What’s the difference between a breach caused by malicious intent versus one borne of ignorance? If they both have the same outcome, does it even matter? Jan Zeilinga, Founder and CEO of NextID, dives into the dangerous world of insider threat and explains why it’s so important for organisations to align their programs with the biggest risk factors.
What is an insider threat?
Today we’re in a digital world, and insider threat from this context is really around the ‘insider’: an employee, business partner, consultant. Someone who has some level of access to the internal workings of an organisation. The threat element is them doing negligent or malicious acts, which can result in harm to the business. So in the old days of the manual till, employees could steal money out of the cash register. Today, employees are knowledge workers, and one of the most valuable things that can be stolen is data. That’s an example of insider threat.
So this isn’t a new concept, but it sounds like the game has changed and there’s much more opportunity to do significant damage. Is that the focus right now?
Without a doubt. Think about an employee sitting down with a laptop – they need to have local admin rights to install software. So they get their local admin rights and when they are using those rights they might click on a phishing link that then exploits those rights. Next thing, the nation state has hacked into the internal network and is siphoning IP or causing disruption.
That’s a worst-case scenario, but it also could be just a disgruntled employee who may have elevated rights in the system. They get annoyed and want to leave, so they delete a set of files and backups – all of a sudden the business comes to a grinding halt. The harm of insider threat today is much larger than yesterday.
So from those examples, the phishing one is a product of ignorance or poor training, and the other is malicious. They’re clearly different in how the event occurs, but the outcome is the same. What are your thoughts on how they both start to manifest within organisations?
The ignorance one is really people having too much access – access they don’t need and don’t fully understand. Whereas the malicious one, people can be motivated for a number of different reasons. It could be a political motivation or about self-gain. But they can also be motivated by external factors.
It’s not uncommon for cyber criminals to plant people in organisations or coerce people into doing a particular malicious act. I think we’ve got to be very aware that it’s not just someone doing the wrong thing by accident. Sometimes the motivations may not be as straightforward as we originally thought.
Thinking about privileged access management, identity governance, onboarding, proofing – is it even possible to have one person in the organisation responsible for everything, or should we be doing something different?
When things go wrong in an organisation and significant harm is caused, it really goes all the way up and it stops with the board. The board has a risk committee and they need to be across the insider threat. They’re responsible for owning the aggregated risk within an organisation.
But once it comes down from there, it gets a little bit murky. In most of the projects I’ve worked on, it’s treated as an IT tool. But while IT owns the software components, they actually don’t own the service; they don’t own the solution and they don’t own the risk. The risk is owned by maybe the CRO on behalf of the risk board. The CISO probably owns the business surface. So the CISO’s team would be in charge of saying who can have what. The CIO would probably own the infrastructure, or the cloud hosted server. And then you’ve got the COO who would be holding the operational risk on a day-to-day basis.
So I don’t think it’s possible to have a single ownership. It’s more common to have it split between the CRO, the CISO and the CIO, with the COO maybe sitting at the top of that.
Are there any industries managing this threat better than others?
The industries that kind of lead the way are the financial institutions, the big end of town. This is not their first run at trying to solve the insider threat. So in the mid-2000s, they spent lots of money trying to resolve the insider threat, especially around rogue traders – businesspeople who have the ability to buy and sell and then cover up their tracks. They kind of led the way in the insider threat capability and they today invest millions and millions of dollars to resolve the insider threat problem; they really understand it.
I’ve been to a number of other organisations where they don’t have a whole program that’s constructed with a good change control process, a good understanding of the benefits they’re trying to achieve. They don’t have a way to measure it and then report it back in a way that says “We’ve reduced the number of privileges in our environment by X. We have no orphan accounts. We know who’s on our systems. We’ve performed verification checks on all these people.”
Coming back from the big end of town, there seems to be a very large void between them and the rest of the industry.
Do you think there’s a particular reason for that?
You’re not going to like the answer, which is that they’ve been pushed to it by the regulators. I’ve never been on a project that hasn’t been pushed by either internal or external audits, with some significant audit findings that have to be resolved. It’s always come from that audit level: “We must do X or else we are going to be held accountable to the board or the risk committee.”
That’s the big difference. I’ve worked in the banking industry since 1997, and with these projects – no matter the cost benefit or the risk reduction – it always comes down to “We must do it.” Therefore, they do it and they do it well.
What advice would you give to an organisation that’s concerned about insider threat?
The first thing is to not immediately jump to the obvious things – like you must do two-factor authentication. Two-factor authentication won’t solve all of your insider threat. It’s really important to go beyond what the vendors talk about and have a think about what insider threat actually means to you and your organisation. What are the highest risks and threats that you need to manage? Then you can align your programs with those threats and risks.
You also need to do this as a cultural organisational change. It can’t be done as a side project. It needs to have proper buy-in and people with authority making the calls. That’s the best advice I can give: make it well-structured and get people with authority involved.
Want more insight into the world of security, identity access management, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 here or listen via Apple Podcasts, Spotify or your favourite podcast app.