Categories
Article

Snapshot of INSIDER THREATS Within The Healthcare Sector

Snapshot of INSIDER THREATS Within The Healthcare Sector

As we know, Insider Threat affects both the public and private organisations. Insider threats are one of the biggest security challenges that the Healthcare industry faces. In fact, in a recent Forbes article, it indicated that 58% of healthcare systems breach attempts involve inside actors, which makes this the leading industry for insider threats today.

One of the most compelling insights is how quickly healthcare is becoming a digitally driven business with strong growth potential. However, what’s holding its growth back, is how porous healthcare digital security is. Not to mention the sheer confidential, sensitive and highly valuable information that these organisations possess, makes it easy for a clumsy or a malicious insider to compromise security and potentially cause massive harm.

Forbes went on to say that around 66% of internal and external actors are abusing privileged access credentials to access databases and exfiltrate proprietary information.

Insider Threat Example

A former Dallas Hospital guard built a botnet, using the hospital network, to attack rival hacking groups. The individual was eventually caught after he filmed himself staging an “infiltration” of the hospital network and then posted it on YouTube for public viewing. The video clearly shows the individual using a specific key to “infiltrate” the hospital, which revealed his identity as Jesse McGraw, a night security guard of the building. The investigation revealed that McGraw had downloaded malware on dozens of machines, including nursing stations with patient records. Additionally, he installed a backdoor in the HVAC unit, which, if failed, would have caused damage to drugs and medicines and affected hospital patients during the hot Texas summer. McGraw pled guilty to computer tampering charges and is serving a 9-year sentence in addition to paying $31,000 in fines.

Overview of Insider Threats Within The Healthcare Sector

The CERT Insider Threat Centre (NITC) contains over 2,000 insider threat incidents which is used as a foundation for their empirical research and analysis in this article. In total, CERT identified 88 malicious insider incidents mapped to 91 healthcare organisations that were directly victimised in the attack. Of the victim organisations, Health Network make up the largest subsector. These are the networks of hospitals and medical centres that are dedicated in bringing healthcare to specific regions.

Interestingly, 20 victim organisations indirectly employed the insider in some sort of trusted business partner relationship or non-regular full-time employment (e.g. contractors).

As the chart below shows that Fraud is the most frequent insider threat incident type accounting for about 76% of all incidents. Within these fraud cases, we generally see individuals with access to patient payment records taking advantage of their access to customer/patient data to create fraudulent assets such as credit cards in order to make a profit.

Insider Fraud Incidents
  • Who?
    • 64.3% of the healthcare fraudsters began their malicious activities within their first five year of working for the organisation;
    • 72.8% misused their authorised access (e.g. Privilege account or PII data access);
  • What?
    • Around 52.7% of fraud incidents within the healthcare sector involved the theft of customer data;
    • Around 37.5% of incidents directly targeted financial assets;
    • Around 94.9% of personal identifiable information (PII) that was stolen, was customer data;
  • When?
    • For incidents where attack was known, around 70% involved insider activity during business hours. The other 30% of incidents took place both during work hours and outside work hours;
  • Where?
    • Around 72.7% of incidents took place on site when attack location was known;
    • Around 23.6% involved both onsite and remote activity;
  • How?
    • Most incidents used rudimentary techniques.
      • 25.8% of insider incidents either received and/or
      • 24.2 transferred funds and/or abused privileges;
    • Around 36.4% the insider tried to conceal their activity in some manner such as modifying the log files, using a compromised account or creating an alias;
  • Why?
    • Around 84.8% committed insider Fraud because their motivation was financial gain.

Suggested Mitigation Strategies

Healthcare information security should be the outmost importance for the organisation. Although identity theft is the most common misuse of patient data, patients can face severe, permanent consequences from medical record misuse, alteration, or destruction.

To better protect your healthcare organisations from insider threats incidents, here are some best practices that I suggest that you adopt:

  • Mitigation protection for fraud related crimes starts with better screening and identification of employees at hiring;
  • Some insiders accumulate excessive privileges that enable then to carry out their crime. It is therefore important that you carefully control and audit roles;
  • If possible, enforce separation of duties with all of your critical processes;
  • A monitoring strategy for fraud should include monitoring access and data modification. May also include frequent random auditing on critical information fields;
  • Utilise user activity monitoring solutions to identify online user activities that can be used to detect fraudulent activities;
  • Encourage employees to recognise and report on suspicious behaviour including outside facilitations;
  • Develop an employee assistance program that includes financial counselling.
Categories
Article

Is “Intention” Positive Or Negative Behaviour?

Is “Intention” Positive Or Negative Behaviour?

Gain Understanding Of How INTENTION Can Impact Your Organisation's Risk

“Organisations are no longer built on force, but on trust”

– Peter Drucker

What’s the difference between Intent vs Agenda?

  • “Agenda” can be thought of as a temporary organised plan for matters to be attended; and
  • “Intent” can be thought of as a course of action that a person intends to follow.

Intent matters! It is vital to trust! It’s critical to organisations!

While we tend to judge ourselves by our intent, we tend to judge others by their behaviour.

Intent, by and large, is drawn of the following process:

Intent in the purpose of why you are doing something.

Motive is the reason for doing something

Agenda grows out of motive. It’s what you intend to do or promote because of your motive.

Behaviour is the manifestation of motive and agenda.

Actions are the manifestation of your behaviour. It will symbolise the activities you follow based on your intention.

Outcome will be the result of your actions, whether positive or negative.

Let me ask you two questions.

  • What do you think is the most trusted institution in society? Government? Non-profits? The media? Large companies? According to a new global survey from public relations firm Edelman, the answer is business.
  • Now, what do you think is the most mistrusted institution in society? The answer is government. Are you surprised?

According to a global survey from public relations firm Edelman, 80% of people expect their employers to act on significant social issues like climate change, racism and vaccine hesitancy. In addition, the survey found that people think business outperforms government on a range of social issues: healthcare, inequality, jobs, climate change.  

There is a severe disillusionment with the government to solve significant problems.

The impact of intent issues on trust is dramatic.

A person with integrity, capability and results but with poor intent would be someone who is honest and performs well but whose motive is suspect. For example, perhaps this person wants to win at any cost. But generally, people will sense such behaviour and will not extend their complete trust.

On the other hand, a person with good intentions but without integrity, capability and results is a caring person who is dishonest or cowardly.

Leading with intention

“Intention” is often referred to as a mental state representing a commitment to carry out an action or actions in the future.

It provides the fuel required to act. It’s the “why” and the reason for committing to something.

If you operate with intention in the workplace, you will find people are helpful, understanding, engaged and most likely motivated in the actions you are looking to execute.

However, if you operate without intention, it will undoubtedly prevent you from getting the results for you and your team.

In leadership, the more intentional your behaviour, the more likely those around you will respect and follow your lead. Likewise, when they know the why behind your request, they are more willing to come along.

Negative intention

Douglas McGregor was a leadership expert who touted the value of “Theory Y” in which you assume good intentions and believe people want to do a good job.

This is certainly accurate for most leaders. While some leaders may not be extraordinarily effective, most of them don’t wake up in the morning seeking to be anything but their best.

However, things can go wrong, and a positive characteristic can become an unhappy reality for a leader’s employees.

Often that negativity can manifest in snap judgments, the blame game, and erroneous assumptions about co-workers, especially intense and stressful situations.

Let me ask you the following – Does your organisation have good intentions? Do you have a culture of caring for one another? For your work? For your clients? For your partners?

If you feel your organisation is deficient above, the following questions might provide an insight into the problem.

  • Are people manipulative?
  • Are people withholding information?
  • Are people seeking credit where credit is not due?
  • Are people spinning the truth?
  • Are ideas being suppressed?
  • Are mistakes being covered?
  • Are there lots of fingers pointing at others for blame?
  • Are there numerous meetings after meetings?
  • Are people overpromising and underdelivering?
  • Are people pretending that bad things are not happening?
  • Are people disagreeing or arguing for the sake of it?
  • Do management and executive have a different set of rules?

We know that good culture isn’t founded on ping-pong tables or free beers. Instead, it’s based on mutual respect and values.

Unfortunately, the behaviour of a single person’s behaviour can have a serious detrimental and negative effect on the entire business, especially if it comes from the CEO of the organisation.

Positive intention

But what if I told you that the underlying behaviour of someone with negative intention has a positive intention?

There is a reason why people do what they do. Their behaviour is not random.

Have you thought of the following – why do people steal? What do people commit fraud? Why do people commit crimes that cause such harm to their organisation that it may be forced to shut down?

For every negative behaviour, there is a positive intention behind that behaviour.

Whilst the behaviour itself may be negative or unresourceful, the intention is to meet one of their core emotional needs.

When emotional needs are empty, they need to be filled for us to feel good. So, some use chocolate chip cookies. Some gamble online. Some do drugs. All these offer a quick fix but can also have negative consequences on others and ourselves.

If you observe a colleague at work and this person is bullying and harassing other colleagues, they are unconsciously aiming to meet their own emotional needs.

Rather than thinking that this person is rude, aggressive or obnoxious, try asking yourself under what extreme circumstances you feel it necessary to behave in the same way? Once you look at it through this lens, you might begin to see things differently.

Malicious Insider vs accidental vs cyber attacker

What is the difference?

Intention!

  • Malicious insider – Intentionally exceeded or misused access that negatively harms the organisation’s critical assets.
  • Accidental insider – Through their action/inaction without malicious intent that causes on the organisation critical assets

Yet, many organisations feel they have to choose between protection from outsiders versus insiders.

Keep in mind that once an outsider (with intent) gets in, there is a good chance they will perform the same types of malicious acts as malicious insiders, for example:

  • Plant malicious code or logic bomb
  • Create backdoor account
  • Exfiltrate intellectual property or other proprietary information

Insider threat is a behaviour pattern

Sometimes managers overlook the red flags (negative intention behaviour) out of concern for the bottom line or fear that it may cause the team, themselves, or their organisation.

However, a vigilant workforce (with positive intention) is an excellent defence and can usually recognise and report red flag behaviours no matter how hard insides may try and cover their tracks.

Categories
Article

Tackling The Human Factor In Security

Tackling The Human Factor In Security

How Employees Behaviour Are Making Businesses Vulnerable From Within

 “I don’t know how to exist before 9 A.M., and without coffee, I’m not classified as a human. Actually, I could be regarded as a threat.”

– Katie Findlay

What is harder to control people or systems?

You can control systems as they are reasonably predictable, people – less so.

If there is a problem with the door not closing, you can either fix it or replace it. However, if someone continues to slam the door, you will have difficulty changing that person’s behaviour.

We are very aware that the biggest threat in any organisation comes from employees even when they are not behaving maliciously.

This means CEO’s and other executives can no longer hide in the shadows from such risks.

Part of the CEO role is to manage organisation risk, which means that ultimate responsibility for insider threats and cyber threats must lie with the CEO.

Unfortunately, the CEO cannot pass the responsibility onto someone else domain, like the chief information security officer (CISO), should they experience a data breach.

Today, it’s understood that a significant data breach will ruin the bottom line and pose enormous risks to a company’s brand, reputation, stock price, and how it’s perceived by customers, partners, and even its employees.

For many organisations, protecting their high-value assets has long been considered something of a “tick and flick”. But, unfortunately, that won’t do. Being compliant does not mean security. It does not mean that you are safe.

Compliancy is like having the license to drive cars, but it does not mean you are a good driver. Hence, we have road rules, speeding, and red-light cameras to remind us to drive safely.

This mindset concerns itself more with meeting a regulator’s approval than it does in determining what’s best for a company’s well-being and overall success. Yet many CEOs feel this is enough and rest easy over issues of cybersecurity simply for this reason.

If top executives don’t properly address the potential risk a data breach could have on their organisations, they could soon be shown the door.

Examples:

  • Target – The retail giant infamous data breach in 2013 led to the payment card information of 40 million consumers. CEO Gregg Steinhafel and several other executives resigned.
  • Sony Pictures – it was revealed in 2014 that hackers leaked upcoming film releases, employee information and personal emails from Sony Pictures. Co-Chairman Amy Pascal.
  • Equifax – 145 million people, had their personal information exposed, including names, birth dates, addresses, driver’s license numbers and social security numbers. It wasn’t a huge surprise then that CEO Richard Smith was forced to resign.

Cyber security and insider risk management is not IT problem. It’s a business performance issue.

Since we realise that people are the biggest threat to an organisation, let me ask you the following question…why do people do what they do rather than what they are supposed to do?

Clearly, human beings are not machines!

What makes a person with a “good background” behave appallingly towards their colleagues, while another employee with “little resource” is extremely helpful and accommodating?

One thing is clear, humans are not random creatures. All actions that people take, they take for a specific reason.

The Theory of Planned Behaviour predicts an individual’s intention to engage in a behaviour. It provides an understanding of why a person carries out any behaviour.

The performance of a behaviour is determined by the individual’s intention to engage in it (influenced by the value the individual places on the behaviour, the ease with which it can be performed and the views of significant others) and the perception that the behaviour is within their control.

Let’s take the example of locking your workstation screen policy when leaving your desk. We all know that we should do this, but some don’t. The question is, why?

According to the theory of planned behaviour, it could be several reasons:

  • Behavioural attitude – Some may feel that they don’t like locking their computer or it isn’t essential.
  • Subjective norms – Perhaps management or others don’t follow such policies, so they feel they don’t need to adhere to such rules.
  • Perceived behaviour control – Locking a workstation is a “pain” if it is perceived that entering the password is cumbersome.

Yet, there is a more simplistic model to explain why people do what they do. There is a single driving force behind all human behaviour. This force impacts every facet of our lives, from relationships and finances to our bodies and brains – Pain and Pleasure!

Everything you and I do, we do either out of a need to avoid pain or our desire to gain pleasure. This is, for certain, how humans are wired.

 “When a behaviour is easier to do, it is more likely people will do it.”
– Nir Eyal, author of Hooked

 After all, what is procrastination? It’s when you know you should do something, but you still don’t do it. Why not? The answer is simple: At some level, you believe that taking action at this moment would be more painful than just putting it off. Yet, there comes a time that putting something off for so long that suddenly you feel pressure just to do it. What happened? You changed your reference to what you linked to pain and pleasure. Suddenly not taking action became more painful than putting it off.

Let’s take password management. People know that password security is essential and is a good thing. Yet, why do users have poor password hygiene?

Pain:

  • They have to create complex and lengthy passwords for every application connection. It’s cumbersome and time consuming.
  • It’s difficult to remember a single complex password, let alone several of them.
  • Having to change passwords regularly is annoying.

How do users move away from pain?

  • They use simple, easily guessable passwords that are easy to remember, such as 123456, monkey, password, iloveyou, qwerty, abc123
  • They reuse the same passwords for multiple applications

Poor password hygiene persists primarily because we have made it a painful and challenging process. Until that changes, the problem will stay.

 “The human brain is immensely complex and powerful. Yet, though it’s capable of incredible feats, we don’t like to use it more than we have to. Given the choice, we opt for the least mental effort. So, when we can, we tend to go for not what’s most rewarding, but what’s easiest.”
– (Rethinking The Human Factor –  Bruce Hallas)

Let’s take another example… “corporate policies.”

According to research completed by CEB, more than 90% of employees violate policies designed to prevent data breaches.

The question is, why?

Organisations believe that corporate policies will help ensure that employees behave in a certain controllable way.

Policies answer questions about what is the expected behaviour from employees and how non-compliance is dealt with.

Unfortunately, the majority of organisations are unable to enforce corporate policies, and here are the reasons why (pain):

  • Corporate policies are often convoluted, complicated and not translated into a meaningful and useable language.
  • Corporate policies are rarely followed by management and executives.
  • Corporate policies are old, not relevant and haven’t been updated.
  • Corporate policies don’t include strategic relevance and context.
  • Corporate policies aren’t linked to the organisation values.
  • Corporate policies are not effectively and strategically communicated.
  • Those who break corporate policies are rarely reprimanded.

If you were to assume “force” was the only way to bring about the right policy and control behavioural change, then you are mistaken.

Of course, human behaviour is such that if you try to change another behaviour, they naturally resist (pain). That’s because they value their perceived freedom of choice and feel pressured and trapped when things are imposed.

Traditional guidance regarding how to defend against insider threats focuses primarily on negative incentives (pain), which constrain employee behaviour or detect and punish misbehaviour. However, when relied on excessively, it can result in unintended negative consequences that exacerbate the threat. They fail to prevent damage and alienate staff even further.

On the other hand, positive incentives (pleasure) can complement traditional practices by encouraging employees to act in the organisation’s interest by fostering a sense of commitment to the organisation, the work and co-workers.

Instead of solely focusing on making sure employees don’t misbehave, positive incentives create a work environment where employees are internally driven to contribute to the organisation only in positive ways.

Let me ask you a question… why don’t cyber awareness programs work?

Simple answer: There is a disconnect between awareness and behaviour.

For all of the discussions above, it is no longer enough to limit our thinking that our problems will be solved by technical means alone. In the past, we could invest in sophisticated security systems, which was enough to maintain an adequate level of security.

 “With only a hammer as part of the toolbox, we tend to treat every problem as a nail.”
– Bruce Hallas

 No technology can pinpoint with definite certainty that a person is a threat to an organisation. Think about it, no person walks into the office with a red jacket and a sign stuck to their forehead claiming that they are a threat to the organisation.

Organisations are a collection of people who share a common purpose. People within organisations unite to focus their various capabilities and skills toward achieving personal and business goals.

If people are both the problem and the solution, then it seems somewhat perverse that we should try and solve the problem using only technology.

In research conducted by Ponemon Institute, it asked CISO’s what was top of their threat list?

Not technology! Not hackers! Not malware!

But people!

For many CISOs, the “human element” is their overriding concern and yet, as an industry, they still tend to treat weakness in information security as a technology problem.

Categories
Article

The Consequences Of Global Decline In Organisational Trust

The Consequences Of Global Decline In Organisational Trust

The moment there is suspicion about a person’s motives, everything he does becomes tainted

– Mahatma Gandhi

Trust means confidence, certainty and expectation.

When you trust people, you have confidence in them, their integrity and their abilities. When your distrust people, you are suspicious of them. You are suspicious of their agenda, their abilities, their integrity and their capabilities.

In today’s global economy, TRUST is king. Trust is the social underpinning of social behaviour and social reality. Society needs trust providing us with the certainty and confidence of the day-to-day interaction. Without trust, our lives would lead to paralysis of inaction and possible chaos.

You will not step into a plane if you do not trust that specific airline or the pilot’s ability to fly the aircraft safely. You would not drive a car if you had no trust that other drivers did not follow the road rules. You would not invest in an asset if you believed that investment could be lost at any time or you had no control of it. You would not trust a government if you knew that it was acting corrupt and mischievous. You would not trust an organisation if the culture were of toxic nature.

Low trust causes friction, whether it is caused by unethical behaviour or by ethical incompetence behaviour. Low trust is the highest cost in life and the organisation. Low trust creates hidden agendas, politics, conflicts, disagreements and defensive/offensive behaviour. Low trust slows everything, every decision, every communication and every relationship.

Example: A government employee status changed to “deceased”

What happened?  

A government employee changed the status of another employee on a database so that she appeared as “deceased” as a result of an online chat confrontation that got him kicked out of the forum.

The incident was detected when she tried to open a bank account and was informed that she was listed as deceased in the government database.

The insider was convicted, sentenced to one year of probation and fined.

High trust produces stronger relationships, develops loyalty, enhances reputation and yields better results.

In business, trust is like the human blood system, which feeds the necessary body with the oxygen it needs requires. These are often called collaboration, cooperation, empowerment, alliance, partnerships, exchange, and commerce in business. These blood vessels sustain the day-to-day quality-of-life relationships.

As such, trust impacts us 24 x 7 x 365 days a year.

Trust is the critical denominator to all our lives. Should it be removed, it will destroy the most influential leader, the most powerful government, the most successful business, the most thriving economy and the deepest of love. On the other hand, if developed accordingly, it has the potential to create unparalleled success and prosperity in every dimension of life.

Yet, we take TRUST for granted. It is the least understood, most neglected and most underestimated.

It’s a matter of trust…

Every day, your organisation processes business transactions, collect sensitive data and collaborate with partners. To make all this work, the modern enterprise depends on TRUST – trusting employees to not divulge company secrets, trusting partners to not leak customer information and trusting suppliers to protect sensitive data.

When insiders need access to sensitive information and critical systems to do their jobs and service customers, the organisation needs to establish and enforce a level of “faith” associated with that access.

Trusting stakeholders to use their access privileges appropriately and verifying that they do so can be the most critical and complex challenge of dealing with insider threats.

  • Do you trust your colleagues?
  • Do you trust senior management?
  • Do you trust your business partners?

The global deterioration of trust

Over the years, “trust” has become increasingly difficult to attain, starting with events such as the Enron, News Corp, Wells Fargo scandals exacerbated by the global financial crises and failures.

Not surprisingly, employee trust in management is declining across the globe.

There are three significant areas that weaken trust:

  1. Ethics. Ethics is the foundation to trust, but by itself is insufficient. You can’t have trust without ethics, but you can have ethics without trust.
  2. Stress. Stress has become a serious concern for individuals and organisations. Today, the workplace stress level is at an all-time high, and these implications are alarming.
  3. Disposition. The personality characteristics can contribute positively or negatively to the organisation’s welfare and goals. For example, the following diagram depicts a potential employee with a negative disposition that may cause an insider incident.

If you are a frontline employee and don’t believe senior management will do the right thing for you, you probably have no choice but to look after yourself first. When you put your agenda ahead of the organisation, any chance of the business achieving its vision of winning go right down the drain.

The negative consequences of lack of trust are too numerous to list here in the business world. However, the most devastating are trusted insiders committing harm to their organisation high-value assets.

The consequences of an insider committing harm can be substantial, including financial losses, operational impacts, damage to reputation and harm to individuals.

The actions of a single insider have caused damage to organisations ranging from a few lost staff hours to negative publicity and financial damages so extensive that organisations have been forced to lay off employees and even close operations.

Insider incidents have repercussions beyond the victim organisation, disrupting operations or services critical to a specific sector or creating serious risk to public safety and national security

Something to Think About…

If you thought building trust within is challenging, consider the following scenarios:

  • Collusion with outsiders – Insiders can be recruited by or work for outsiders, including organised crime and foreign organisations or governments.
  • Culture difference – Another level of complexity is added by the rapidity of globalisation, which brings people from all corners of the world closer together with different sets of values and cultures. The allowance for other cultures and therefore trusts within the organisation is difficult.
  • Mergers and acquisitions – Insiders from two different organisations with different cultures are forced to unify into a single structure and most often fight for the same role.
  • Foreign allegiances – Organisations operating in foreign countries must consider that insiders will have loyalties to that country.

The Universal Law of cause-effect states for every effect, there is a definite cause. So likewise, for every cause, there is a definite effect also known as “Karma” – the spiritual principle of cause and effect.

A security breach is a breach of trust.

It is the effect that an insider manifests as a direct result of a cause of action (or none), whether it be malicious or unintentional.

Organisations seeking to improve their business trust will need to engender organisation trust.

One thing for sure, critical challenges in our human social behaviour are to re-think how technology’s rapid progress will impact trust. This is especially true as we continue advancing in the realm of remote work and virtual life.

Categories
Article

Why Is Detecting Insider Threats Difficult?

Why Is Detecting Insider Threats Difficult?

Insider threats may be rare within most organisations, but it doesn’t mean that it does not exist.

Yet even those organisations that claim to be highly competent and highly professional have suffered devastating insider incidents.

Insiders can pose many different types of threats.

•    Some simply provide information to individuals outside the organisation.
•    Some might steal from the organisation.
•    Some might decide to sabotage specific parts of the organisation assets
•    Some insiders pose a threat by making mistakes without really intending to do so. And
•    Some loyal insiders are coerced by others in assisting in theft or sabotage.

Motives for insiders in each of these categories vary widely. In general, people can follow many pathways to becoming a risk to their organisation.

Protecting against insider threats is a difficult job for three primary reasons
1.    Organisations want to downplay the risk from insiders as a non-existent threat.
2.    “Secrecy” often surrounds the challenge of mitigating risky employees. Organisations want to keep their “dirty laundry” discrete and not voluntarily share knowledge and experiences.
3.    Having to address the root cause – human behaviour. Organisations know how to fix a “broken” asset. For example, a broken door can be replaced. But someone who regularly slams the door is a different challenge.

But there is a fourth reason…

At the core of the insider mitigation process are the insider “red flags.”

What are “red flags”?
Red flags are potential risk indicators that present themselves at a point of time to the organisation that are typically ignored, misunderstood or overlooked.

Here are some examples:
•    Skipping approval steps.
•    Failing to keep appropriate or accurate records/receipts.
•    Living a lifestyle above their means or lavishing gifts on a colleague
•    Bullying colleagues.
•    Seeking access to areas which they should not be able to access.
•    Consistently seeking loans or advances.
•    Past legal/compliance problems.
•    Addiction problems.
•    Gambling problems.
•    Significant personal stress.
•    Expressing a strong sense of entitlement.
•    Expressing unhappiness with the organisation or management.

Interestingly, we often look back following an incident and immediately recognise clear indicators of abnormal behaviour before the event and unfortunately, it wasn’t reported nor acted.

Example: Bradley Manning Leaking Classified Information

What happened?
Bradley Manning, a 25-year-old US private, downloaded more than 700,000 classified documents from US military servers and passed them to WikiLeaks, which revealed sensitive information about military operations and tactics, including code words and the name of at least one enemy target.

What were the consequences?
Because of the broad scope and overwhelming volume of the WikiLeaks cables, their disclosure cast doubt on the ability of the U.S. government to guarantee the confidentiality of any kind – whether in diplomacy, military operations or intelligence.

What were his concerning behaviours?
Bradley Manning had a long-term history of psychological issues that included gender identity, bullying, physical threats, depression and problems in the military service.

Missed red flags
The Army ignored both Manning’s supervisor’s recommendation to discharge him and psychological advice not to deploy him.

His weapon was taken but not his access after a demotion, a violent episode, and planned discharge.

A deeper investigation might also have revealed statements of his intention to leak information to friends, media contacts, and ongoing communications with known hackers and WikiLeaks.

The reasons for this failure can be found within most organisations.

1.    First, insider threat early warning programs often lack the attention, expertise, funding, incentive programs, information-sharing processes and programmatic approaches necessary to succeed.
2.    Second, organisational cultures often undercut the effectiveness of early warning programs through denial, privacy concerns, lack of accountability and a cognitive bias toward technical cybersecurity.
3.    Third, faulty assumptions such as “it won’t happen here,” “red flags are reported and responded to,” and “people will do the right thing” undermine the process.
4.    Finally, there is “social shirking,” meaning no one wants to be a telltale.  Many people just want to avoid conflict, and some pass the buck on this vital issue.

The following diagram illustrates a timeline showing different behaviour anomaly indicators that can help detect potential threats before experiencing a breach.

•    Non-Technical Behaviour Anomalies indicators that the behaviour of the person has changed or flipped, for example, an otherwise nonaggressive individual becoming aggressive in conversations.

•    User & Policy Behaviour Anomalies indicators of anomalies when connected to the corporate network, for example, spending lots of time accessing social media sites or actions contrary to corporate policies.

•    System & Data Behaviour Anomalies indicators of unusual system and data behaviour, for example, using metadata analysis and other data sources such as network logs, travel reporting, network access times, etc.

There is some good news.

Significant opportunities exist for stopping insider attacks, around which an affordable and effective early warning system can be created.

These opportunities are created by the simple fact that insider attacks are generally not impulsive.

Regardless of the motivation, the insider plans for weeks or even months before action. And no matter how hard they try to cover their tracks, they leave evidence during the slow progression from idea to action.

This evidence is observable. The changes in attitude and behaviour are discernible and detectable.

Categories
Article

The Path to Poor Security Is Paved with Good Intentions

The Path to Poor Security Is Paved with Good Intentions

Most employees are hard-working, engaged, and eager to please in their roles.

Many go out of their way to do their jobs effectively, efficiently and as best as possible.

Yet, therein lies a potential threat. 

How would you respond if you found out that your employees were the most significant contributors to poor security in the workplace? You’ll probably be astounded. 

Employees can often view security policies as roadblocks to their progress. So instead of working with these protocols, many look for shortcuts to bypass them.

In a CEB study, around 90% of workplace policies are being violated by employees.

So why do employees behave in this manner? You’ll be surprised to know that this habit arises from needing to do their job quickly and efficiently.

Often referred to as “the path of least resistance”.

In a result-oriented workplace, employees are usually stressed and pushed to deliver their best. With the pressure of deadlines, meetings and everything else in between, employees start looking for ways that allow them to accomplish their tasks as quickly as possible.  

At the end of the day, they’re producing results, right?

So, they see no harm in the way they are working. However, violation of workplace policies by employees harms the business. It also makes the risk of insider threats becomes higher. 

The person’s intent is good, but the damage that their actions can be severe.

According to the UK Information Commissioners Office (ICO), human error is attributed to over 90% of cyber breaches.

Insider breaches arise because of human errors, but they may also result from wilful negligence or ignorance on the employee’s part. 

Surprisingly, some employees are aware that their actions aren’t authorised. But as long as the work gets done quickly, taking the shortcut is acceptable to them.

And some employees are utterly oblivious to their behaviours and potential actions that most likely place their organisation to risk.

In my experience, most insiders want to do the right thing but fail to do so.

Here are three types of fallible insiders.

  • Careless insiders – Unfortunately, some employees are careless, neglecting to practice even minimal best practices to maintain optimal digital hygiene, which can keep the online environment safe for everyone.  For example, clicking on a Phishing link, opening attachments that are malicious, using weak and the same password for all of their applications.
  • Ignorant insiders – For most employees, cybersecurity and data privacy are not top-of-mind as they execute their day-to-day responsibilities. They don’t truly understand or appreciate the repercussions of a data breach, and they wouldn’t know how to respond to a threat even if they did identify one. No matter how much cyber awareness training that you provide, they will not understand nor comply.
  • Negligent insiders – These are insiders who fail to act correctly despite knowing better. Employees can be negligent when they are overworked. They might also be preoccupied, overly stressed and disengaged because they just don’t like working there. For example, they might send out sensitive information to the wrong email user to a cloud storage provider against corporate policies, simply to complete work from home, or they may send sensitive personal information via email.

Example: IRS employee took home data on 20,000 workers at the agency

What happened?

An IRS employee took a personal thumb drive home which contained the social security numbers, addresses, contact information and other sensitive data of over 20,000 people. This included data of all contractors and current and former workers of IRS. 

Investigation showed that the device was used on the personal home network of the employee, which was not secure and placed the data at risk.

Luckily, the thumb drive was not used for malicious purposes, and no misuse of the data was found.

Even though IRS does have precautions and policies in place, the employee had chosen to overlook them so that they could work at home.

While looking at the intent behind the action helps you understand its motivation, it still doesn’t answer why your employees are making mistakes.

To get to the root of the problem, you have to look for the following signs of employee behaviour in the workplace to understand why they behave the way they do.

Is it because they:

  • Have huge workloads with tight deadlines?
  • Lack of regular policy and procedure training?
  • Have poor environment working conditions?
  • Are bullied and harassed at work?
  • Find work tiresome and boring?
  • Find security practices a hassle and a roadblock to their productivity?
  • Stressed at work?
  • Are they negligent and careless in their behaviour?
  • Find it difficult, confusing and complex to follow organisation policies and controls?
  • Lack of perceived organisation support?
  • Have poor personal habits – alcoholic, drug user, gambler and other forms of predisposition?
  • Have health problems such as sleep difficulties can also cause poor performance at work?

All these actions can significantly influence how the employee performs, act, and conduct themselves.

According to Gallup’s State of The Global Workplace, only 15% of employees are engaged in the workplace.

Employee engagement reflects the involvement and enthusiasm of employees in their work and workplace.

Employees can become engaged when their basic needs are met and when they have a chance to contribute, a sense of belonging, and opportunities to learn and grow.

The high level of employee disengagement is psychologically unattached to their work and organisation. Because their engagement needs are not fully met, they’re putting time but not energy or passion into their work.

Every day, these workers potentially undermine what their engaged co-workers accomplish.

Every day, these workers place their organisation at risk due to their “detachment” to work.

Paying attention to your workforce

Data breaches occur because organisation management and executive are not paying enough attention to the workforce.

It is essential to strike a good balance with your workforce. If they are overworked and stressed, they will look for shortcuts to accomplish their tasks. Beyond that, they will most likely burn out.

In due time, they will most likely leave the organisation. And if it hasn’t already happened, they will cause intentionally or unintentionally security incidents. This scenario is a recipe for disaster.

Question

How are you engaging with your employees? How are you making their job more involved? How are you supporting them? And how do you encourage greater cooperation, trust and teamwork within your organisation?

Categories
Article

Trust Thy Co-Worker

Trust Thy Co-Worker

Our everyday life is much stranger than we imagine and rests on fragile foundations

– Paul Seabright, a professor of economics at the University of Toulouse

Yes, we have grown up with such sayings. But how well do they participate in today’s life and, more importantly, trust our colleagues within our corporation?

Never mind loving our neighbour; many of us don’t even know who they are or who lives next door.

And while we might cherish the idea of living in a warm and welcoming community, it seems that we have a hard time going out of our way for strangers when it comes down to it.

Trust in society has been identified as very beneficial. However, trust is also very susceptible.

In an article titled “Trust Thy Neighbour: Exploring Information Sharing in Anonymous Urban Settings to Support Trust Generation(Peter Conradie, Stephanie Neumann and Jonas Breme article), they state there are two types of support trust:

  1. The first type of trust is built on social identification and external information that aids risk assessment. Familiarity based trust forms as a result of prolonged interaction with others. This type of trust is built through the identification of group similarities. It leads to higher trust between group members.
  2. The second is built on strategic trust, which is based on a calculation of outcomes. Establishing this type of trust depends on referring to past experiences or getting references from others who have already performed similar transactions.

One might think a person is sincere and honest, but you won’t trust them if they can’t get results. This is typically typified by politicians (familiarity). They have an abundance of intent but rarely do they deliver results (strategic).

Politicians rarely “walk their talk”, as the saying goes.

Information technology provides examples of these two types of trust.

For example, eBay ratings are an example of strategic trust being supported through a reputation system. Buyers are given information about sellers to make a strategic assessment of their trustworthiness.

Familiarity based trust generation can be illustrated by users recommending or presenting books and films.

This leads me to the following…What is an organisation?

An organisation is a “social invention” for accomplishing shared goals.

As such, organisations have people who present both opportunities and challenges.

Let me ask you a question…do you trust your boss? Whether or not you trust your boss and management probably has a lot to do with how much you perceive they support you?

But does trusting your boss leave you vulnerable?

Here is an example of where trust was misused and exploited.

Example: Enron Scandal. The Fall of a Wall Street Darling

What happened?

The collapse of Enron, which held more than $60 billion in assets, involved one of the most prominent bankruptcy filings in the history of the United States.

The Enron scandal, revealed in October 2001, eventually led to the bankruptcy of the Enron Corporation. It came about because Enron executives, with the use of accounting loopholes, special purpose entities, and poor financial reporting, were able to hide billions of dollars in debt from failed deals and projects.

The key takeaways for this scandal

  • Enron’s leadership fooled regulators.
  • Enron engaged in fraudulent accounting practices to inflate profits
  • Enron had a toxic culture and suffered from poor leadership.
  • A win at all cost mentality encouraged a culture of unethical and illegal practices

Let me ask you another question… how much do you trust your co-workers or employees?

Would you bet $400,000 on that?

Example: An New Zealand Employee Stole $400,000

What happened?

In a true story, a former employee at a bank in Queenstown, New Zealand, was convicted and imprisoned after being found guilty of stealing more than $400,000 from her then-employer.

Investigators found that she began committing her inside attack against the bank in 2010 and continued until 2013.

Creating sixteen fictional accounts with loans and overdrafts ranging from $12,000 to $120,000.

Altogether, the amount totalled $402,386.

How was she able to steal such a large amount over such a long period without being noticed?

Simply because the bank trusted her implicitly. It was built on:

  1. Familiarity trust – Working with her over time builds trust with her colleagues so they never suspect her deception. And
  2. Strategic trust – She was capable of delivering work outcomes that increased the bank’s trust level.

It seems astounding that an insider breach could go completely undetected by bank authorities and team members at such a scope over an extended period.

Human behaviour risk is one of the least understood and most uncomfortable security issues facing companies today. Yet, 85% of breaches involve the human element, according to the 2021 Verizon Data Breach Investigation Report.

Something to Think About

An organisation should be able to trust its employees. Yet, your most authorised and trusted employees are the ones with the most opportunity to steal.

And detecting a breach of trust is difficult and challenging.

Here’s something to think about…

How are you assessing and verifying your insider trust?

Are you trusting by default?

How do your colleagues and co-workers help in detecting and deterring insider risk?

Categories
Article

Snapshot Of Insider Threats Within Government

Snapshot Of Insider Threats Within Government

“Our problems are man-made. Therefore, they may be solved by man. And man can be a big as he wants. No problem of human destiny is beyond man.”

 – John F. Kennedy

As we know, Insider Threat affects both the public and private organisations.

Insider threats are one of the biggest security challenges that Government face.

The sheer complexity of Government infrastructure and the critical and sensitive value of the information Government possess makes it easy for a clumsy or a malicious insider to compromise security and potentially cause severe damage.

Some of the most significant insider threat incidents took place within Government.

  • Classified documents from Britain’s Defence Ministry containing details about a British warship and Russia’s potential reaction found in a soggy heap at a bus stop (2021)
  • A former intelligence analyst for the US Federal Bureau of Investigation (FBI) has been indicted for stealing confidential files over 13 years (2021). Classified material included documents relating to cybersecurity threats, terrorism, intelligence bulletins, open FBI investigations, human operations, and files describing the “technical capabilities of the FBI against counterintelligence and counterterrorism targets.”
  • Ex NSA worker (Harold Martin III) was charged in august 2016 for stealing 50 terabytes worth of data during two decades.
  • Office of Personnel Management (OPM) breach in June 2015 compromised 21.5 million Government records.
  • In Australia, in 2014–15 an Australian Bureau of Statistics (ABS) officer working at the Bureau’s Canberra headquarters was convicted of offences relating to the unauthorised disclosure of sensitive statistical information. Over nine months, the ABS officer provided an acquaintance in the banking industry with unpublished market-sensitive economic data, which netted approximately $7 million in illegal foreign exchange trades.
  • Edward Snowden, a former contractor for the CIA, was charged in June 2013 by the US Department of Justice with two counts of violating the Espionage Act of 1917 and theft of Government property. It was estimated that he had copied, stolen, or downloaded around 1.7 million NSA documents, according to the Department of Defense.
  • Chelsea Elizabeth Manning (Bradley Edwards Manning) in 2009 and 2010 leaked hundreds of thousands of documents, many of them classified—to WikiLeaks. As a result, she was charged with 22 offences, including aiding the enemy.

The CERT Insider Threat Centre (NITC) contains over 1,500 insider threat incidents used as a foundation for their empirical research and analysis.

Overview of Insider Threats within Federal Government

In total, CERT identified 77 non-espionage insider incidents where a Government agency was both the victim organisation and the direct employer. However, there were 34 additional incidents where an insider incident impacted an agency at another organisation.

By and large, these were incidents where a federal government organisation had employed a consultant or contractor.

The number one most observed Insider Threat incident with Federal Government was Fraud, followed by “Other Misuse”.

Insiders have a significant advantage over external attackers. This is because not only they are aware of the organisation policies, procedures and technology, but they are also often aware of the vulnerabilities.

Insider incidents are inevitable, and at some point, your organisation is likely to be compromised.

While this is unfortunate, it is a reality that must be proactively prepared for if your organisation is to withstand such threats.

Remember, there is no silver bullet in preventing insider threats. Having too many security restrictions can impede an organisation mission, and having too few may permit a security breach.

Fraud Snapshot Analysis

Around 61% of incidents impacting federal organisations involved Fraud. It included issues of fraud, waste, and mismanagement of federal funds.

  • Who?
    • 45.8% of insiders were worked with the organisation for five years or more
    • 69.4% of insiders had an authorised account, and data
    • 89.5% were full-time employees.
  • What?
    • 52.2% of the targets in Fraud incidents were related to personally identifiable information.
  • When?
    • For incidents where the attack was known (27), all involved during business hours. Half of these also involved activity outside work hours. No fraud activities were determined that only took place outside of work hours.
  • Where?
    • Around 97.6% of incidents took place on-site when attack location was known (41);
  • Why?
    • Around 97.8% committed insider Fraud because their motivation was financial gain.

As mentioned, the second most observed Insider Threat incident with Federal Government was “Other Misuse”.

Other Misuse by insiders can be described as those incidents that involve the unauthorised use of organisational devices, networks, and resources that are not better classified as Theft of IP, IT Sabotage, or Fraud.

Examples of Other Misuse include the use of organisational resources for personal benefit (e.g. obtaining access to colleagues’ emails without consent or a proper business purpose) or committing another kind of cyber-related crime (e.g. stalking or purchasing drugs), which in turn violate organisational policies.

Further Analysis

Insiders committing Fraud in Government tended to be in trusted positions and committed the incident during working hours.

The median financial impact was between $75,712 and $317,551, and three fraud incidents had a financial impact greater than $1 million or more.

Final Thoughts

Insiders who commit fraud are usually low-level employees who use authorised access during regular business hours to either steal information or modify information for financial gain. Insider fraud crimes are often long and ongoing and are bad news for the actual organisation.

Stolen information is usually Personable Identifiable Information (PII) such as payroll or other sensitive information, which is then sold to outsiders who commit the actual fraud against the organisation.

Perhaps the most notable feature of insider incidents within the Government was how prevalent incidents of Other Misuse. It is most likely that insiders that committed Other Misuse generally did so in furtherance of an additional crime.

Suggested Mitigation Strategies

  • Mitigation protection for fraud-related crimes starts with better screening and identification of employees at hiring.
  • Some insiders accumulate excessive privileges that enable them to carry out their crimes. It is therefore essential that you carefully control and audit roles.
  • If possible, enforce separation of duties with all of your critical processes.
  • A monitoring strategy for fraud should include monitoring access and data modification. May also include frequent random auditing on critical information fields.
  • Utilise user activity monitoring solutions to identify user activities that can be used to detect fraudulent activities.
  • Encourage employees to recognise and report suspicious behaviour, including outside facilitation.
  • Develop an employee assistance program that includes financial counselling.

 Need Help?

Are you experiencing an insider threat situation right now and not sure how to address it?

Are you interested in standing up an insider threat program?

If so, here is a simple two-step process for you to follow:

  1. Download the following article – “How To Develop An Insider Risk Mitigation Program In 7 Steps” – https://www.nakedinsider.com/InsiderRiskMitigationStrategy
  2. Please schedule a time to discuss your requirement.
    1. You can either call us on +61 2 6282 5554 or alternately or
    2. visit the Naked Insider website nakedinsider.comand leave your details so that we can follow up with you afterwards.
Categories
Article

The Role Of The CFO In Insider Threat Mitigation

The Role Of The CFO In Insider Threat Mitigation

“If the only tool you have is a hammer, then every problem looks like a nail!”
– Abraham Maslow

Insider threat is not always at the forefront of focus in many organisations.

There is always a consistent flow of news about companies getting attacked from the outside.

However, insider incidents do not usually get reported unless privacy law-regulated data is impacted.

The perception that “it won’t happen to us” is a common stance for leaders that don’t yet know they have faced an insider issue.

Insider threats are an intriguing and complex challenge. Some assert that it is the most significant threat facing the organisation today.

Unfortunately, insider threats cannot be mitigated solely through technology solutions.

There is no “silver bullet” for stopping insider threat.

We need to remember that insiders go to work every day and bypass digital and physical security measures.

They have legitimate and authorised access to your most confidential, valuable and sensitive information and other assets.

You have to trust them. It is not practical to watch each of your employees every move.

What threats do insider pose to organisation assets?
Let’s look at the types of insider threats that can negatively affect the organisation.

  • A malicious disgruntled employee intentionally places malware within the organisation to cause significant disruption and harm.
  • A malicious and trusted third-party insider steals intellectual property to sell the information to a foreign state.
  • An executive administrator creates a fictitious company and funnels selective projects and money to their company.
  • An unintentional insider makes an error, disregards policies or falls prey to an external attacker.

Here are two examples

  1. The August 2020 example of Tesla’s insider threat near-miss – A Russian actor attempted to hold automaker Tesla ransom by launching a devastating cyber-attackfrom inside their network. The purpose of the conspiracy was to recruit an employee of a company to sneakily transmit malware provided by the co-conspirators into the company’s computer system, exfiltrate data from the company’s network, and threaten to disclose the data online unless the company paid the co-conspirators’ ransom demand.”
  2. The Chief of Staff at The Australian National Bank pocketed $5.5 million in bribes – Rosemary Rogers, 45, worked at NAB for more than two decades, including nine years as chief of staff to CEOs Andrew Thorburn and Cameron Clyne. Investigators found that Rogers had approved inflated invoices by Human Group (her co-accused) for NAB’s event and function services over four years. She was simply motivated by greed, personal gain and self-gratification.

 

The CFO’s Role

Most CFOs understand that they need to play an active role in cybersecurity and insider threat management.

Still, many lack a complete understanding of the threats they face and the strategy to mitigate those threats effectively.

CFOs are called to adopt a dual role as they take the lead in navigating their organisation’s digital transformation journey.

They are not only at the forefront of driving strategic performance but are concerned with managing financial risk.

The role of the CFO is to oversee and manage some of the most critically sensitive and increasingly sought-after assets held within the organisation.

In short, CFOs are tasked with providing leadership and oversight, but they also create focus and define priorities.

Not only can they keep security a top concern in the C-suite, but their interaction with every department within an organisation puts them in a unique position to help ensure compliance efforts and deploy the necessary controls to defend the business against internal, external attacks.

 

The Cost Of An Insider Incident

The 2020 Cost of Insider Threats Global Report study from Ponemon Institute reveals a worrying trend in the rise of insider threats that could cripple organisations’ infrastructures.

In just two years, the number of insider threats has increased 47%, from 3,200 in 2018 to 4,716 in 2020. At the same time, the cost of these incidents has surged 31%, from $8.76 million in 2018 to $11.45 million in 2020.

To understand the full potential impact on your organisation, I have listed six types of implications that may bear against your organisation.

  1. Operational impact – Describes the result of an attack or a breach that disrupts the way your business operates.
    • At the very least, it will take your cyber and information technology people away from their regular tasks.
    • Costs:
      • Loss of productivity
      • Cost of external resources associated with the recovery process.
  1. Personal impact – Describes how a breach impacts your people. It could be emotional harm. It could be an increase in stress and anxiety. It could be an increase in job uncertainty. It could be an increase in loss of productivity.
    • Costs:
      • Cost of counselling people
      • Cost of replacing people
      • Cost of hiring people
  1. Physical impact – Describes the impact of damage to physical devices, systems, equipment, facilities and even buildings.
    • Costs:
      • Costs of repairing damaged hardware
      • Costs of replacing hardware
      • Cost of borrowing or renting physical apparatus
  1. Legal impact – Describes the impact from not being able to fulfil contractual, legal or regulatory obligations.
    • Costs:
      • Costs of penalties associated with contract breach
      • Costs of the penalties related to regulatory breaches
      • Costs of court cases
  1. Reputational impact – Describes the damage and harm to the perception of your organisation brand. Depending on the type of breach, this may also cause direct personal damage to executives and director reputation.
    • Costs:
      • Cost of loss of revenue
      • Cost of PR and communication campaigns
      • Cost of marketing campaigns to help maintain brand perception.
  1. Financial impact – Describes the impact from the breach resulting in loss to revenue and profit.
    • Costs:
      • Cost of loss money stolen
      • Cost of share price fall

It is rare only to suffer one of these types of impact. You will often find that sustaining any one type of breach will result in additional cumulative implications.

For example:

Your organisation sensitive HR data, including their full name, home address, and even their salary, was identified on the news as being exfiltrated and available for sale on the Dark web.

A privacy breach of such magnitude causes your employees to be nervous, anxious, and fearful of possibly being targeted for identity crime. Morale is down, and with uncertainty, several key staff leave the organisation, causing personal impact and loss of productivity. Some staff who are significantly hurt seek legal compensation, causing legal impact.

In the meantime, forensic experts are hired to investigate the cause of the data exfiltration. New hardware and software are procured to bolster the weak defences causing operational impact.

At the same time, the reputation of your organisation takes a hit. Shareholder’s panic, and in a frenzy, share price plummets, causing a financial impact.

While the reputation of the organisation has been battered, three key clients cancel their existing contracts fearing that their data is not safe anymore, causing further reputation damage and financial challenges.

Regardless of which types of impact a breach has occurred on your organisation, one thing is for sure – It will cost your organisation financially.

Every time your organisation deviates from its strategy and dives into tactical measures to recover from a breach, it costs your organisation time and money.

A Balancing Act

Insider threats represent a significant risk for organisations and potential attack vectors for malicious insiders and external adversaries.

Insiders have a significant advantage over external attackers. Not only they are aware of the organisation policies, procedures and technology, but they are also often aware of the vulnerabilities.

Insider incidents are inevitable, and at some point, your organisation is likely to be compromised.

While this is unfortunate, it is a reality that must be proactively prepared for if your organisation is to withstand such threats.

Remember, there is no silver bullet in preventing insider threats. Having too many security restrictions can impede an organisation mission, and having too few may permit a security breach.

As a CFO, what you can do is understand the stakes of this challenge. Take an active role in its management, and if needed, seek counsel and expertise to augment your understanding.

Five Ways CFO’s Can Help Protect Their Organisation From Insider Threats

  1. Stand up an insider risk program

An organisation can significantly reduce its exposure to the problem by building an effective insider risk program and preventing the most damaging insider attacks.

The program must implement a strategy with the right combination of policies, procedures, and technical security controls.

Management from all areas of the organisation, especially at the executive levels (legal, financial, human resource, physical, information technology, information security), must appreciate the scale of the problem and work together to enhance its ability to deter, detect, prevent, disrupt and respond to insider threats.

  1. Consider threats from insiders and business partners in enterprise-wide risk governance.

Most organisations find it impractical to implement 100% protection from every threat to every organisation asset.

Instead, consider expanding security efforts commensurately with the criticality of the information or other asset being protected.

A realistic and achievable security goal is to protect assets deemed critical to the organisation mission from both external and internal threats.

The boundary of the organisation enterprise needs to be drawn broadly enough to include all those that have a privileged understanding of and access to organisation systems and information.

Many organisations focus on protecting their assets from external parties but overlook insiders. CFO’s must recognise the potential danger posed by the knowledge and access of their insiders, and it needs to be included as part of the enterprise risk governance.

  1. Adopt positive incentives to align the workforce with the organisation

Traditional security practices focus on “negative” incentives that attempt to force compliance through constraints, monitoring and punishment.

Yet, insider’s goodwill is essential to both minimising intentional and unintentional insider threats and ensuring organizational success.

Positive incentives can complement traditional practices by encouraging insiders to act in the interest of the organisation.

Instead of just solely focusing on making sure employees don’t misbehave, positive incentives create a work environment where employees are internally driven to contribute to their organisation only in positive ways.

  1. Structure management to minimise insider stress and mistakes

Management must understand the psychology of their workforce and the demands placed upon them by leadership.

Human behaviour offers many situations for mistakes to be made, especially by those rushing to complete multiple tasks in high-stress environments.

High levels of stress in the workplace will drive ill will and greater potential for malicious activity.

The push for productivity comes at the cost of both efficiency and security. When people are pushed, they will make more mistakes, feel as if their concerns are not being considered and potentially develop a negative attitude towards management and the organisation.

To reduce the likelihood of malicious and unintentional insider threats, organisation leaders should focus less on top-line productivity and more on achieving productive outcomes and mission-oriented objectives.

  1. Accurately Judge Trust

We tend to think that human behaviour is pretty simple. Even in the most controlled circumstances, identifying how someone will behave in the future is impossible.

Someone who may appear trustworthy may encounter unforeseen life circumstances that may overwhelmingly increase the level of risk. And more importantly, we cannot expect that every person will respond in the same way.

Whether to trust or not to trust, verification is essential.

We conduct background checks on potential employees before hiring them and deciding if we trust them. However, research has shown that insider threat fraud often does not start until after an employee has worked for the company for at least five years.

You must have processes in place to continually re-evaluate that initial judgement of trust.

 Need Help?

Are you experiencing an insider threat situation right now and not sure how to address it?

Are you interested in standing up an insider threat program?

If so, here is simple two-step process for you to follow:

  1. Download the following article – “How To Develop An Insider Risk Mitigation Program In 7 Steps” – https://www.nakedinsider.com/InsiderRiskMitigationStrategy
  2. Please schedule a time to discuss your requirement.
    1. You can either call us on +61 2 6282 5554 or alternately or
    2. visit the Naked Insider website nakedinsider.com and leave your details so that we can follow up with you afterwards.
Categories
Article

Know And Protect Your High-Value Asset From Insider Threats

Know And Protect Your High-Value Asset From Insider Threats

“In Italy, age is an asset.”

-Isa Miranda

Understanding and managing high-value assets has become an essential component of an organisational risk management program.

Identifying and protecting high-value assets plays a critical role across the organisation in allocating the necessary resources to provide the most significant protection and resiliency to the information, technologies, and facilities that matter most to the organisation.

High-value assets are more than just your most valuable line items on your balance sheet.

For example:

A company’s customer enterprise resource planning (ERP) system may be valued on the balance sheet at just $450,000. Yet if that ERP system were unavailable during the trading day, it would halt the business in its tracks.

Moreover, if the contents were stolen or altered, the company would suffer severe reputational damage.

A complete understanding of high-value assets (both logical and physical) is invaluable in defending against cyber and insider attackers who will often target the critical organisation assets.

The next set of data comes from the Insider Threat Division of CERT that contains over 2,000 insider threats incidents used as a foundation for their empirical research and analysis in this article.

The diagram below shows the CERT Insider Threat Incident research dimensions, and it is divided into three segments.

Asset Owner

The asset owner corresponds to the entity responsible for an asset’s management or the subject of the asset.

The most common insider threat case types: fraud, theft of IP, sabotage and multiple. The most prominent victim is the organisation.

Fraud incidents, which make up most of the study incidents, were associated with the most significant number of targeted assets, owned primarily by organisations and secondarily by consumers.

 Asset Type

As seen in the graph below, information is the most commonly targeted asset type across all types of incidents.

Money is targeted exclusively in fraud incidents. Information is the most commonly targeted asset across all incident types.

  • Company funds, part of the “money” asset type, were exclusively targeted in fraud incidents and accounted for 11.9% of all targeted assets.
  • Proprietary information was the most common target of theft-of-IP incidents, but it was also targeted across all case types. Proprietary information accounted for 3.7% of all targeted assets.
  • Product information, classified as intellectual property, was also a common target in thefts of IP. It was also targeted across case types and accounted for 3.7% of all targeted assets.
  • Computer systems were the primary target of IT sabotage incidents, but they were targeted across all case types. Computer systems accounted for 2.5% of all targeted assets.

Classification

The classifications refer to specific kinds of sensitive data.

  • Government-sensitive data: Any data that is not classified but is otherwise sensitive and managed by a government entity.
  • Intellectual property (IP): Can refer to patents, copyright, trademark, etc.
  • Payment card information (PCI): Any account information or other personally identifiable information (PII) associated with a payment transaction or the storage of such data.
  • Protected health information (PHI):Information subject to the protections of the Health Information Portability and Accountability Act (HIPAA)/
  • Personally identifiable information (PII):Information about a person (or persons) that can be used to identify a specific person when used alone or in combination.
  • Non-public:Generally, data involved in insider threat incidents where other classifications do not apply
  • Family Educational Rights and Privacy Act (FERPA): Refers to the type of data, such as student education records, protected by the FERPA federal law
  • Federal Tax Information (FTI):A regulated class of information, with specific guidance provided by Internal Revenue Service (IRS) Publication 1075.

The graph below shows targeted information assets only, broken down by classification and known incident type. The most commonly identified classification was non-public.

What To do?

How do you go about protecting your high-value assets from insider actions?

The most basic function of an insider threat mitigation program is to protect the assets that provide your organisation with a unique advantage.

A complete understanding of high-value assets is instrumental in defending against internal actors who can easily target such assets.

One of the best ways for your organisation to know its assets and protect them from attack is to conduct an asset identification assessment.

The following questions will help you identify and prioritise the protection of your critical assets.

  1. What critical assets do you have?
  2. Do you know the current state of each critical asset?
  3. Do you understand the importance and value of each critical asset?
  4. Can you prioritise the list of critical assets?

Answering these questions will help your organisation to inventory the data and systems that must be protected.

Once critical assets are identified and prioritised, you must identify those high-risk users who most often interact with critical assets.

In conducting a behavioural risk assessment, it is essential to understand the “intent” and “capability” that an insider can harm the organisation confidentiality, integrity and availability of the asset.

For example:

  • Insiders can violate confidential information by stealing your trade secrets as well as customer information.
  • Insiders can affect the integrity of your critical asset by manipulating financial information or defacing your employee’s websites.
  • Insiders can affect the availability of your organisation assets by deleting data, sabotaging entire systems and networks, destroying backups, installing malware and committing other types of denial-of- service attacks

To effectively mitigate the risks posed by trusted insiders against your high-value assets, you must understand your organisation’s susceptibility to internal dangers.

For example:

  • Identify behaviours that are deemed unacceptable based on your security policy and standards.
  • Identify risks and consequences of such behaviours. Such as, how long would a behaviour deem as a risk?
  • Identify malicious behaviours. What level of behaviours would you deem as malicious?

Once you have completed the above two processes, you can put forward a risk mitigation program based on your risk appetite or risk tolerance.

Your strategy is to bridge your current position to the state that you would like your organisation to be in.

So, now when you put your thinking hat and decide what countermeasures are required to be put into play in mitigating insider risks, consider the following questions:

What systems, processes, and practices will you need to put into place to…

  • Predict risks that may take place?
  • Deter behaviour risks from taking place?
  • Prevent risks from taking place?
  • Detect risks from taking place?
  • Respond to risks?
  • Recover from risks?

Importantly, are you aligning the insider risk resilience strategy with your business strategy? Unfortunately, most organisations create insider and cyber strategies that are aligned with their information technology strategy.

Remember, insider threats is a business problem, not a technology problem. The strategy needs to address people risk.

How Can We Help Your Organisation?

If you want to develop an insider risk mitigation program, download “Developing An Insider Risk Mitigation Program For Your Business” – https://www.nakedinsider.com/InsiderRiskMitigationStrategy

You can also reach us in the following ways: