Protecting your business from insider threats in seven effective steps Why your organisation is currently defenceless

By Boaz Fischer on May, 29 2017

The Zero TRUST Idea

It is common for organisations to put in place controls to prevent intentional misconduct by employees. Examples of this include “rogue” trader, front running, miss-selling etc. An analysis of historical breaches shows that there are 3 types of human elements to them:

  1. Intentional breach;
  2. Unintentional breach due to not following process; and
  3. Unintentional breach due to not being aware of the process.

These 3 human elements also apply to data and information security breaches.
Organisations as part of their overall information security program have been expanding their resources enhancing their cyber defences such as firewalls, intrusion detection, system user access management etc., which is critical but are yet to deal with insider threat.

The “Zero Trust” idea is centred on the concept users inside a network are no more
trustworthy than users outside the network and as a result of their behaviour an
organisation may suffer security breaches.

The idea is based on the perimeter firewall keeping unauthorised people out of the
organisation. The internal network is considered to be “trusted” and those who have
authorised access to the trusted network are also deem “trusted”.

The Zero Trust suggests an employee is therefore considered to be on the same
level with others outside the organisation.

On the surface, it’s almost rude. But, given that we work in a “borderless world”, then
the above has some merit and perhaps requires consideration.

External attacks tend be easier to detect and defend against. The tools used to
protect against outsiders are seldom scalable and effective to apply to every insider
who must be given access to information and assets so that they can do their job.
Insiders have all the advantages over external attackers

Not only do they have tablets, smartphones, laptops and other media which connect
to outside world, they also know where the high value information is stored, the
organisation internal security systems and importantly, they have authorised access
to systems. Having been bestowed organisational trust, the insider has the capability
and the capacity to severely place the organisation at risk 24X7.

By and large, “insiders are a gateway of risk" as clearly depicted by the following
diagram:

So clearly, an insider has the capability of moving in-and-out of their organisation,
taking in-or-out sensitive assets and sharing them with others should they chose to.

Unfortunately, today, organisations are still spending vast amounts of money
protecting their perimeter while placing very little, if any, attention to the threat within.

It’s no wonder that the greatest risk to an organisation is their people and their
consequential behaviour. We still see employees courteously hold open doors,
allowing strangers into their workspaces!

When we also look at some of the well known incidents such as : NSA, Target, Wells
Fargo, Morgan Stanley, OPM, Barclays Bank, AT&T, JPMorgan, Societe General
and many, many others, they all relate to human weakness.

Whilst some of these incidents are malicious, majority of them are accidental and
non-malicious. Information security controls depend on human judgement. For
example - emails sent to the wrong recipient; someone posting sensitive data on a
public website; An unsuspecting user clicking on a link or opening an attachment that
is malicious; Users losing their smart devices in public areas; Users picking up an
infected USB and plugging it directly into their work machine.

In Verizon’s 2015 Data Breach Investigation Report, it claimed that 90% of all
incidents are people based. Whether it’s goofing up, getting infected, behaving badly
or losing stuff is where most incidents fall.

Today, we must accept the new reality - the insider threat is real.

We can keep on conjuring the Edward Snowden NSA story, but many executives and
board members are mostly sightless to these threats believing it will never happen to
them. The trends of emerging threats are arrival of Generation Y, who are used to
seamlessly moving information across devices and the cloud, an avalanche of new
consumer devices, and exponential connectivity of networks.

So the question is who is at fault AND who is responsible to understand and mitigate
these threats?

We could point at the people since they are clearly identified as the source of risk to
the business. However, employees often want to place the blame for security
shortcomings squarely on the board and executives, who in turn are looking to
offload their responsibilities into the hands of their information security teams in the
‘hope’ they can mitigate such internal threats.

When the security team responds to management; “all is well, because they haven’t
seen any incidents”, this provides no yardstick that everything is satisfactory.
Because, there will always be a threat stemming from a human being whether
maliciously or not. And, just because the security team have not ‘seen’ anything,
doesn’t mean there are NOT any breaches…

Which brings us to the point about the “Zero Trust” which assumes every user might
be compromised and that no user is trusted implicitly.

We can look at this from another angle - Any user might be a hacker in disguise.
Hence, the only way to halt such breaches, is perhaps for the industry to rethink the
TRUST model.

Let's look at "TRUST".

Trust is about “confidence”. The opposite is distrust. When you trust people, you
have confidence in their integrity and capabilities. When you have distrust, you are
suspicious.

In today’s global economy, TRUST is king. Trust is the social underpinning of social
behaviour and social reality.

Society needs trust, providing us with the certainty and confidence of the day-to-day
interaction. Without trust our lives would lead to paralysis of inaction and possible
chaos.

Low trust causes friction, whether it is caused by unethical behaviour or by ethical
incompetent behaviour. Low trust is the greatest cost in life and in the organisation.
Low trust creates hidden agendas, politics, conflicts, disagreements and defensive /
offensive behaviour. Low trust slows everything, every decision, every
communication and every relationship.

On the other hand, high trust produces stronger relationships, develops loyalty,
enhances reputation and yields better results.

In business, trust is like the human blood system which feeds the necessary body
with the oxygen it needs. In business these are often called collaboration, cooperation,
empowerment, alliance, partnerships, exchange and commerce. These
blood vessels sustain the day-to-day the quality of life relationships.

As such TRUST, impacts us 24 x 7 x 365.
If a “Zero Trust” is going to be adopted, then it must be able to answer a number of
key questions.

  • Do you trust your colleagues?
  • Do you trust your boss?
  • Do you trust your organisation?

Over the years, “trust” has become increasingly difficult, starting with events such as
the Enron, WorldCom scandals and exacerbated by the Global Financial Crises. Not
surprisingly, employee trust towards management is on the decline across the globe

Trust MUST be earned and this takes time.

Its based on two distinct principles: Character and Competence.

  • Character is based on integrity, motives and intent
  • Competence is based on capabilities, skills and results

For example, Richard Branson the CEO of the huge Virgin empire is very well liked
and trusted. His integrity, his intent, his commitment and his results speak of
themselves. In 2000, he was knighted as Sir Richard Branson. In 2002, he was
named in BBC poll of the 100 greatest Britons. In 2009, Branson was voted the UK's
"Celebrity Dream Boss". In 2014, Branson received the 2014 Business for Peace
Award.

On the other hand, a typical politician is rarely trusted. They talk their talk, but seldom
do they walk their talk. They lack congruity, honesty and very rarely do they deliver
on their promises.

The Trump vs Clinton US elections came down to a single question. Whom do you
trust? Trump had serious character flaws, but is recognised as a successful and
competent business person. While Hillary Clinton had flaws both in her character as
well as her results.

Now, whether or not you trust management, your colleagues and the organisation
has a lot to do with how much they support you or rather the perception of it. When
employees have a positive perceptions of organisation support, they believe their
organisations will provide the assistance when needed for them to perform their job
effectively and to deal with stressful situations.

It stands to reason then, employees who have strong perception of organisation
support, feel an obligation to care about the organisation welfare and to help it
achieve its objectives. Importantly, employees who have greater organisation
perception support have higher job performance and are more satisfied with their
jobs, more committed and more loyal to the organisation and less likely to be absent
from work or even quit.

Now, what could undermine this perception of organisation support? Lack of trust.
Areas that could weaken trust are:

  • Ethics. Ethics is the foundation to trust, but by itself is insufficient. You can’t have trust without ethics, but you can have ethics without trust.
  • Stress. Stress has become a serious concern for individuals and organisations. Today, the level of stress in the workplace is at an all-time high and these implications are alarming.
  • Disposition. The personality characteristics can contribute significantly either positively or negatively to the organisation welfare and its goals. The following diagram depicts a potential employee with a negative disposition that may cause in insider incident.

What can an organisation do to develop a strong level of internal
trust?

The current thinking is to setup significant controls and policies in the manner
employees are “governed”.

Corporate controls and policies have are critical foundational requirements of good
Governance with the intent to express clear direction on the things which are
fundamental, basic, important and therefore most enduring in running business.

But here is the problem; the more controls you place, the more organisational trust
declines.

For example, organisation must adopt a ‘need to know’ access strategy, meaning
users can only access the data they need to do their job.

That’s all very well, but what perception does it portray? That it lacks trust in its
people and what they can do? Any employee with determination and motivation will
always find another way to access data, even though that they are no authorised to
do so.

According to The CERT Guide to Insider Threats; 75% of insiders who committed
data theft had authorised access to the information
.

Some of the best ways to address the human risk factor in an organisation is by
engendering real time investment in programs for people’s education, training and
support. An organisation with a strong sense perceived trust signals to the employee
the organisation values and cares for them.

The criticality of these programs is important. They assess and analyse the real
human performance within the organisation. By creating a plan for sustained
improvements and introducing a series of real time education interventions and
training, which targets behavioural changes will encourage a ‘risk aware’ culture. This
is critical as our people make decisions every day that balance security against the
imperative of making the business work

Real time education intervention occurs when an employee is notified of a negative
incident which could be a corporate policy violation. The purpose is to raise
awareness then and there, to determine why the violation took place and how the
person can remodify their activity/behaviour for the future.

For example, parents that have children will inform the child immediately, if the child’s
behaviour is seen as “detrimental” to themselves and or others. The effectiveness of
the parenting regarding that behaviour loses its value as time goes by. No point
telling the child off if the incident took place some three weeks back. The child would
have completely forgotten.

Security awareness training is only effective in the “now”. It losses its effectiveness if
it is not being reinforced on an on going basis.

Therefore, organisation which take human problems seriously, know they must
examine the current state of employee knowledge, skills, deliverables (capabilities)
as well as attitude and commitment (character) to security and privacy in the context
of organisation culture and its goals.

The Universal Law of Cause-Effect states for every effect, there is a definite cause,
likewise for every cause, there is a definite effect also know as “Karma” – spiritual
principle of cause and effect.

There are no accidents. A security breach is the effect that an insider created as a
direct result of a cause whether it be malicious or not.

Organisation seeking to improve their business resiliency will need to engender
employees to change their actions with a supporting and caring structure. Only then
they will change their behaviour in a positive way. And only then will the
organisation’s resiliency advance and improve.

Ronald Reagan once quoted: “Trust, but verify”. This was a good approach when
dealing with Russia, but we haven’t really done a good job in the information world.
The “Zero Trust Model” idea was therefore suggested as an alternative model as a
way to re-architecture the data and placing security at its centre (Forester).

In reality, security is improving, but technology is definitely not enough. People are
the greatest opportunities to achievement and success… They are also the biggest
threat that faces each organisation. It is best summed up by the quote at the top of
this article. “We have to start addressing the human element of information security,
not just the technical”.

How can CommsNet Group help?

CommsNet Group is the only specialised Insider Threat focused organisation in
Australasia. CommsNet Group helps organisation to identify and mitigate the threat
from within.

CommsNet Group uses tested and proven methodologies from Carnegie Mellon
University (which is part of CERT – Software Engineering Institute).

For nearly 30 years, CERT division of the Software Engineering Institute has been a
trusted an authoritative research organisation in Insider Threats. No other
organisation has the corpus of insider threat incidents that the CERT Insider Threat
Centre has, nor has any other organisation done the amount of analytics on that type
of corpus, that the CERT Insider Threat Centre has.

If you want to tap into the rich knowledge and understanding of how to effectively
mitigate the Insider Threat, you can tap into CommsNet Group expertise in either of
the following ways:

  1. Attend an Insider Threat Workshop - This Workshop is an interactive
    presentation with practical exercises to assist you in gaining a better
    understanding of what constitutes insider risk and how to deal with it.
  2. Conduct an Insider Threat Vulnerability Assessment - Based upon
    CERT Carnegie Mellon University methodology helps you determine how well prepared you are to prevent, detect, and respond to insider threats, should they appear in your organisation
  3. Schedule a meeting to discuss how to build an effective Insider
    Threat Program
  4. Download a free Ebook – “Protecting Your Business From Insider
    Threats In Sever Effective Steps”, visit CommsNet Group website