Former Intelligence Officer Provides Insider Threat Mitigation Advice

(March 5, 2024)

Amid widespread cyber-attacks perpetrated by external individuals and groups seeking to exploit sensitive information, organizations also need to recognize insider threats, whether from their own employees or from third-party contractors. The rise of insider threats to data and information security is a growing risk that many security and business leaders are grappling with.

Recently, Dorene Rettas, Co-Founder of Cyber Security Tribe, had the opportunity to engage in a conversation with Shawnee Delaney, a former intelligence officer with extensive experience in counterintelligence and cybersecurity, now CEO of Vaillance Group. Delaney's background reads like a spy novel, with years spent recruiting spies for the U.S. government. Her journey took her through clandestine services and cyber emergency response teams, providing her with a unique vantage point on the vulnerabilities inherent in human behavior within organizational structures.

Insider Risks and Insider Threats

Delaney articulated the critical distinction between insider risk and insider threat. Insider risk encompasses the inherent vulnerabilities posed by human actions, such as shortcuts or errors, driven by factors ranging from stress to fatigue. Every company that employs humans, regardless of size, inherits insider risk. Insider threat, on the other hand, embodies malicious or unintentional actions undertaken by insiders, posing significant risks to organizational security. Both forms of risk are pervasive and necessitate proactive measures for mitigation. Insider risk is “left of boom,” before something happens; insider threat is after something happens, whether malicious or unintentional.

Insider Threat Mitigation Efforts

One of the primary challenges organizations face is garnering buy-in from stakeholders and employees regarding insider threat mitigation efforts. Delaney advocates for a transparent and collaborative approach, urging organizations to recognize and acknowledge the existence of insider risks and threats. By fostering a culture of security awareness and emphasizing the collective responsibility for safeguarding sensitive information, organizations can engender a sense of ownership and vigilance among employees at all levels.

Delaney speaks of the importance of supporting improved cyber discipline for employees at home, away from work. This not only helps keep their families safe but also instills good cyber hygiene and muscle memory, which employees then take back to the office, ultimately improving the organization’s cyber resilience.

Employee morale is also important to consider when reducing the risk of insider threats. Delaney states “Nine times out of ten the biggest problem is employee morale”. Pulse and/or climate surveys will help discover these issues, which could come down to employees not feeling respected or valued. Ultimately, these employees are likely to become potential insider threats if no interventions or support are offered; having this knowledge can help organizations take proactive and supportive measures.

Insider Threat Training and Awareness Programs

At the heart of an effective insider threat mitigation strategy lies comprehensive training and awareness programs, which should include all levels of the organization from entry level to the C-suite. Great importance should be placed on enterprise-wide training initiatives that educate employees on identifying behavioral anomalies, reporting suspicious activities, and adhering to security protocols. Furthermore, robust governance mechanisms, including clear policies and enforcement frameworks, are indispensable in fortifying organizational defenses against insider threats. This may go awry when, for example, an organization has a data classification policy but employees are not aware of it and do not adhere to it.

Counterintelligence Programs

When an organization embarks on a counterintelligence program to help protect itself against insider threats, Delaney recommends human risk assessments, which review the organization's biggest vulnerabilities; these can differ by industry and company. The stakeholders are then interviewed for potential issues. For example, an overlooked issue, such as low employee morale, may be discovered. An important aspect of an effective program is a steering group that has relationships with all the relevant stakeholders.

How to Address Insider Threats Internally

For those organizations looking to reduce the chance of an insider threat, Delaney emphasizes the significance of meticulously managing the employee lifecycle to mitigate human risk. From recruitment to termination, organizations must prioritize cultural alignment, transparent communication, and seamless offboarding processes. By instilling a sense of belonging and accountability throughout the employee journey, organizations can mitigate the risk of insider threats emerging from disgruntlement or dissatisfaction.

To conclude, the conversation with Shawnee Delaney highlighted that by conducting human risk assessments, fostering collaboration among stakeholders, and prioritizing a culture of security awareness, organizations can build resilient frameworks capable of withstanding insider threats.