“In Italy, age is an asset.”
-Isa Miranda
Understanding and managing high-value assets has become an essential component of an organisational risk management program.
Identifying and protecting high-value assets plays a critical role across the organisation in allocating the necessary resources to provide the most significant protection and resiliency to the information, technologies, and facilities that matter most to the organisation.
High-value assets are more than just your most valuable line items on your balance sheet.
For example:
A company’s customer enterprise resource planning (ERP) system may be valued on the balance sheet at just $450,000. Yet if that ERP system were unavailable during the trading day, it would halt the business in its tracks.
Moreover, if the contents were stolen or altered, the company would suffer severe reputational damage.
A complete understanding of high-value assets (both logical and physical) is invaluable in defending against cyber and insider attackers who will often target the critical organisation assets.
The next set of data comes from the CERT Insider Threat Division's corpus of over 2,000 insider threat incidents, which serves as the foundation for the empirical research and analysis in this article.
The diagram below shows the CERT Insider Threat Incident research dimensions, and it is divided into three segments.
Asset Owner
The asset owner corresponds to the entity responsible for an asset’s management or the subject of the asset.
The most common insider threat case types are fraud, theft of IP, sabotage, and multiple (cases combining more than one type). The most prominent victim is the organisation.
Fraud incidents, which make up most of the study incidents, were associated with the most significant number of targeted assets, owned primarily by organisations and secondarily by consumers.
Asset Type
As seen in the graph below, information is the most commonly targeted asset type across all incident types.
Money is targeted exclusively in fraud incidents.
Classification
The classifications refer to specific kinds of sensitive data.
The graph below shows targeted information assets only, broken down by classification and known incident type. The most commonly identified classification was non-public.
What To Do?
How do you go about protecting your high-value assets from insider actions?
The most basic function of an insider threat mitigation program is to protect the assets that provide your organisation with a unique advantage.
A complete understanding of high-value assets is instrumental in defending against internal actors who can easily target such assets.
One of the best ways for your organisation to know its assets and protect them from attack is to conduct an asset identification assessment.
The following questions will help you identify and prioritise the protection of your critical assets.
Answering these questions will help your organisation to inventory the data and systems that must be protected.
Once critical assets are identified and prioritised, you must identify those high-risk users who most often interact with critical assets.
In conducting a behavioural risk assessment, it is essential to understand an insider's “intent” and “capability” to harm the confidentiality, integrity and availability of the organisation's assets.
For example:
To effectively mitigate the risks posed by trusted insiders against your high-value assets, you must understand your organisation’s susceptibility to internal dangers.
For example:
Once you have completed the above two processes, you can put forward a risk mitigation program based on your risk appetite or risk tolerance.
Your strategy is to bridge your current position to the state that you would like your organisation to be in.
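As an added illustration, not the article's own material, the following Python sketch carries the process above through in code: rank assets by worst-case loss impact rather than book value, list the users who interact with the critical ones, and flag asset/insider pairs whose score exceeds the risk appetite. The 0..3 impact scale, the "criticality x intent x capability" score and the sample assets and insiders are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Impact scale assumed here: 0 = no harm .. 3 = halts the business or causes
# severe reputational damage. Book value is kept only for contrast.
@dataclass
class Asset:
    name: str
    book_value: float
    confidentiality: int  # harm if the contents are stolen
    integrity: int        # harm if the contents are altered
    availability: int     # harm if unavailable during the trading day
    users: List[str] = field(default_factory=list)  # insiders who interact with it

    def criticality(self) -> int:
        # The worst single loss dimension sets priority, not the book value.
        return max(self.confidentiality, self.integrity, self.availability)

@dataclass
class Insider:
    name: str
    intent: int      # 0..3 from behavioural indicators (assumed scale)
    capability: int  # 0..3 from access and skill (assumed scale)

def prioritise(assets: List[Asset]) -> List[Asset]:
    """Critical assets first; book value only breaks ties."""
    return sorted(assets, key=lambda a: (a.criticality(), a.book_value), reverse=True)

def high_risk_users(assets: List[Asset], threshold: int = 3) -> List[str]:
    """Users who interact with any asset at or above the criticality threshold."""
    return sorted({u for a in assets if a.criticality() >= threshold for u in a.users})

def above_appetite(assets: List[Asset], insiders: List[Insider], appetite: int) -> List[Tuple[str, str, int]]:
    """(asset, user, score) where score = criticality x intent x capability
    (assumed scoring rule) exceeds the organisation's risk appetite."""
    by_name = {i.name: i for i in insiders}
    out = [(a.name, u, a.criticality() * by_name[u].intent * by_name[u].capability)
           for a in assets for u in a.users]
    return sorted([t for t in out if t[2] > appetite], key=lambda t: t[2], reverse=True)

# Constructed sample data (not from the article): the ERP system from the text, a
# higher-book-value item that barely affects operations, and a customer list.
ASSETS = [
    Asset("ERP system", 450_000, confidentiality=2, integrity=3, availability=3, users=["alice", "bob"]),
    Asset("Delivery fleet", 900_000, confidentiality=0, integrity=0, availability=1, users=["carol"]),
    Asset("Customer list", 0, confidentiality=3, integrity=1, availability=1, users=["bob"]),
]
INSIDERS = [Insider("alice", intent=0, capability=3), Insider("bob", intent=2, capability=2),
            Insider("carol", intent=3, capability=3)]
```

Running `prioritise(ASSETS)` ranks the $450,000 ERP system ahead of the $900,000 fleet, which is the point of the balance-sheet example above.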
So, when you put on your thinking hat and decide which countermeasures to put in place to mitigate insider risks, consider the following questions:
What systems, processes, and practices will you need to put into place to…
Importantly, are you aligning the insider risk resilience strategy with your business strategy? Unfortunately, most organisations create insider and cyber strategies that are aligned with their information technology strategy.
Remember, insider threat is a business problem, not a technology problem. The strategy needs to address people risk.
How Can We Help Your Organisation?
If you want to develop an insider risk mitigation program, download “Developing An Insider Risk Mitigation Program For Your Business” – https://www.nakedinsider.com/InsiderRiskMitigationStrategy
You can also reach us in the following ways:
© 2023 Naked Insider, Level 1 Colbee Court, Phillip ACT, Australia Tel: +61 6282 5554