Can threats from insiders be proactively mitigated with non-technical measures? The short answer is "yes and no." And promise, this isn’t going to turn into a blog on quantum computing to explain how these two answers can exist at the same time. An incident associated with a careless or malicious insider can be mitigated, sometimes, but it is highly dependent on a number of factors and many of these are non-technical.
There are great technology solutions that address insider threats. But even the best technology will be useless if the non-technical basics aren’t part of your insider threat mitigation strategy. Proactively addressing insiders threats, identifying early warning signs and responding to those threats are rarely solved with technology alone.
Once your organization has determined what’s a terminable offense, the workflow for addressing an insider incident and how this information will be disseminated throughout the organization, the real work starts. But before we get into some of the proactive measures, let’s first consider what makes an insider unique when compared with an external attacker.
Inside the Insider
When thinking about an insider it is better to picture Colombo not James Bond: low-tech trumps hi-tech. Because these insiders have trust and access they can operate with great stealth, speed and ease. You don’t need to be the Girl with the Dragon Tattoo to access a file that you have a legitimate right to use and simply upload it to a file store in the cloud, print it, or copy it to a thumb drive.
The kicker is that an insider may do all of these things with nefarious intent or simply carelessness. I’ve studied hundreds of incidents related to insiders, and I even wrote a book on the topic. At the onset of most investigations it’s difficult to understand intent in cases of sabotage and theft. Regardless, anything that can be done unintentionally can also be done intentionally with greater impact.
When a malicious insider is suspected next steps can be unclear. This isn’t some nameless, faceless attacker from the other side of an ocean. This isn’t what the FBI calls SAM or the Socially Awkward Male. See any Hollywood movie about hackers to build out that mental picture. This is Steve, the guy that just came over for a BBQ last weekend and beat you in lawn darts. As such, mounting a response isn’t as cavalier as going after the unknown – it’s personal, and without policies and procedures to guide you, most people prefer to look away.
For the bad guys, why hack when you can recruit or plant? There are no security controls to circumvent. There are no phishing attacks to mount in hopes of getting command and control capability. There is no enumeration of credentials, drive shares and internal networks. Simply find someone that is sympathetic to your cause, or might be looking to make a few bucks, or can be blackmailed…
In most cases malicious insiders are motivated by money, but other motivations include:
- Desire to please
So that’s the “who.” What do we do about it?
Four non-technical measures
One way to avoid malicious insiders is to hire trustworthy employees. That’s pretty simple right? I wish it were that simple. It’s a start but not foolproof and note that some intelligence organizations have conducted detailed vetting, checked all the boxes, and still ended up with employees that went rogue.
- Aldrich Ames – began working for the CIA in 1962 and started spying for the Soviet Union in 1985
- Robert Hansen – began working for the FBI in 1976 and by 1979 was also spying for the Soviets and later the Russian Federation
- Ronald Pelton – began working for the NSA in the early 1960s and retired in 1980; in 1984 he began selling secrets to the KGB
# 1 Conduct background checks
There is more than one type of background check. Depending on your organizational polices and budget, conducting one or more of these makes sense. For some, you want to re-check periodically.
- Employment verification
- Education verification
- Credit checks
- Substance abuse checks
- Civil background checks
- County record checks
- Criminal background checks
- Multi-state fingerprint checks
- National FBI background checks
- Long-term background checks going back more than 10 years
- Polygraph test
# 2 Train managers and conduct employee reviews
Manager training and an understanding of how to perform reviews and how to look for warning signs is often as important as conducting the reviews. Periodic reviews by a well-trained manger can be beneficial to catching details that could be, but are not necessarily, warning signs.
Indicators of an insider are often narcissistic (think Hugh Laurie's character in House) or antisocial behavior (think Heath Ledger's playing the Joker in Batman) as well as some type of personal or professional crisis. Employees feeling under appreciated, disliked, underpaid, disrespected or that their career isn’t progressing are all factors that should be addressed. Other factors may be gambling, drugs, bankruptcy, divorce and the like. Organizationally, if issues are identified, programs should be in place to help these individuals.
# 3 Implement security awareness training
All employees should have some level of security awareness training. This will help to mitigate careless insiders and also make others aware of steps they should take when an insider is suspected.
Do they confront the individual, the individual’s manager, their manger, legal, HR, or is there an anonymous tip line? An understanding of this simple step, what to do next, can save time and money and limit the negative impact that the insider has on the organization.
# 4 Define a response team with a c-level champion
Teams addressing insider threats are often made of individuals from IT security. Their involvement is necessary, but non-technical representatives from groups like legal, HR, facilities, risk and compliance as well as an executive to lead the team are important for success. Insider threats are not just an IT problem.
Rarely can these programs be successful from the bottom up. Because an insider investigation will cross multiple business units it is essential to have an executive to keep the gears turning and not get stuck fighting political battles.
What other non-technical solutions have you found successful in mitigating insider threats within your own organizations?
This article is published as part of the IDG Contributor Network. Want to Join?