Even companies with robust cybersecurity programs can sometimes struggle when it comes to spotting threats operating from within their organizations. According to Todd Thorsen, director of information security, risk management and compliance at Code42, businesses looking to mature their insider threat programs need to focus on five core areas: assessing risk, garnering executive and stakeholder buy-in, implementing the right tech and tools, establishing processes and proper documentation, and fostering communication and transparency.
Speaking at the CyberRisk Alliance’s InfoSec World event this week, Thorsen detailed to attendees how to execute these five key steps, noting that in today’s complex, remote and hybrid IT environments, “it's more important than ever to understand and manage insider risk within your organization, and where data is leaving.”
The first step is to identify the unique risks that are specifically inherent to your own organization, perhaps through a risk assessment program. Part of this process will be understanding what data residing within your ecosystem is most critical based on your company’s risk tolerance. “Think about things like unstructured data, intellectual property, regulated data certainly, and customer data,” he said.
Also, consider where this data resides, whether in applications, databases or cloud repositories, and determine who has access to it, Thorsen recommended. Among those with access, attempt to identify individuals with higher risk profiles due to their circumstances and responsibilities. These might include, “departing employees, individuals on performance improvement plans, individuals with elevated access privileges, [and] employees who… demonstrate poor security practices,” he explained.
Before you can take serious action to mitigate these risks, an insider threat program should earn the trust and buy-in of key executives and stakeholders, Thorsen continued in his presentation. A formal risk assessment that highlights gaps in security will be useful for explaining why certain actions must be taken, and what goals the security team is trying to accomplish while maturing the insider threat program.
Thorsen also advised that CISOs share any external reports or research papers that convey the latest insider threat incidents and trends. “This is something that helps make it real and can help build support for managing… risk internally,” he stated.
When discussing potential initiatives with executive leadership, security leaders should also explain how any insider threat program will align with the current corporate culture that exists and isn’t so restrictive as to impede employees from getting their day-to-day work accomplished. “This is really important. If you're going to be successful in anything in the security space – and certainly insider risk – you need to have cultural alignment,” said Thorsen.
To ensure a worker-friendly culture, security teams should be careful not to immediately assume malicious wrongdoing when an employee is responsible for data loss or leakage. They simply may need better training.
“I'm a big believer in presuming positive intent,” said Thorsen. “Because at the end of the day… these are all of our co-workers and partners across the organization. And you have to factor in the element that the vast majority of insider risk is not malicious.”
With the go-ahead to proceed, security leaders can start to look for tools that they can integrate into their tech stack to help them attain asset visibility, and then detect and respond to insider threat activity. “APIs, integrations, workflows – things like that are really important to help build a broader perspective of what internal risk looks like within your organization,” said Thorsen.
“You want to look for tools that offer the capability to detect, investigate and respond across individuals, exfiltration vectors and technology,” he continued. “As you're evaluating tools and vendors, really conduct [proofs of concept] and have clear RFIs and RFPs that you're delivering to ensure that whatever you're bringing in your organization is going to be a great fit.” This process might include head-to-head comparisons of tools and examination of use cases.
According to the presentation, possible functions to invest in include remote workplace monitoring, mirror IT detection, employee and contractor monitoring, forensic file searches, data classification and loss prevention, and security awareness.
But even with the right tools in place, you still need to know how best to use them. That’s where developing processes and documentation comes into play.
“It's important to outline what the criteria for monitoring looks like within your organization, including the actions that warrant inclusion or exclusion from insider risk monitoring,” said Thorsen. For instance, companies will want to consider what kinds of suspicious or careless actions might justify flagging an employee for heightened monitoring, and also how to escalate an issue (and which departments should be involved) when there is a legitimate problem.
The insider threat investigation process should “ensure repeatability and consistent handling and eliminate bias,” Thorsen continued, and so “having a process that's formalized and documented helps alleviate some of that concern.”
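One way to make such criteria repeatable and auditable is to encode them as a deterministic rule that every worker is run through in the same way. The block below is an added example written for this page; it is not code from the talk or from Code42’s products. The roster, the file-movement events, the factor weights, the 30-day window and the volume thresholds are all constructed for illustration, and the `Worker` and `FileEvent` schemas are hypothetical stand-ins for what an HR/IAM feed and a DLP or endpoint agent might provide. It combines the risk factors listed above (departing, on a PIP, privileged, poor security practices) with the actions themselves (sensitive data moving over external vectors), so that a baseline user who moves a large volume of restricted data is still pulled into review.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Worker:
    """Hypothetical HR/IAM attributes an insider risk program might pull per user."""
    user: str
    departing: bool = False                # resignation or termination notice on file
    on_pip: bool = False                   # on a performance improvement plan
    privileged: bool = False               # elevated access (admin, DBA, cloud owner)
    poor_security_practices: bool = False  # e.g. repeated phishing-simulation failures


@dataclass
class FileEvent:
    """Hypothetical file-movement record, as a DLP or endpoint agent might emit it."""
    user: str
    ts: datetime
    vector: str          # "usb", "personal_cloud", "email", "corp_share"
    classification: str  # "public", "internal", "confidential", "restricted"
    size_mb: float


# Documented inclusion criteria (constructed weights): each flag raises the monitoring tier.
RISK_FACTORS = {"departing": 2, "on_pip": 1, "privileged": 1, "poor_security_practices": 1}

# Vectors that move data outside the organization's control, and the labels that matter.
EXTERNAL_VECTORS = {"usb", "personal_cloud", "email"}
SENSITIVE = {"confidential", "restricted"}

# Constructed per-tier thresholds (MB of sensitive data on external vectors within the window)
# and the documented escalation path for each tier.
ESCALATION_THRESHOLD_MB = {"enhanced": 50.0, "standard": 250.0, "baseline": 1000.0}
ESCALATION_PATH = {
    "enhanced": ["security", "hr", "legal"],
    "standard": ["security", "line_manager"],
    "baseline": ["security"],
}


def monitoring_tier(w: Worker) -> tuple[str, list[str]]:
    """Map documented risk factors to a tier; also return which factors applied, for the record."""
    reasons = [name for name in RISK_FACTORS if getattr(w, name)]
    score = sum(RISK_FACTORS[r] for r in reasons)
    if score >= 3:
        return "enhanced", reasons
    if score >= 1:
        return "standard", reasons
    return "baseline", reasons


def evaluate(w: Worker, events: list[FileEvent], now: datetime, window_days: int = 30) -> dict:
    """Apply one rule to every worker: tier from HR/IAM facts, then sensitive outbound volume."""
    tier, reasons = monitoring_tier(w)
    since = now - timedelta(days=window_days)
    outbound = [
        e for e in events
        if e.user == w.user and e.ts >= since
        and e.vector in EXTERNAL_VECTORS and e.classification in SENSITIVE
    ]
    volume = sum(e.size_mb for e in outbound)
    result = {"user": w.user, "tier": tier, "reasons": reasons,
              "sensitive_external_mb": round(volume, 1), "escalate_to": []}
    if volume > ESCALATION_THRESHOLD_MB[tier]:
        # Escalation opens a documented investigation; it is not a finding of malice.
        result["escalate_to"] = list(ESCALATION_PATH[tier])
    return result


def demo() -> dict:
    """Run the rule over a constructed roster and event set (no real users or incidents)."""
    now = datetime(2021, 10, 29, 12, 0)
    roster = [
        Worker("dana", departing=True, privileged=True),
        Worker("eli", poor_security_practices=True),
        Worker("fay"),
    ]
    events = [
        FileEvent("dana", now - timedelta(days=2), "personal_cloud", "confidential", 40.0),
        FileEvent("dana", now - timedelta(days=5), "usb", "restricted", 25.0),
        FileEvent("dana", now - timedelta(days=60), "usb", "restricted", 500.0),    # outside window
        FileEvent("dana", now - timedelta(days=1), "corp_share", "restricted", 900.0),  # internal vector
        FileEvent("eli", now - timedelta(days=3), "email", "confidential", 30.0),
        FileEvent("eli", now - timedelta(days=4), "usb", "public", 700.0),            # not sensitive
        FileEvent("fay", now - timedelta(days=1), "usb", "restricted", 2000.0),      # action-driven inclusion
    ]
    return {w.user: evaluate(w, events, now) for w in roster}


if __name__ == "__main__":
    for user, verdict in demo().items():
        print(user, verdict)
```

Because the factors, weights and thresholds live in named tables rather than in analysts’ heads, the same input always yields the same tier and the same escalation path, and the `reasons` list records why a person was included, which is the kind of documented, bias-resistant handling the process above calls for. Real deployments would source the weights and thresholds from the organization’s own risk assessment rather than the constructed values used here.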
Thorsen also advised that companies consider incorporating insider risk management scenarios into their tabletop exercises and simulations to help improve and solidify their incident response process for when such scenarios emerge in real life.
Finally, transparency is needed to ensure that initial buy-in doesn’t fade and become replaced by a sense of distrust. Thorsen said this might require establishing and communicating an acceptable use policy, as well as incorporating insider threat incident response scenarios into security awareness training programs.
“And then be transparent with your employees about monitoring and why it's important to the organization,” Thorsen continued. “You don't need to go into details of how monitoring is executed or what tools are used, but just be very clear that that's taking place.”