
Five Ways to Address Insider Cybersecurity Threats

Security chiefs spend a lot of time thinking about how to fend off attacks that come from outside their own systems, but threats from inside organizations can be just as devastating if the right measures aren’t in place.

By Dan Lohrmann / April/May

Do you see more online threats from outside or inside your organization?

I’ve asked gov tech executives that question for more than a decade, and answers have been all over the map. But lately, there is often a greater fear of insider threats.

The reasons vary. Nevertheless, security teams often feel more confident in their ability to stop external hackers than in their ability to detect and respond to internal network anomalies, or to address the online (and related offline) actions of their own staff.

In January, William Evanina, director of the National Counterintelligence and Security Center, told a gathering of cybersecurity professionals that insider threats posed the greatest risk for Americans. “We had a horrible year last year ...” he said, “with indictments, arrests, convictions of clearance-holders as well as arrests, indictments, convictions of nontraditional collectors in the private sector — theft of intellectual property and trade secrets. It was not a good year for industry or the government.”

Insider threat impacts can include theft or loss of mission-critical data, downtime of organizational productivity, damage to equipment and other assets, cost to detect and remediate systems and core business processes, and legal and regulatory impact, including litigation defense cost and lost confidence and trust among key stakeholders.

Meanwhile, the overall financial costs of insider threats keep skyrocketing.

The Ponemon Institute announced this year that the global average cost of an insider threat is $11.45 million. The frequency of insider incidents has also tripled since 2016, from one to 3.2 per organization, and the 204 large organizations surveyed (those with more than 1,000 staff) experienced a total of 4,716 insider incidents over the past year.

So what can be done? Here are five steps to help:

1. Do your homework — again. Examine the latest insider threat reports on current cyberthreat trends. Relearn the latest categories of insider threats like malicious insiders, employee and contractor negligence, and imposter risk (credential theft). Study your current policies, procedures and controls in place to mitigate these risks on issues ranging from background checks to access controls. Are they truly working? For example, check to see if security logs and alerts are processed or ignored.

2. Know where your data is. A good understanding of your data “crown jewels” is essential. Is sensitive data stored on mobile devices or desktop PCs? Or is it truly contained within protected mission-critical databases? 

3. Refresh data access control lists. Who has access to this sensitive data? Again, recheck separation of duties and privileged account lists to ensure that they are updated for entering and exiting employees. Ensure that staff who have changed roles have unneeded access removed. 

4. Consider the new generation of monitoring tools. Are your data loss prevention tools working? Is data leaking into the cloud via social media or personal email accounts? Have you considered a cloud access security broker? Keep in mind that privileged access management ranks as the second-most underused tool for reducing insider threats.

5. Enable the “good guys” by training staff. Everyone wants to find the bad apples in your organization. But paradoxically, one way to do that is to spend more time training and communicating with the good apples. Provide security awareness training and show staff what to watch out for. Think about people, process and technology risks. Security and technology teams cannot be everywhere, but if most staff are well-trained and know what to do, they will find and report bad apples (and phish). 
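One concrete form of the step 3 recheck, added here as an example and not part of the column: it compares a privileged-account export against the HR roster and the entitlements each role should hold, flagging accounts of departed staff, accounts with no HR record at all, and rights left over from a previous role. The roster, access list and role-to-entitlement map are constructed sample data.

```python
from dataclasses import dataclass, field

# Which entitlements each role is expected to hold (constructed sample).
ROLE_ENTITLEMENTS = {
    "dba": {"db_admin", "vpn"},
    "helpdesk": {"reset_passwords", "vpn"},
    "intern": {"vpn"},
}

# Constructed HR roster: user -> (status, current role).
HR_ROSTER = {
    "alice": ("active", "dba"),
    "bob": ("active", "helpdesk"),  # moved from dba to helpdesk; old rights may linger
    "carol": ("terminated", "dba"),
    "dave": ("active", "intern"),
}

# Constructed privileged-account export from the directory: user -> entitlements.
ACCESS_LIST = {
    "alice": {"db_admin", "vpn"},
    "bob": {"db_admin", "vpn", "reset_passwords"},  # db_admin is stale from the old role
    "carol": {"db_admin", "vpn"},                   # owner has left but the account remains
    "eve": {"vpn"},                                 # no HR record at all
}

@dataclass
class Findings:
    departed: set = field(default_factory=set)   # accounts whose owner is no longer active
    orphaned: set = field(default_factory=set)   # accounts with no HR record
    stale: dict = field(default_factory=dict)    # user -> entitlements beyond the current role

def review_access(roster, access, role_map):
    """Flag accounts to disable and entitlements to trim during the access review."""
    findings = Findings()
    for user, granted in access.items():
        if user not in roster:
            findings.orphaned.add(user)
            continue
        status, role = roster[user]
        if status != "active":
            findings.departed.add(user)
            continue
        # Anything granted that the current role does not call for is stale.
        excess = granted - role_map.get(role, set())
        if excess:
            findings.stale[user] = excess
    return findings

if __name__ == "__main__":
    print(review_access(HR_ROSTER, ACCESS_LIST, ROLE_ENTITLEMENTS))
```

Run this against a real directory export and HR feed on a schedule, and every non-empty finding is an item for the separation-of-duties and privileged-account review the step describes.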

In 2004, when I was Michigan’s CISO, we ran our first penetration tests from both inside and outside our state computer network. While the outside tests found serious Web vulnerabilities, the tests run inside, with the same account privileges as a student intern, succeeded in getting (unauthorized) access to the crown jewels. Ignoring insider threats is a mistake. 


Dan Lohrmann Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso