Insider risk management is gaining momentum, as organizations increasingly accept that cybersecurity is a human challenge that requires a human solution.
The data shows that humans are a common factor in cybersecurity incidents. Gartner recently revealed that by 2027, 50% of CISOs will formally adopt human-centric design practices into their cybersecurity programs. The firm also predicts that by 2025, 50% of organizations will adopt an insider risk program.
What sets insider risk management apart from traditional cybersecurity programs is the idea that cyber-attacks are more likely to be avoidable when an organization puts its people at the heart of its cyber strategy.
In other words, employees are less likely to pose a security risk when they are empowered and motivated to follow security policies and procedures in the first place.
Want to stop employees bypassing security controls? Make security a frictionless business enabler. Want to stop employees taking sensitive IP when they leave? Create an environment that makes them not want to leave in the first place, and continuously test and validate controls. Want to stop employees falling victim to social engineering and credential sharing? Arm them with the tools and education they need to know when they’re being conned.
This might sound obvious, but it highlights the important truth that employees hold the most power in mitigating an organization’s security risk – but only when the environment is right.
Technology alone cannot stop a cyber incident, but people can. The challenge (and opportunity) is giving them the tools, skills, and motivation to do so. This starts with changing misconceptions of insider risk programs and the negative connotations that besiege them.
Organizations that clearly define their insider risk program, and communicate the values that underpin it, stand a far greater chance of turning their employees into active security participants – not sitting ducks.
MITRE Corporation recently presented a three-day Masterclass on this topic at the Australian Insider Risk Centre of Excellence – a new initiative by the Australian Cyber Collaboration Centre, MITRE, and DTEX Systems that aims to fast-track Australia’s insider risk capability maturity.
Dr. Deanna D. Caputo is the Chief Scientist of Insider Threat Research & Solutions and Senior Principal Behavioral Scientist for Insider Threat at MITRE. Last month (March), Dr. Caputo presented at length the most common misconceptions of insider risk programs, drawing on her own data-driven research and 15 years’ experience in the field.
Here’s a wrap of the top misconceptions based on Dr. Caputo’s findings:
#1. An Insider Risk Program Requires Extensive New Data Collection on Employees
More data is usually not better. It only results in high rates of false positives that overwhelm analysts and take them away from the picture they should be focused on. Touch point solutions are notorious for this, capturing superfluous data, clogging systems, impacting performance and subsequently the employee experience and productivity. The biggest concern is when tools capture the wrong data at the wrong time – all the ‘creepy’ stuff, like screen capture, doesn’t do anything to inform proactive risk mitigation. It only erodes trust, disenchants employees, and slows down systems. A well-considered insider risk program protects employee privacy and only captures the actionable data from human sensors, organizational sensors, cyber sensors, and physical sensors.
#2. An Insider Risk Program Will Profile Employees and Put the Organization at Legal Risk
Evidence-based profiles of malicious insiders do not exist; there is no evidence to support them. In addition, indicators based on the kinds of factors covered by equal-employment opportunity rules (e.g. age, gender, race) are ineffective. Good people do bad things all the time, but it doesn’t make them inherently bad. For this reason, a sound insider risk program does not profile employees. Instead, those programs focus on specific behaviors and patterns of behaviors that are shown to be associated with increased risk.
#3. An Insider Risk Program is Focused on Penalizing Employees
The bedrock of a successful insider risk program is a security-conscious work environment built on trust, respect, transparency, and bi-directional loyalty. It’s unreasonable to think that penalizing a well-meaning employee for accidentally clicking a dodgy link or falling for a new, creative attack vector could possibly be conducive to positive behavior change. Penalizing employees only makes them feel vulnerable and exposed, which is more likely to have a disarming effect that creates rather than reduces risk.
#4. Other Parts of the Organization (Compliance, HR, Physical Security) Already Deal with Insider Risks
While these departments are critical for tackling insider risk, a siloed approach doesn’t work. Insider risk programs are governed by a dedicated team comprising one or more representatives from each group. The insider risk program acts as a central repository (often called a ‘hub’) to correlate datasets and insights from across those different parts of the organization. This collaboration is essential and has often been the missing part of the insider risk management puzzle. One department might have an important datapoint that is not concerning in itself but is very concerning when combined with other datapoints from other departments.
The insider risk program ‘joins the dots’ between different datapoints that nobody else in the organization is joining together.
For that reason, insider risk programs do not replace other groups but offer a collaboration that draws on the whole-of-business insights that are needed to identify and deter risk.
If there’s one key takeaway to be had from the Insider Risk Masterclass, it’s that insider risk programs are not successful when they are cyber-first or cyber-only.
Dr. Caputo says insider risk programs bring together the psycho-social and cyber-physical in a way that no other group in an organization does.
“Insider risk programs that emphasize only the cyber are missing out on important context and are not using the most effective tools available to them,” she said.
“The sooner we start using what we know about humans to support them and protect our organizations, the sooner we can reduce insider risk.”
Behavioral Science & Data-Driven Research
MITRE partnered with DTEX in 2020 to conduct a data-driven study of the modern insider risk landscape to assist Five Eyes critical infrastructure entities challenged by evolving threats, including nation-state actors and sophisticated adversaries targeting trusted insiders.
Request a briefing to learn more about the research and how you can apply our learnings to drive a robust insider risk program.