Know And Protect Your High-Value Asset From Insider Threats

“In Italy, age is an asset.”

-Isa Miranda

Understanding and managing high-value assets has become an essential component of an organisational risk management program.

Identifying and protecting high-value assets plays a critical role across the organisation in allocating the necessary resources to provide the most significant protection and resiliency to the information, technologies, and facilities that matter most to the organisation.

High-value assets are more than just your most valuable line items on your balance sheet.

For example:

A company’s customer enterprise resource planning (ERP) system may be valued on the balance sheet at just $450,000. Yet if that ERP system were unavailable during the trading day, it would halt the business in its tracks.

Moreover, if the contents were stolen or altered, the company would suffer severe reputational damage.

A complete understanding of high-value assets (both logical and physical) is invaluable in defending against cyber and insider attackers, who will often target the organisation's critical assets.

The data that follows comes from the Insider Threat Division of CERT, whose collection of over 2,000 insider threat incidents is used as the foundation for its empirical research and analysis.

The diagram below shows the CERT Insider Threat Incident research dimensions, and it is divided into three segments.

Asset Owner

The asset owner corresponds to the entity responsible for an asset’s management or the subject of the asset.

The most common insider threat case types are fraud, theft of IP, sabotage and multiple. The most prominent victim is the organisation.

Fraud incidents, which make up most of the study incidents, were associated with the most significant number of targeted assets, owned primarily by organisations and secondarily by consumers.

Asset Type

As seen in the graph below, information is the most commonly targeted asset type across all types of incidents.

Money is targeted exclusively in fraud incidents. Information is the most commonly targeted asset across all incident types.

  • Company funds, part of the “money” asset type, were exclusively targeted in fraud incidents and accounted for 11.9% of all targeted assets.
  • Proprietary information was the most common target of theft-of-IP incidents, but it was also targeted across all case types. Proprietary information accounted for 3.7% of all targeted assets.
  • Product information, classified as intellectual property, was also a common target in thefts of IP. It was also targeted across case types and accounted for 3.7% of all targeted assets.
  • Computer systems were the primary target of IT sabotage incidents, but they were targeted across all case types. Computer systems accounted for 2.5% of all targeted assets.

Classification

The classifications refer to specific kinds of sensitive data.

  • Government-sensitive data: Any data that is not classified but is otherwise sensitive and managed by a government entity.
  • Intellectual property (IP): Can refer to patents, copyright, trademark, etc.
  • Payment card information (PCI): Any account information or other personally identifiable information (PII) associated with a payment transaction or the storage of such data.
  • Protected health information (PHI): Information subject to the protections of the Health Information Portability and Accountability Act (HIPAA).
  • Personally identifiable information (PII): Information about a person (or persons) that can be used to identify a specific person when used alone or in combination.
  • Non-public: Generally, data involved in insider threat incidents where other classifications do not apply.
  • Family Educational Rights and Privacy Act (FERPA): Refers to the type of data, such as student education records, protected by the FERPA federal law.
  • Federal Tax Information (FTI): A regulated class of information, with specific guidance provided by Internal Revenue Service (IRS) Publication 1075.

The graph below shows targeted information assets only, broken down by classification and known incident type. The most commonly identified classification was non-public.

What To Do?

How do you go about protecting your high-value assets from insider actions?

The most basic function of an insider threat mitigation program is to protect the assets that provide your organisation with a unique advantage.

A complete understanding of high-value assets is instrumental in defending against internal actors who can easily target such assets.

One of the best ways for your organisation to know its assets and protect them from attack is to conduct an asset identification assessment.

The following questions will help you identify and prioritise the protection of your critical assets.

  1. What critical assets do you have?
  2. Do you know the current state of each critical asset?
  3. Do you understand the importance and value of each critical asset?
  4. Can you prioritise the list of critical assets?

Answering these questions will help your organisation to inventory the data and systems that must be protected.

Once critical assets are identified and prioritised, you must identify those high-risk users who most often interact with critical assets.

In conducting a behavioural risk assessment, it is essential to understand the “intent” and “capability” with which an insider can harm the confidentiality, integrity and availability of the organisation's assets.

For example:

  • Insiders can violate the confidentiality of your information by stealing your trade secrets as well as customer information.
  • Insiders can affect the integrity of your critical assets by manipulating financial information or defacing your employee’s websites.
  • Insiders can affect the availability of your organisation's assets by deleting data, sabotaging entire systems and networks, destroying backups, installing malware and committing other types of denial-of-service attacks.

To effectively mitigate the risks posed by trusted insiders against your high-value assets, you must understand your organisation’s susceptibility to internal dangers.

For example:

  • Identify behaviours that are deemed unacceptable based on your security policy and standards.
  • Identify risks and consequences of such behaviours. For example, how long would a behaviour be deemed a risk?
  • Identify malicious behaviours. What level of behaviour would you deem malicious?

Once you have completed the above two processes, you can put forward a risk mitigation program based on your risk appetite or risk tolerance.

Your strategy is to bridge your current position to the state that you would like your organisation to be in.

So, when you put on your thinking hat and decide which countermeasures are required to mitigate insider risks, consider the following questions:

What systems, processes, and practices will you need to put into place to…

  • Predict risks that may take place?
  • Deter behaviour risks from taking place?
  • Prevent risks from taking place?
  • Detect risks when they take place?
  • Respond to risks?
  • Recover from risks?

Importantly, are you aligning the insider risk resilience strategy with your business strategy? Unfortunately, most organisations create insider and cyber strategies that are aligned with their information technology strategy.

Remember, insider threat is a business problem, not a technology problem. The strategy needs to address people risk.

How Can We Help Your Organisation?

If you want to develop an insider risk mitigation program, download “Developing An Insider Risk Mitigation Program For Your Business” – https://www.nakedinsider.com/InsiderRiskMitigationStrategy
