threats, but insiders with legitimate access pose just as great a risk to organizations that have no strategy in place to defend against them.
In response to this threat, Brian Harrell, the assistant director for infrastructure security at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said the agency expects to release an insider threat guidebook for the private sector next month.
“There’s no doubt in my mind that today we have individuals at work within our organizations that have the institutional knowledge as to how to bring us to our knees,” Harrell said at CISA’s Cyber Summit last month.
While DHS will soon roll out this insider threat roadmap for industry, security experts have said major organizations should already have an insider threat plan in place.
Randy Trzeciak, the director of the Insider Threat Center at Carnegie Mellon University’s Software Engineering Institute, said an agency or industry insider threat program should start with identifying an organization’s critical assets – in other words, identifying what technologies, facilities and people need the most protection.
Drilling down into those details, organizations can assign different levels of risk to traditional full-time employees, part-time employees, subcontractors, trusted business partners, cloud service providers, supply chain providers and other entities with authorized access to critical assets.
“You have insiders that have been granted authorized access, and your goal should be to prevent, detect, and to respond as efficiently as possible to insider threats to those critical assets,” Trzeciak said.
Mark Weatherford, a global information security strategist for Booking Holdings, said identity management plays a key role in curbing insider threats, and allows organizations to detect when a user attempts to access facilities or networks that they wouldn’t ordinarily access during the course of their workday.
“It’s really about giving the right person the right access to the right things at the right time, and we have technologies today that allow us to do this with a very low lift,” Weatherford said.
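The identity-management point above (detecting when a user reaches for facilities or network resources they would not ordinarily touch, or does so at an unusual hour) can be illustrated with a small baseline-and-deviation check. The following is an added example written for this page, not code from the article or from any of the organizations quoted in it; the log format, user names, resource labels and the hour-window heuristic are all constructed assumptions.

```python
"""
Added example (not from the article): a toy insider-access anomaly check.
It builds a per-user baseline of the facilities and network resources each
identity normally touches, plus the user's usual working-hour window, then
flags access attempts that fall outside that baseline. All log lines, user
names and resource labels below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical access log: timestamp, user, resource, outcome.
BASELINE_LOG = """\
2019-09-02T08:05:00 alice badge:lobby allow
2019-09-02T08:07:00 alice vpn:corp allow
2019-09-02T09:10:00 alice share:finance allow
2019-09-03T08:12:00 alice badge:lobby allow
2019-09-03T17:40:00 alice vpn:corp allow
2019-09-02T06:55:00 bob badge:substation-3 allow
2019-09-02T07:10:00 bob scada:hmi-3 allow
2019-09-03T06:58:00 bob badge:substation-3 allow
2019-09-03T15:20:00 bob scada:hmi-3 allow
"""

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = """\
2019-09-10T08:03:00 alice badge:lobby allow
2019-09-10T23:15:00 alice vpn:corp allow
2019-09-10T23:20:00 alice scada:hmi-3 deny
2019-09-10T07:02:00 bob badge:substation-3 allow
"""


def parse(log_text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, outcome = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "resource": resource, "outcome": outcome})
    return events


def build_baseline(events, hour_slack=1):
    """Per-user set of resources seen and an (earliest, latest) hour window,
    widened by hour_slack on each side so ordinary variation is not flagged."""
    resources = defaultdict(set)
    hours = defaultdict(list)
    for e in events:
        resources[e["user"]].add(e["resource"])
        hours[e["user"]].append(e["time"].hour)
    baseline = {}
    for user in resources:
        lo, hi = min(hours[user]), max(hours[user])
        baseline[user] = {"resources": resources[user],
                          "hours": (max(0, lo - hour_slack),
                                    min(23, hi + hour_slack))}
    return baseline


def find_anomalies(baseline, events):
    """Return (event, reasons) for every access attempt outside the baseline.
    Denied attempts are reported too: a failed reach for a resource is itself
    a signal worth reviewing."""
    findings = []
    for e in events:
        reasons = []
        profile = baseline.get(e["user"])
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if e["resource"] not in profile["resources"]:
                reasons.append("resource not in user's normal set")
            lo, hi = profile["hours"]
            if not lo <= e["time"].hour <= hi:
                reasons.append("outside normal hours")
        if e["outcome"] != "allow":
            reasons.append("attempt was denied")
        if reasons:
            findings.append((e, reasons))
    return findings


def run():
    """Build the baseline from the historical log and score the new events."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return find_anomalies(baseline, parse(NEW_EVENTS))


if __name__ == "__main__":
    for event, reasons in run():
        print(event["time"], event["user"], event["resource"],
              event["outcome"], "->", "; ".join(reasons))
```

Run as-is, the script flags alice's late-night VPN login and her denied attempt on an operational-technology resource she has never used, while routine badge and VPN activity within each user's normal pattern passes silently. A real program would replace the min/max hour window with a per-weekday profile and feed findings to the HR, physical-security and legal stakeholders the article describes rather than to a console.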
Cathy Lanier, the Chief Security Officer for the National Football League and former chief of D.C.’s Metropolitan Police Department, said her current role requires her to take a converged approach to insider threats by bringing together physical security and cybersecurity personnel.
“The cybersecurity folks all want to use tools. The physical security folks all just want to go after and hunt down the bad guy. And what we want them all to do collectively is proactively prevent the bad guy from getting to us to begin with,” Lanier said.
Frank Cilluffo, the director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, said the risk agencies and industry face from insider threats can’t be overestimated.
“The greatest breaches of the past decade have been insider threats, more so than externally driven threats … the trusted insider has caused more harm to our national security from a theft of information and an intelligence perspective than anyone on the outside has,” Cilluffo said.
Stan Partlow, the vice president and chief security officer at American Electric Power, said managing insider threats is a matter of preparing for when — not if — it happens.
“The idea of preventing this is the proverbial unicorn. We’re not going to prevent it, because we allow these folks to have access to all of these areas. It’s the most difficult challenge that any organization can face, because they’re trusted,” Partlow said.
While cybersecurity plays a significant role in any insider threat program, Trzeciak said leadership from other parts of the organization also needs to play a role.
“Information technology has a seat at the table, but equally important are other parts to the organization … human resources, personnel security, your general counsel within your organization. Physical security should be involved as well, as well as the other key stakeholders to really integrate this into your enterprise-wide risk program,” Trzeciak said.