Analysts and statisticians during World War 2 often analyzed the aircrafts that returned from war.
While some experts preferred to reinforce the places that had been shot, the experts who prevailed in the debate preferred to fortify specific non-damaged locations.
The evidence showed that particular regions missing the bullet holes were the areas that, when shot, caused planes to go down. The conclusion was that the bullet holes of the planes that returned proved that certain areas could be hit and still allow the jet to return.
This is known as Survival Bias, referring to the tendency to examine survivors rather than those who do not survive. The same principle can be applied to information security. Instead of applying security controls where we wish them to be or are most afraid, what’s more important is to take note of the real risks that confront an organization and optimize accordingly.
What is Insider Threat?
According to Verizon’s 2022 DBIR, 82% of breaches involve “the human element.” This isn’t an insider threat alone, but the main point is that humans cause most breaches. So, security should focus on the people problem.
One of these human factors is insider threat.
But what is that?
According to CISA, an insider is “any person who has or had authorized access to or knowledge of an organization’s resources…”
As mentioned here, “For many enterprises, the biggest risks to their data and intellectual property come from trusted insiders such as employees, partners, and contractors.“
Insider threat, aka insider Risk, is presented by anyone with approved access to a company’s assets. These threats and risks are, therefore, always present.
Is there any way around this risk? An old proverb says, ‘where there are no oxen, the stable is clean.” If you don’t want any insider threats, don’t have any people involved. Given this, there’s always an insider threat.
Types of Insider Threats
While there are many ways to present the categories and subcategories, I’ll narrow it down to two main groups of insider threats:
● Malicious (e.g., Privilege Abuse)
● Error (e.g., deletion of important files)
Motivations such as financial gain or vengeance are factors, but we won’t focus on that here.
We all make mistakes. For example, the risk of insider error in Healthcare is 2.5 times greater than maliciousness. Whatever the error, actions such as misclicks, an email inadvertently sent to the wrong person, or even a VM accidentally deleted, and in whatever the industry, one of the primary protections against error and maliciousness is a solid backup and restore process.
While error is statistically more common in some industries, an organization’s primary activity is performing its own risk analysis (you’re not just a statistic, right?). Whether through error or malicious actions, results such as deleted files, sending private emails to the wrong people, and botched software deployments can make for bad times for a company and must be included in the risk analysis.
What an insider threat looks like in real life
In 2021, two GE (General Electric) employees were fined and sentenced to federal prison for stealing trade secrets from GE from 2008 to 2019. They used the stolen data to create their own competing company. The data was leaked primarily through uploads to private repositories and personal email addresses.
In 2022, 1.5 million files were exposed via an unsecured S3 bucket. These were the PII of airport workers, including photo IDs, and this is an example of a security misconfiguration, which is #5 on the OWASP Top Ten issues.
Cost of Insider Threat
Because of all the factors involved, e.g., amount and type of data breached, legal and regulatory fines, public recompense, lost revenue, and reputation - it’s not possible to give one average to rule them all. But according to IBM’s “Cost of a Data Breach Full Report 2022,” the combined average of some leading insider threat activities – phishing, malicious, accidental data loss, and cloud misconfiguration – totals over 17 million USD.
What can be done to mitigate the risk?
Gene Spafford, renowned professor, and computer security expert, famously quipped:
“The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards - and even then, I have my doubts.”
The best way to secure a building is to lock it up, so no one gets in. The only way to make a boat go faster is to get it out of the friction of the water. The hypothetical list goes on and on, but we know it can’t be done those ways. Appropriate action that balances protection and productivity is to be taken by those who have calculated the risk.
When calculating risk, the usual formula is risk = threat x vulnerability. If you want something more complex, you could also use Risk = threat x vulnerability x information value – but we’ll keep it simpler for now.
Security Controls
Here are a few ideas for implementing the proper administrative, technical, and physical safeguards to reduce insider threats.
Attitude
The attitude must avoid treating employees like criminals while protecting the business from destructive actions. This includes thinking Left of Boom. This also called left of Bang, is a military term that means mitigating and hopefully stopping risks and threats by thinking ahead and planning, preparing, & training accordingly. It could be considered Shift-Left in SDLC and Incident Response policies and procedures.
Leadership
SecurityIntelligence notes, "Leaders must fully buy into the importance of cybersecurity; only then will they make the business decisions necessary to protect the organization." Leadership – which goes beyond the title to include influence – needs to understand and take action on the need for proper cybersecurity initiatives and implementations. Business leadership provides much-needed direction and funding.
Technical Controls
Even though we’re talking about people, solutions must include technology to keep up with the pace 24/7/365. The chosen technologies must, at minimum, provide analytics that are data-aware and intelligent, with better options, including capabilities such as behavior detection and real-time actions.
Orientation toward results
Insider threat is a reality, but so are ways to prevent and mitigate it. What’s your next step in protecting your organization? Anything is progress.