INSIDER THREAT…scary words that conjure up names like Edward Snowden or Aldrich Ames (a CIA agent turned KGB for almost a decade). These high-profile, widely publicized cases garnered much attention, prompting organizations to take a serious look at their internal safeguards and security practices. While we continue to see significant time, money, and resources invested in this area, there still seems to be a blind spot when it comes to addressing insider threat. In a 2020 report published by the IBM Security Division (LQZ4RONE, ibm.com), the cost of recovering from an incident caused by a non-malicious insider was over $300K per instance with an average annual cost of over $4.5M. With such high stakes, efforts to inform and engage employees must be at the forefront of every organization’s security and risk management initiatives.
I hear you say, “But Jay, we have had insider threat training for a long time, shouldn’t all the insiders be aware by now?” In short, you are right. There are numerous awareness efforts, training days, and computer-based training modules already in existence. So why do insiders continue to cause so many headaches? Of course, there is no “one” answer to this seemingly simple question. However, we can identify and address two areas that could stand a bit of improvement: design and engagement.
What if our security efforts involved building a tall gate that was almost impossible to breach and would only open when the person inside the gate wanted it to? This very important gate would be used by many in their daily work environment. However, for the gate to open, a person would need to stand on one foot for 5 minutes. Let us also imagine a six-inch fence on either side of the gate that one could easily step over to get to the other side. From a security expert’s standpoint, every time someone steps over the fence the ever-present enemy on the opposing hill is shown just how easy it would be to attack the city. The security expert pleads with people to leverage the patented stand-on-one-foot method. Unfortunately, people are busy and must get their work done so they naturally choose to cross over the six-inch fence.
Why would anyone build such a flawed system? In cyber security, the reasons typically vary. For instance, the tall-gate/short-fence scenario might be the only solution (sole course) that can protect the city, a limited budget could be another factor, or there could be a need to keep the short fence for those who could not integrate or adapt the legacy environment.
Designing a thoroughly integrated and secure environment is ideal but not always attainable. That is all the more reason to focus on efforts to better integrate security with user experience. Develop solutions for your employees that are realistic and doable within a fast-paced work environment. Balance the risk of non-compliance with the risk of threat. If major changes are required, be sure to remove the old way of doing things entirely and, if possible, recruit your marketing team to assist in properly messaging the change. Just be aware and accept that the reaction to change will never be 100% positive. But with leadership buy-in and a carefully laid plan, you will gain credibility and make way for a more positive transition period.
Dynamic and Engaging Education
At some point, most of us have taken a Computer Based Training (CBT) module seemingly developed by the most boring people you know. Those CBTs usually do little more than give compliance efforts a good reason to check a box. It is essential to field engaging training that validates the application of knowledge gained instead of facts remembered. Encourage the retention of knowledge through rewards. This can range from something as simple as a certificate to kudos given during a trivia challenge held in public meeting spaces. I once had a boss that would hide questions in the bulletin board at work. Those that read the new bulletins first were usually rewarded for finding the question and supplying the answer. A good place to start is by looking at other educational programs that work well in your environment and pulling from there. Even better, seek out your most successful competitor and find out what they are doing.
With these two aspects of security added to your assessment and engagement routine, when the next threat presents itself, you’ll know your people are better prepared to act, without stepping over the fence.
Milton (Jay) Jump CISSP, PMP, TS/SCI
Jay is an Information Technology Project and Security Program Manager with a Master's in Systems Engineering and a 22-year history working in the Defense & Space industry.