The increasing focus on insider risk frequently overlooks the changing nature of our data, environments, and threat landscape

Are you worried about insider risk?

Most concerned organizations are acting based on an outdated definition of insider threat. That leads to solutions that no longer address the real nature and risk of the insider threat.

A lot has changed in the last few decades. It’s time to step back to consider what changed. Explore the real nature of the risk. And with it, the opportunities for better solutions.

The nature of the information we capture expanded. Our systems, environments, and methods of work changed, too. These changes made insiders more valuable. Consider how the threat shifts with the changes.

The first insiders had limited data and access

The data that organizations gather, process, and store is valuable. Realizing the value of information means granting people access to the information. An insider is an employee, contractor, or anyone “authorized” to access the information.

Do you remember using a mainframe? Limited data storage. Accounts for only those who needed them. In most cases, strict controls.

When we look back, the mainframe days sometimes feel drastic in nature. For most, it was an upgrade from the manual processes they relied on. Limited access and strict controls created the sense that insider threat was minimal.

Handling distribution requires privileged accounts

The progression to client-server solutions introduced a different model. Now we needed to protect the data, the servers, the network, and the clients used for access.

The need for more people with more access to more data created new opportunities. We created “front ends” to interface with the systems housing the data. We started to provide limited access to some information over the Internet.

The increase in complexity required dedicated administration. Accounts with higher levels of access to maintain solutions.
They also created accounts for others and handled controls. This level of access created the need to “watch the watchers.” Most organizations continue to struggle with this today.

We maintained an illusion of control. The bulk of the data remained on servers we owned. It traveled on networks we controlled. People accessed and processed the data with devices we approved.

Apps with access to everything for everyone

Modern applications are the window to our data. And why not? Applications have the power to transform business. That creates a push for more flexibility, more power, and ease of use.

Sometimes the rush for progress makes it easier to bypass traditional controls. Or gain access to data in unintended ways.

And now more people — insiders — have access to more data. They have more pathways than ever before. Not just more devices, but more ways to access the information, too. We’re a long way from mainframes with hardwired terminals.

Have you stopped to consider the access authorized users have through your applications?

Attackers have. And they realized that they had two options. They could work through layers of traditional protection. Or they could get what they want by compromising an authorized account.

For many attackers, insiders — without malicious intent — are the path of least resistance.

Is that what you consider to be the insider threat?

Why the definition of insider risk needs to evolve with the actual threat

Most definitions (CERT, FBI, Wikipedia) of insider threat focus on the malicious element. An emphasis on the intention of someone to exceed their authorized access.

This definition made sense when we controlled the system, data, and means of access. We painted a clear picture of the risk of insiders. In most cases, the risk of malicious use was small in comparison to the need for access to do their jobs.

Our current environments challenge the focus on intention and malice. The attacker is malicious.
They hijack the authorized account of an individual with good intentions.

The common definition of insider risk places an emphasis on the individual. That changed. And it means one of two things:

- We didn’t realize that the risk shifted
- We recognized the change, but struggle to articulate and communicate the risk

Our environments changed. Attackers adapted their tactics. That means both the definition of insider threat and the risk changed, too.

How many organizations accept the risk based on an outdated perception? Focus on solutions and actions that overlook the real threat.

The risk associated with insiders changed. It’s time to update our understanding and actions. Then we can find solutions that protect people and improve security.