A snapshot of today’s cyber threat landscape is all it takes to stress the value and necessity of living, breathing cybersecurity strategies. Cyber attackers are growing bolder and more sophisticated by the day, while incidents of data theft, ransomware and network incursions are becoming common headlines.
Insider threats are also coming into focus. These are incursions in which cyber attackers either manipulate or incentivize employees to provide access to the organization’s networks (e.g., phishing scams, bribery or social engineering). That insider threats are trending upward makes employee training, upskilling and oversight the linchpin of a well-rounded cybersecurity strategy. What’s more, the management of the insider threat challenge spans multiple business functions: it’s not solely an IT problem.
But who are insiders and what impact can they have on your organization? Insiders broadly fall into two categories of motivation: (1) the conscious or malicious and (2) the unwitting. Conscious, malicious insiders commonly possess a wide variety of both capacity and opportunity, making their impact potentially the greatest: they know your organization’s controls and weaknesses, and they may have a specific grudge whose detrimental activation is enabled by the “keys” and credentials your organization has given them.
The prevalence of these conscious, malicious insiders is, however, generally somewhat lower than that of the unwitting. Unwitting insiders are now equipped with capacities and opportunities to do inadvertent harm on a more frequent basis, from posting sensitive materials to cloud storage or wrongly sharing sensitive data with suppliers to using information in a way that violates regulation or enabling an outside attacker to take over their credentials. Many organizations’ programs focus on the conscious, malicious insider and disregard the unwitting, but ultimately a well-crafted program should contain approaches for both.
From our perspective working on these issues at KPMG in Canada, the top two insider threats to sensitive business and personal information alike tend to be:
- IT and security professionals whose elevated, job-necessary privileges give them access to all systems, applications and data
- Other professionals with direct access to the data because of their job responsibilities—including people who apply for these positions for the express purpose of gaining that access in order to accomplish a planned threat objective.
A variety of influences on the insider threat are also prevalent. Common among these are foreign intelligence agencies and competitors with corrupt intent, personal financial challenges that lead to desperation, political or social activism, the desire to finance an external career move or start a business, fear of being laid off, and employee disgruntlement at a lack of pay raise or bonus.
To help mitigate these types of threats, organizations should consider some key questions that can help them improve the governance of insider risk:
- Have we defined our trade secrets and assessed their financial value?
- Who is in charge of insider threat management?
- What is the company’s strategy?
- How many detected security incidents related to our trade secrets are attributed to insiders?
- What was the impact of these insider incidents?
- What are other companies in our industry doing to manage insider risk?
It should come as little surprise that insider threats can cause more damage to an organization than an external cyberattack. However, most organizations lack awareness of insider threats and the strategies necessary to prevent or mitigate breaches.
What they need to do is adopt new approaches to identification and management. The conventional approach of focusing almost exclusively on external cyberattacks primarily through technological controls provides little defense against malicious insiders—or anyone else who happens to be in the wrong place at the wrong time. Critically, successful insider threat programs bring together stakeholders from across the organization—from Human Resources, administrative personnel and legal counsel to privacy consultants, information security personnel and IT groups.
The time to get this right is now.
In subsequent posts, we’ll explore insider threats from the perspective of information security and IT personnel, while reinforcing the message that the management of the insider threat challenge is not solely an IT problem.