Risk in a Digital World - Dealing with Insider Threat

Date: Sunday, October 16, 2016

Headquartered in Bengaluru, the entity specializes in providing enterprise solutions for content and business driven collaboration projects.

Digital Transformation is a Board mandate for several enterprises. Digital is reshaping markets, dissolving industry barriers and enabling unprecedented information flow that brings down the cycle time to business. While a lot has been written about the immense opportunities with Digital, it is important to recognize the risks that come with it. Gartner states that close to 60 percent of digital businesses will suffer major service failures due to the inability of the IT security team to manage digital risk in new technology. Just this month, the U.S. Justice Department announced that it had indicted seven hackers associated with the Iranian government, marking the first time the United States has charged state-sponsored individuals with hacking to disrupt the networks of key U.S. industries. This allegedly caused tens of millions of dollars in losses to affected institutions and businesses. The continuing legacy of targeted breaches (Sony, JP Morgan, AT&T, Vodafone, Home Depot, etc.) shows that this problem has moved beyond just the IT function to functional heads, senior management and corporate boards as well. The ramifications of a default are many, ranging from legal and financial to a risk to brand and reputation.

Corporate cyber security efforts are often directed towards the threat of outsiders trying to hack into an enterprise network but the biggest security threat could come from within an enterprise, in the form of their own employees or ecosystem who could unwittingly expose data and network to very great danger.

Insider Threats pose a great risk to enterprises because of the access that employees and contractors have to sensitive information. This includes accidental dissemination of data through negligence, as well as deliberate misuse via theft and so on. Protecting information and assets is a top objective of any enterprise. Enterprises spend a lot of time and effort to put in place the right protections across people and networks. This is not a one-time effort, but needs to be reinforced continually across the lifespan of the enterprise. At the same time, it can't be at the cost of inhibiting collaboration or lowering productivity by cutting information into pieces before it is accessed. Good corporate practices always include enterprises remaining vigilant and aware of the risks being faced. They also collaborate with peers in their industry to understand good practices and their applicability for adoption within their enterprise.

On an average day, employees are likely to log on to online services such as personal mail and Dropbox, send confidential files to the nearest printer or store data on USB drives. It is quite likely that some of them may accidentally send an email to the wrong address and not realize it, or realize it only after the fact. The first step in the risk mitigation process is acknowledging the issue and investing in a risk mitigation plan. The next step is to agree on an action plan in the unlikely event that such an issue is discovered despite all the protection measures deployed.

Some ways of mitigating risk include:

Establishing clear cyber security guidelines: While human error can never be completely eliminated, these incidents can be significantly brought down to negligible levels by establishing a comprehensive security policy that includes do's and don'ts. Equally important is to disseminate the policy and conduct regular employee trainings to ensure that they adequately understand the policy and its implications. This needs to be followed even in the case of Machine-to-Machine (M2M) accounts to ensure safeguards such as access restrictions and expiring passwords.

Role Based Authorization: Defining employee roles clearly, together with clear access rights, is paramount. It is also important to define what users can do with the data (read only, write/edit).

Automating the process: Safeguarding sensitive information involves implementing technologies such as data loss prevention software, geo-fencing, time fencing, database / file encryption technologies to encrypt data both at rest and in motion, remote wipe, identity management, multi-factor authentication and data access monitoring solutions. Any unusual employee behavior can be easily tracked with solutions such as user and entity behavior analytics. Strict control must be enforced over remote access methods.

Continuous risk monitoring: Proactive monitoring to identify insider threat risks on a continuous basis is crucial. Thanks to continuous monitoring software and advanced data analytics, it is now possible to automate the process of real-time analysis. It would be good to set up a small working group to regularly monitor, review exposure and report to the Board.

Change Management plays a very crucial role, as always. Consider how Lockheed Martin managed this with their program instituted more than two years since a contract employee shot and killed 20 colleagues at the Washington Navy. Even before they launched the program, Lockheed started by convincing employees that an insider program was in their best interest. They made sure that their employees understood the implications both for their overall security and for their jobs. Even a slight tweaking of language made a good difference. Employees in a focus group rejected a message that urged them to "report" odd behavior. However, when the word "report" was replaced with "engaged", it was well accepted. They did want all employees to be engaged. At the end of the day, employees were not okay with creating a culture of snitches.

Taking necessary action to mitigate risk is critical, but it is important to recognize that in the end, everything hangs on trust. Trust both by the enterprise and by the stakeholders. Transparency is paramount in execution, and if there is a program in place it needs to be disclosed and made transparent to all its stakeholders. Lack of such communication will seem like the stakeholders are being mistrusted. Stakeholders will need to understand both their stakes and their responsibilities to lead from the front and take ownership for successful execution.

The real keywords are trust, openness and transparency to make sure that this threat is being addressed effectively. As a famous quote goes: 'If you have built castles in the air, your work need not be lost; that is where they should be. Now put the foundations under them'. Meticulous execution, including change management, is absolutely non-negotiable to ensuring success in effectively managing this threat.