The Role Of The CFO In Insider Threat Mitigation

“If the only tool you have is a hammer, then every problem looks like a nail!”
– Abraham Maslow

Insider threat is not at the forefront of attention in many organisations.

There is a steady flow of news about companies being attacked from the outside.

Insider incidents, by contrast, are rarely reported unless data regulated by privacy law is affected.

The perception that “it won’t happen to us” is a common stance among leaders who don’t yet know they have already faced an insider issue.

Insider threats are an intriguing and complex challenge. Some assert that they are the most significant threat facing organisations today.

Unfortunately, insider threats cannot be mitigated solely through technology solutions.

There is no “silver bullet” for stopping insider threat.

We need to remember that insiders walk through your digital and physical security measures every day, legitimately.

They have legitimate and authorised access to your most confidential, valuable and sensitive information and other assets.

You have to trust them. It is not practical to watch every move of each of your employees.

What threats do insiders pose to organisational assets?
Let’s look at the types of insider threats that can negatively affect the organisation.

  • A malicious, disgruntled employee intentionally plants malware within the organisation to cause significant disruption and harm.
  • A malicious, trusted third-party insider steals intellectual property to sell it to a foreign state.
  • An executive administrator creates a fictitious company and funnels selected projects and money to it.
  • An unintentional insider makes an error, disregards policy or falls prey to an external attacker.

Here are two examples:

  1. The August 2020 Tesla insider threat near-miss – A Russian national attempted to hold automaker Tesla to ransom by recruiting an employee to launch an attack from inside the company’s network; the employee reported the approach, and the attack never happened. “The purpose of the conspiracy was to recruit an employee of a company to sneakily transmit malware provided by the co-conspirators into the company’s computer system, exfiltrate data from the company’s network, and threaten to disclose the data online unless the company paid the co-conspirators’ ransom demand.”
  2. The chief of staff at National Australia Bank (NAB) pocketed $5.5 million in bribes – Rosemary Rogers, 45, worked at NAB for more than two decades, including nine years as chief of staff to CEOs Andrew Thorburn and Cameron Clyne. Investigators found that over four years Rogers had approved inflated invoices from Human Group (her co-accused) for NAB’s event and function services. She was simply motivated by greed, personal gain and self-gratification.


The CFO’s Role

Most CFOs understand that they need to play an active role in cybersecurity and insider threat management.

Still, many lack a complete understanding of the threats they face and of the strategy needed to mitigate them effectively.

CFOs are called on to adopt a dual role as they take the lead in navigating their organisation’s digital transformation.

They are not only at the forefront of driving strategic performance but also responsible for managing financial risk.

The CFO oversees and manages some of the most sensitive and increasingly sought-after assets the organisation holds.

In short, CFOs are tasked with providing leadership and oversight, but they also create focus and define priorities.

Not only can they keep security a top concern in the C-suite, but their interaction with every department puts them in a unique position to drive compliance efforts and deploy the controls needed to defend the business against internal and external attacks.


The Cost Of An Insider Incident

The 2020 Cost of Insider Threats Global Report from the Ponemon Institute reveals a worrying rise in insider incidents that could cripple organisations’ infrastructure.

In just two years, the number of insider incidents reported by the surveyed organisations rose 47%, from 3,200 in 2018 to 4,716 in 2020. Over the same period, the average annual cost of these incidents per organisation surged 31%, from $8.76 million in 2018 to $11.45 million in 2020.

To understand the full potential impact on your organisation, I have listed six types of impact an insider incident may have.

  1. Operational impact – The result of an incident or breach that disrupts the way your business operates.
    • At the very least, it will take your cyber and information technology people away from their regular tasks.
    • Costs:
      • Loss of productivity
      • External resources engaged for the recovery process
  2. Personal impact – How a breach affects your people: emotional harm, increased stress and anxiety, greater job uncertainty and lost productivity.
    • Costs:
      • Counselling affected staff
      • Replacing staff who leave
      • Hiring and onboarding new staff
  3. Physical impact – Damage to physical devices, systems, equipment, facilities and even buildings.
    • Costs:
      • Repairing damaged hardware
      • Replacing hardware
      • Borrowing or renting replacement equipment
  4. Legal impact – The consequences of being unable to fulfil contractual, legal or regulatory obligations.
    • Costs:
      • Penalties for breach of contract
      • Penalties for regulatory breaches
      • Court cases
  5. Reputational impact – Damage to the perception of your organisation’s brand. Depending on the type of breach, this may also directly damage the reputations of executives and directors.
    • Costs:
      • Lost revenue
      • PR and communication campaigns
      • Marketing campaigns to help maintain brand perception
  6. Financial impact – Direct loss of revenue and profit resulting from the breach.
    • Costs:
      • Money stolen
      • Fall in share price

It is rare to suffer only one of these types of impact; one type of breach usually brings others with it.

For example:

Your organisation’s sensitive HR data, including employees’ full names, home addresses and even salaries, is reported in the news as having been exfiltrated and offered for sale on the dark web.

A privacy breach of this magnitude leaves your employees nervous, anxious and fearful of being targeted for identity crime. Morale drops and, amid the uncertainty, several key staff leave, causing personal impact and lost productivity. Some staff who have been significantly harmed seek legal compensation, causing legal impact.

Meanwhile, forensic experts are hired to investigate the cause of the exfiltration, and new hardware and software are procured to bolster the weak defences, causing operational impact.

At the same time, your organisation’s reputation takes a hit. Shareholders panic and, in the frenzy, the share price plummets, causing financial impact.

With the organisation’s reputation battered, three key clients cancel their existing contracts, fearing their data is no longer safe, causing further reputational damage and financial impact.

Whichever types of impact a breach has on your organisation, one thing is certain: it will cost your organisation financially.

Every time your organisation deviates from its strategy and dives into tactical measures to recover from a breach, it costs your organisation time and money.

A Balancing Act

Insiders represent a significant risk to organisations, both as potential malicious actors in their own right and as an attack vector for external adversaries.

Insiders have a significant advantage over external attackers. Not only are they aware of the organisation’s policies, procedures and technology, but they are often also aware of its vulnerabilities.

Insider incidents are inevitable, and at some point, your organisation is likely to be compromised.

While this is unfortunate, it is a reality that must be proactively prepared for if your organisation is to withstand such threats.

Remember, there is no silver bullet for preventing insider threats. Too many security restrictions can impede an organisation’s mission; too few may permit a security breach.

As a CFO, what you can do is understand the stakes of this challenge. Take an active role in its management, and if needed, seek counsel and expertise to augment your understanding.

Five Ways CFOs Can Help Protect Their Organisation From Insider Threats

  1. Stand up an insider risk program

An organisation can significantly reduce its exposure by building an effective insider risk program that prevents the most damaging insider attacks.

The program must implement a strategy with the right combination of policies, procedures, and technical security controls.

Management from all areas of the organisation, especially at the executive level (legal, finance, human resources, physical security, information technology, information security), must appreciate the scale of the problem and work together to enhance the organisation’s ability to deter, detect, prevent, disrupt and respond to insider threats.

  2. Consider threats from insiders and business partners in enterprise-wide risk governance

Most organisations find it impractical to implement 100% protection from every threat to every organisational asset.

Instead, scale security efforts in proportion to the criticality of the information or other asset being protected.

A realistic and achievable security goal is to protect the assets deemed critical to the organisation’s mission from both external and internal threats.

The boundary of the enterprise needs to be drawn broadly enough to include everyone who has a privileged understanding of, and access to, the organisation’s systems and information.

Many organisations focus on protecting their assets from external parties but overlook insiders. CFOs must recognise the danger posed by the knowledge and access of their insiders and include it in enterprise risk governance.

  3. Adopt positive incentives to align the workforce with the organisation

Traditional security practices focus on “negative” incentives that attempt to force compliance through constraints, monitoring and punishment.

Yet insiders’ goodwill is essential both to minimising intentional and unintentional insider threats and to ensuring organisational success.

Positive incentives can complement traditional practices by encouraging insiders to act in the interest of the organisation.

Rather than focusing solely on making sure employees don’t misbehave, positive incentives create a work environment in which employees are intrinsically motivated to contribute to their organisation in positive ways.

  4. Structure management to minimise insider stress and mistakes

Management must understand the psychology of their workforce and the demands placed upon them by leadership.

Human behaviour offers many opportunities for mistakes, especially by those rushing to complete multiple tasks in high-stress environments.

High levels of workplace stress breed ill will and increase the potential for malicious activity.

The push for productivity comes at the cost of both efficiency and security. When people are pushed, they make more mistakes, feel that their concerns are not being considered and may develop a negative attitude towards management and the organisation.

To reduce the likelihood of malicious and unintentional insider threats, organisation leaders should focus less on top-line productivity and more on achieving productive outcomes and mission-oriented objectives.

  5. Accurately judge trust

We tend to think that human behaviour is pretty simple. Yet even in the most controlled circumstances, predicting how someone will behave in the future is impossible.

Someone who appears trustworthy today may encounter unforeseen life circumstances that sharply increase the level of risk. More importantly, we cannot expect every person to respond in the same way.

Whether to trust or not to trust, verification is essential.

We conduct background checks on potential employees before hiring them and deciding whether to trust them. However, research has shown that insider fraud often does not start until an employee has worked for the company for at least five years.

You must have processes in place to continually re-evaluate that initial judgement of trust.

Need Help?

Are you experiencing an insider threat situation right now and not sure how to address it?

Are you interested in standing up an insider threat program?

If so, here is a simple two-step process for you to follow:

  1. Download the following article – “How To Develop An Insider Risk Mitigation Program In 7 Steps”
  2. Schedule a time to discuss your requirements. You can either:
    1. call us on +61 2 6282 5554, or
    2. visit the Naked Insider website and leave your details so that we can follow up with you.