A long time ago, I learned that everything written should start with the BLUF (Bottom Line Up Front). So, let me start by saying that Insider Threat is real; it is with us every day. It is the wolf inside the door.
Or as stated by Walt Kelly in Pogo:
“We have met the enemy and it is us.”
Nations, companies and individuals alike have been betrayed by individuals in positions of trust – by insiders. The reality is that insider threat has been with us for a very long time, but thanks to Edward Snowden, Chelsea Manning and – most recently – Harold Martin, a contractor for NSA, the discussion has become very heated. Despite this laser-like fixation on insider threat, it is still not well understood and even less effectively addressed.
Facts About Insider Threats
1. Insider threat is not new. There has been a long history of insider threats ranging from Guy Fawkes, who tried to blow up the English House of Lords, to Snowden, who exposed NSA’s communications monitoring program. We can take it back to biblical times and cite Judas as an insider threat. In each case, the individual exhibited identifiable signs that went unreported due to the unwillingness or inability of others to accept the possibility that a trusted individual might really be a danger.
2. Insider threats are not always employees. They can include contractors, business partners, auditors, visitors…the list goes on. And not all insider attacks are malicious; the insiders may be the unknowing pawns of a malevolent colleague or victim of a poorly configured system or simply the careless initiator of unintended consequences. But one thing is crystal clear: insider threats are a costly problem.
Ponemon Institute’s 2016 research into cost indicated that the average annual cost ranged between $770K and $2.2M annually. And in today’s world, with the vast amount of digital information, the impact of an insider compromise can approach unparalleled levels.
But for too long, organizations have been taking the ostrich approach or as Mac Thornberry stated:
“We stick our head in the sand and pretend we are somehow safer if we do not know. Or to paraphrase Herbie Mann, the noted musician, “if you keep your head in the sand, you can’t see where the kick is coming from.”
Is it really possible to detect and defend against insider threats?
Well, not if we continue to ignore them. Research by organizations, such as the Carnegie Mellon University, indicate that there are deep cognitive biases that cause organizations to downplay the threats posed by insiders. And when recognized, organizations tend to seek advanced technology solutions rather than addressing the more difficult human problem.
Dr. David Charney’s research indicates that “strongly motivated [insiders] have demonstrated the capacity to successfully discern the seams between the most well thought out protective measures – and have insidiously slipped right through.”
Although technical solutions may be viable at the edge of a digital environment, at its very core insider threat is a human problem demanding human solutions. So, let’s have a straightforward discussion about insiders and preventing insider threat. It is NOT about implementing technical cybersecurity solutions – there are already sufficient writings that provide this information. It’s about looking at the entire environment where information exists and the people within that environment. It’s also about creating a culture of security within the organization, which is a blend of cybersecurity education and awareness, best-of-breed tools, and security policy.