The following blog post is an excerpt from a recent GovLoop guide, Your Cybersecurity Crash Course. We solicited the GovLoop community to learn their top cyber challenges, and in the report we answer 12 of their most pressing cyber questions.
Insider threats can have severe consequences, and victim organizations face significant costs and damages. According to the FBI, the average cost per incident is $412,000, and victims lose an average of $15 million a year. Although most agencies focus primarily on external cyber threats, it is crucial to also prepare for and combat insider threats. The CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University defines an insider threat as:
A current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
Insider threats are not necessarily hackers, and they often don’t start with malicious intent. Usually a trigger event, such as a denied vacation or being passed over for a raise or promotion, initiates the threat. What’s more striking, the CERT Division of SEI at Carnegie Mellon University found that 90 percent of IT saboteurs were system administrators. Yet most security tools are designed with external hackers in mind, and hackers are not always the real threat.
For a more overarching, office-wide approach, Patrick Reidy, former chief information security officer at the FBI, offers three pieces of advice regarding insider threats:
- A good insider threat program should focus on deterrence, not detection. An employee’s work environment, regardless of job function, should discourage insiders by crowdsourcing security and deploying data-centric, not system-centric, security. With a data-centric approach, organizations can monitor how data moves across an agency and block certain actions from occurring. This gives a more holistic view of the data itself, rather than a view of one workstation or a few specific network systems, and helps create an environment in which it is difficult to become an “insider.”
- Avoid the data overload problem. In security efforts, do not get overwhelmed with data. Reidy proposes that only two sources of data are needed: HR data, to understand employees and any workplace or personnel issues, and system logs, to track what is being printed or copied off the network via USB, CD or DVD.
- Detection of insider threats must use behavior-based techniques. Detecting insider threats is very hard, like looking for “a needle in a stack of needles,” Reidy said. By using behavioral analytics, agencies can build a baseline of behavior and look for red flags — anomalies that differentiate potential insiders from innocuous employees.
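The behavioral baseline Reidy describes, built from the system logs in his second point (downloads, print jobs, copies to removable media), is straightforward to prototype. The following Python script is an added example written for this page, not code from the GovLoop guide or from Reidy; the four-field log format, the sample events, the five-day baseline window, the three-sigma rule and the byte floor are all assumptions. It builds a per-user baseline of daily bytes moved, flags days that exceed it, and falls back to a pooled population baseline for a user with too little history of their own, the case in which a purely per-user baseline would stay silent.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit log for this example (not real data). One event per
# line in an assumed format: <date> <user> <action> <bytes>. The actions are the
# data-movement events Reidy names: downloads, print jobs, copies to USB media.
SAMPLE_LOG = """\
2024-03-01 alice download 4000000
2024-03-02 alice download 5000000
2024-03-03 alice print 1000000
2024-03-04 alice download 6000000
2024-03-05 alice download 4500000
2024-03-06 alice usb 400000000
2024-03-01 bob download 50000000
2024-03-02 bob download 55000000
2024-03-03 bob download 48000000
2024-03-04 bob download 52000000
2024-03-05 bob download 51000000
2024-03-06 bob download 53000000
2024-03-06 carol usb 900000000
"""

BASELINE_DAYS = 5       # assumption: a user's earliest 5 active days form the baseline
MIN_HISTORY = 3         # assumption: fewer baseline days than this -> use population baseline
SIGMA = 3.0             # assumption: alert when a day exceeds mean + 3 standard deviations
ABS_FLOOR = 5_000_000   # assumption: never alert below 5 MB, so a flat baseline can't alert on noise


def parse_log(text):
    """Parse the assumed four-field format into (date, user, action, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            date, user, action, size = line.split()
            events.append((date, user, action, int(size)))
    return events


def daily_totals(events):
    """Bytes moved per user per day, across all monitored actions: {user: {date: bytes}}."""
    per_user = defaultdict(lambda: defaultdict(int))
    for date, user, _action, size in events:
        per_user[user][date] += size
    return per_user


def split_history(days):
    """Earliest BASELINE_DAYS active days are the baseline; later days are evaluated."""
    ordered = sorted(days)
    return ordered[:BASELINE_DAYS], ordered[BASELINE_DAYS:]


def threshold(samples):
    """Alert limit for a set of daily totals: mean + SIGMA * stddev, never below ABS_FLOOR."""
    if not samples:
        return ABS_FLOOR
    return max(mean(samples) + SIGMA * pstdev(samples), ABS_FLOOR)


def detect_anomalies(log_text):
    """Return sorted (user, date, bytes, reason) tuples for days above the relevant baseline."""
    per_user = daily_totals(parse_log(log_text))
    # Pool the baselines of users who have enough history; this is the fallback for
    # users (new hires, rarely active accounts) who do not.
    population = []
    for days in per_user.values():
        base = [days[d] for d in split_history(days)[0]]
        if len(base) >= MIN_HISTORY:
            population.extend(base)
    alerts = []
    for user, days in per_user.items():
        base_days, eval_days = split_history(days)
        history = [days[d] for d in base_days]
        if len(history) >= MIN_HISTORY:
            limit, reason = threshold(history), "exceeds personal baseline"
        else:
            # No reliable personal baseline: compare every day this user has
            # against the population instead, rather than staying silent.
            limit, reason = threshold(population), "exceeds population baseline (no personal history)"
            eval_days = base_days + eval_days
        for d in eval_days:
            if days[d] > limit:
                alerts.append((user, d, days[d], reason))
    return sorted(alerts)


if __name__ == "__main__":
    for user, day, moved, reason in detect_anomalies(SAMPLE_LOG):
        print(f"{day} {user}: {moved / 1e6:.0f} MB moved, {reason}")
```

On the constructed log this flags alice's 400 MB copy to USB on the sixth day (her baseline is a few megabytes a day) and carol's 900 MB copy (she has a single day of history, so she is judged against the pooled population), while bob's steady 50 MB working days never alert. The absolute floor matters for the opposite edge case: a user whose daily total is identical every day has a standard deviation of zero, and without the floor one byte over the mean would raise an alert.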
The CERT Division of SEI also provides 10 best practices to prevent and combat insider threats:
- Institute periodic enterprise-wide risk assessments and security awareness training for all employees.
- Implement strict password and account management policies and practices.
- Log, monitor and audit employee online actions, especially unusually large queries, downloads, print jobs or e-mails, or other suspicious behavior.
- Use extra caution with system administrators and privileged users.
- Collect and save data for use in investigations.
- Implement secure backup and recovery processes.
- Clearly document insider threat controls.
- Provide an Employee Assistance Program or other recourse for employees experiencing personal problems.
- Deactivate computer access and change passwords for all accounts upon termination, including external accounts.
- Train management on the patterns of behavior that could indicate an IT sabotage attack.
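The eighth practice, deactivating access and changing passwords on termination, external accounts included, is the one most easily verified by a script, because it fails silently: the HR record closes but an account somewhere stays open. The following Python check is an added example written for this page, not code from CERT or the GovLoop guide; the roster and account inventory are constructed, and the field names, the shared-account flag and the finding codes are assumptions. It joins the HR roster to the account inventory and reports accounts still enabled for a terminated owner, logins recorded after the termination date (evidence that deactivation came late even if the account is disabled now), shared or service accounts whose owner has left and whose credentials therefore need rotation rather than deactivation, and accounts with no owner on record at all, which an HR-driven process can never catch.

```python
from datetime import date

# Constructed HR roster for this example: person -> termination date (None = still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2024, 3, 1),
    "carol": date(2024, 2, 15),
}

# Constructed account inventory spanning internal and external systems. Field names
# are assumptions: "owner" ties the account to a roster entry, "shared" marks service
# or team accounts whose credentials must be rotated rather than the account disabled.
ACCOUNTS = [
    {"system": "ad", "name": "alice", "owner": "alice", "shared": False,
     "enabled": True, "last_login": date(2024, 3, 10)},
    {"system": "ad", "name": "bob", "owner": "bob", "shared": False,
     "enabled": False, "last_login": date(2024, 2, 28)},
    {"system": "vpn", "name": "bob", "owner": "bob", "shared": False,
     "enabled": True, "last_login": date(2024, 3, 4)},
    {"system": "saas-crm", "name": "carol@example.gov", "owner": "carol", "shared": False,
     "enabled": True, "last_login": None},
    {"system": "ad", "name": "svc-backup", "owner": "carol", "shared": True,
     "enabled": True, "last_login": date(2024, 3, 9)},
    {"system": "vpn", "name": "contractor7", "owner": "dave", "shared": False,
     "enabled": True, "last_login": date(2024, 3, 11)},
]

AS_OF = date(2024, 3, 12)  # assumption: the day the reconciliation runs

ENABLED = "ENABLED_AFTER_TERMINATION"
LATE_LOGIN = "LOGIN_AFTER_TERMINATION"
ROTATE = "SHARED_ACCOUNT_NEEDS_ROTATION"
NO_OWNER = "NO_OWNER_ON_RECORD"


def offboarding_findings(roster, accounts, today):
    """Return sorted (system, account, finding) tuples for accounts that should have been
    deactivated or rotated by `today` according to the HR roster."""
    findings = []
    for acct in accounts:
        if acct["owner"] not in roster:
            # Nobody in HR owns this account, so no termination will ever trigger its removal.
            findings.append((acct["system"], acct["name"], NO_OWNER))
            continue
        term = roster[acct["owner"]]
        if term is None or term > today:
            continue  # owner still employed, or the termination date has not arrived yet
        if acct["shared"]:
            # A departed person knew this credential: the account survives, the secret must not.
            findings.append((acct["system"], acct["name"], ROTATE))
            continue
        if acct["enabled"]:
            findings.append((acct["system"], acct["name"], ENABLED))
        last = acct["last_login"]
        if last is not None and last > term:
            # Even if disabled now, a login after the termination date means it was disabled late.
            findings.append((acct["system"], acct["name"], LATE_LOGIN))
    return sorted(findings)


if __name__ == "__main__":
    for system, name, finding in offboarding_findings(HR_ROSTER, ACCOUNTS, AS_OF):
        print(f"{system:9} {name:20} {finding}")
```

Run against the constructed data, the check is quiet about alice (still employed) and about bob's directory account (disabled before his termination date), but reports bob's VPN account twice, once for still being enabled and once for the login three days after he left; carol's SaaS account, which the internal offboarding checklist missed; the backup service account whose password carol knew; and a contractor VPN account that no one in HR owns.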
Insider threats present potentially catastrophic risks for all organizations, no matter what sector. But preparation, awareness, training, periodic assessments and the implementation of security measures and strategies can decrease an organization’s vulnerability.
To learn more about cybersecurity, be sure to check out the report: Your Cybersecurity Crash Course