Challenges Posed by Insider Threat
Insider threat is a serious issue facing many organisations, but there is quite a bit of confusion surrounding the topic. Before properly addressing insider threat, we must first understand the concept and prepare ourselves to face the challenges.
I have spoken with a wide range of insider threat specialists over the years, and there seems to be common ground among them all: namely, the confusion, noise, and misinformation (or lack of information) that has been provided to the organisations with whom they work.
This confusion has resulted in many failures and shortcomings within these organisations as they attempt to curate their insider threat programs. The inability to reduce their own risk profiles has left these organisations exposed and unable to maximise their investments. This is why it is so important to understand the core issues caused by insider threats rather than relying on substandard information.
There is no one-size-fits-all answer for insider threat, as every organisation requires an individual assessment and operates under its own protocols. However, there are ways to address insider threat that go beyond simply “checking a box” to satisfy regulatory requirements. A pragmatic approach based on the needs of the organisation will be far more effective than just going through the motions.
It should be noted that the term Insider Threat has fallen out of favour with many individuals and organisations. It is seen as a negative and played-out term, and many have chosen to say Trusted Insider in its place. Personally, I don’t particularly care for either term, but as I have not come up with an alternative, we will run with both. Ultimately, the goal is to identify any person within an organisation who can be seen as a threat – that is, someone who is capable of doing harm.
In sitting down with multiple organisations to understand their current risks and risk management strategies, I’ve come across several common themes. These are three consistent challenges that I’ve observed among these organisations:
- Inability to identify a lack of internal skills and required knowledge on insider threat
- Looking for a simple solution through the use of technology
- The Minority Report phenomenon
Let’s elaborate on each of these common challenges.
Lack of Internal Skills
As insider threats come from the inside, it is vital to have internal skills to be able to handle them. Without these skills and necessary knowledge, organisations often look to alternative options. Such options often include:
- Looking to the security team – usually the Security Operations Centre (SOC or Cyber-SOC), as they have a wide catalogue of risk skills and knowledge not generally held by other employees;
- Utilising investigation teams within security, integrity, or risk management teams, or organising panels composed of members from these teams and Human Resources;
- Outsourcing the investigation to bring in necessary skills as they are required.
None of these potential actions are inherently bad, but all of them share one common problem – they are reactive. That is, they are utilised after an incident has occurred and damage has already been done. They do very little to proactively identify a threat or formulate plans for future security. They can also be a significant drain on resources. It is also important to consider that any incidents that have already occurred often need to be reported to regulatory agencies and may even appear in tomorrow’s headlines.
Reliance on Technology
Technology is incredibly useful and powerful, but not for the sole fact that it is technology. It is merely a tool and it should be used as such. Your approach should never start with technology. Over-reliance on technology could lead to using the wrong tools which might do more harm than good. Be sure to perform thorough research on any technology in which you may be interested. Remember that most things are not always as they seem. Especially if it is your neck that is on the line, don’t fall for marketing hype just to check a box or to find a magic answer. You won’t be doing any favours for either yourself or your organisation.
If you are interested in learning about technologies that could be worth considering within your organisation’s toolkit, then reach out to speak with us.
Remember that technology is just one tool in your bag of resources, and that all of your solutions should start and end with people.
The Minority Report Discussion
You may be wondering how a 2002 science fiction film relates to a professional discussion about insider threat. Allow me to assure you it will soon make sense.
In Minority Report, there are specialised police departments who apprehend criminals based on premonitions of crimes provided by psychics. These psychics are known as “precogs.” Throughout the movie, officers arrive at the scene at the very moment a crime is about to be committed. There are constant discussions about the ethics and morality of these tactics, but it makes for a very exciting film.
So, how does this relate to insider threat? Well, I am often asked if there is a way to catch a person just before they actually cause harm to the organisation. For example, is it possible to capture the moment when an employee is about to commit fraud or breach a company policy? Essentially, can we apprehend a member of the organisation before they hurt us?
While I understand the thought process, this is a dangerous question. Firstly, and most importantly, nobody is guilty until they have actually committed a crime or broken a policy. Unless you already have a criminal investigation opened based on prior activity, you must steer clear of these pre-emptive strikes. They are best left to the professionals in law enforcement or on regulatory boards.
Just as importantly, you shouldn’t be thinking this way in the first place. You should seek to understand why an employee feels the need to carry out harmful activities. This can help to address root causes and encourage organisational changes that will be more beneficial in the long run. You may find my blog on the ‘Four Principles for Understanding a Person’s ‘Risk Cocktail’’ helpful.
Also, if you are only addressing risk in a reactive response, then that can have insignificant consequences.
Hopefully you now have a clearer understanding of a few of the challenges of insider threat. In our next blog, we will talk about the three main types of insider threat and the importance of common language.
You heard me mention at the beginning of the blog that I am not a fan of the terms Insider Threat or Trusted Insider; do you have a preference or a better term?
If you have found value in what we have shared, feel free to check out other blogs by the Unearth team and subscribe to our Newsletter. If you are interested in the book ‘Risk Starts and Ends with People’, being released in September 2021, feel free to reach out to learn more. To share your thoughts on the blog or any information we have provided, we would welcome hearing from you through firstname.lastname@example.org