Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

12/7/2018
10:30 AM
Richard Ford
Richard Ford
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Insider Threats & Insider Objections

The 'tyranny of the urgent' and three other reasons why it's hard for CISOs to establish a robust insider threat prevention program.

There’s no shortage of good coverage in the media on the important topic of insider threats.  Yet despite the headlines, according to a 2018 report by CA , only 36% of companies surveyed say they had what they considered a mature insider threat program in place. So where is the disconnect? Based on my own experience and that of my CISO friends and colleagues, there are several factors that blunt attempts at establishing a robust insider threat program, among them: long “to do” lists, optics, privacy, mindshare and culture.

The never-ending "to do" list. If it’s not multifactor authentication (MFA), it’s endpoint detection and response (EDR). If it’s not EDR, it’s identity and access management (IAM). If it’s not IAM, it’s BYOD. You get the idea – every new threat (or acronym!) requires a custom-tailored solution, and the list of things to address keeps growing. Thus, CISOs, often caught by the tyranny of the urgent, are forced to make mindful but difficult tradeoffs regarding priorities. In that calculation, insider threat often doesn’t make the cut.

The problem of optics. Maybe you’ve taken a long look at your business and decided that the lack of an insider threat program is significant enough that you should address it. Good for you. Now you’ve got to get past the set of objections I file under the broad heading of "optics." Insider threat just sounds negative. For what it’s worth, I absolutely hate the name because it conjures up visions of shady characters skulking around the water cooler planning dark deeds, and that’s absolutely not how we want to view our coworkers.

While there are plenty of documented examples of employees "going to the dark side," the most effective insider threat programs are focused on protecting employees from themselves, each other, and attackers. The intent of the program is almost wholly positive … but the name is most definitely a negative.

It’s made worse by cultural issues. While I wish it were otherwise, it’s also best to admit that there are a lot of different relationships and dynamics that exist between employee and employer. Trust can be an issue, and in many companies, there exists a distinct sense of "them" and "us" that separates executive management from the workforce – something that acts to the detriment of trust. On top of that, you may have additional challenges from diverse cultural norms if you are a global company operating in different parts of the world. What’s okay in America may be anathema in Zimbabwe, and vice versa, ranging from muddled privacy regulations and employment laws to multi-department, multi-national tensions. Do you really want to jump into that?

The employee privacy issues. Users have legitimate concerns about how much they reveal of themselves to their employers. Not only are there ethical questions, but there are a mish-mash of laws that dictate what a company can and cannot do with respect to employee privacy. This becomes a really tough issue for CISOs.

Mindshare – or making the boss happy. The job of the CISO is not as simple as just protecting the company; it’s about making the boss happy – and that boss is ultimately the CEO or the board of directors. If the risks posed by insiders aren’t part of his or her mindshare, insider threat programs won’t look like a good investment. You can do some work to educate, but too often we find that we are faced with people whose minds are already made up.

Those are the objections. It’s your job to figure how to overcome them. But here are two suggestions:  

First, be clear about the facts that justify the cost of an insider threat. The news is full of stories that chill to the bone with respect to misbehaving insiders. No company can afford to ignore these real-world incidents, and you can make the case about the damage they cause with hard numbers.

Second, take the optics issue head on. Start by having a real dialogue within the company about how programs like this are a force for good not evil. But make sure that your actions match your words. For example, a well-implemented program doesn’t actually have a negative impact on privacy. It’s all a matter of how you structure it. Yes, there is more up-front work required to do it right. But by putting in the effort, you can also make adoption of the program a way to meaningfully increase employee privacy as well as safety and security.

Related Content:

Dr. Richard Ford is the chief scientist for Forcepoint, overseeing technical direction and innovation throughout the business. He brings over 25 years' experience in computer security, with knowledge in both offensive and defensive technology solutions. During his career, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RFordOnSecurity
50%
50%
RFordOnSecurity,
User Rank: Author
1/15/2019 | 8:18:28 AM
Re: No end
Definitely agree that looking at the problem from many sides is critical - it's fatal when we take a single perspective and don't look at it from the different stakeholders are coming from. 
michaelmaloney
50%
50%
michaelmaloney,
User Rank: Apprentice
1/15/2019 | 1:55:07 AM
No end
There is no end when we discuss about the insider status of living. It needs to be viewed from different angles in order for us to grasp what the whole idea basically stands upon. It might not even make a huge difference at the very beginning but as soon as we see progress, it would most certainly be of a huge scale.
RFordOnSecurity
50%
50%
RFordOnSecurity,
User Rank: Author
1/3/2019 | 8:27:38 AM
Re: At the end of the day
Hi Cameron. Yes, I think that's right - and in fact, the breakdown of employee/employer trust is a major challenge that companies need to get past. It has to be a relationship; a lot of security goodness happens when there are strong relationships between the senior leadership and broader employee base. Without that, it becomes a zero sum game, and the imbalance can really cause some challenges. 
CameronRobertson
100%
0%
CameronRobertson,
User Rank: Moderator
1/3/2019 | 7:13:05 AM
At the end of the day
At the end of the day, I reckon that your employees need to have a certain trust in your company or loyalty, if you're expecting them to do something for the safety and security of your company, then you also have to make sure that you reward that service to the company somehow too right?
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.