Since the betrayal of Caesar by Brutus the problem of how to determine and counter the threat from insiders has been a challenge. Recently, with the high profile cases of Chelsea Manning and Edward Snowden it might seem that this challenge is impossible in the context of information security.
After all, if governments with all their resources cannot protect against insiders what chance has a hard-pressed commercial company, more focused on delivering efficiency than watching what its staff are getting up to?
To answer this question we should consider what the insider threat looks like and what can be done to counter its most realistic impacts? First of all, what is an insider? When organisations consider this threat they are usually focused on the actions of their employees.
A typical definition for an insider is an individual who exploits their legitimate access to an organisation’s assets for unauthorised purposes. This definition includes both physical and logical access for individuals who may not be employees. Insiders can include business partners, contractors, service providers and consultants, in fact anybody with legitimate access.
Insiders have a significant advantage over others who wish to exploit the information assets or inflict damage. As well as valid access credentials they may have detailed knowledge of the organisation’s policies, working procedures and technology, from which they can identify vulnerabilities to exploit. They may also be able to cover up their activities such that they go unnoticed for years, making the impact of their actions even more damaging.
The US 2012 CyberSecurity Watch Survey1 found that 53 per cent of organisations that responded had experienced at least one malicious insider incident. In the UK, a 2014 security survey2 identified that at least 58 per cent of large companies had suffered a staff related breach. As these figures are only indicating the detected incidents it is clear that the insider threat is significant and needs to be addressed.
The Centre for the Protection of National Infrastructure3 (CPNI) has been collecting information on known insider activity and has identified some common themes on the types of individuals involved and their motivations. They have analysed over 120 UK-based insider incidents across a range of industries including the public sector, identifying five main types of activity4:
- unauthorised disclosure of sensitive information;
- process corruption;
- facilitation of third party access to an organisations assets;
- physical sabotage;
- electronic or IT sabotage.
The most frequent activities are disclosure and process corruption, accounting for most of the incidents. They also undertook a demographic analysis that highlighted some interesting trends:
- men were significantly more likely than women to engage in insider activity;
- almost half the individuals involved were in the age range 31-45 years, with a decrease in involvement after 45 years;
- permanent staff committed the majority of acts, whilst contractors accounted for only 7 per cent of incidents;
- the majority of cases involved individuals who had worked for their company for less than five years;
- certain types of roles were more at risk, including customer service, finance and security;
- insiders were active for less than six months to over five years and were generally self-initiated rather than individuals who had deliberately sought employment to compromise their new employer;
- graduates were more likely to be involved than non-graduates.
The CPNI study also identified clear links between insider acts and organisational weaknesses in protective security, including poor management processes, auditing, security culture and pre-employment screening. It also identified five main motivations as, in decreasing occurrence:
- financial gain;
- ideology;
- desire for recognition;
- loyalty to friends, family or country;
- revenge.
A larger study has been undertaken on US insider activities by the CERT team at the Software Engineering Institute. They established the Insider Threat Center5 that has published regularly on a wide range of insider topics since 2001. A database of 700 incidents has been created from which they have identified similar types of activity to the CPNI study, suggesting insider behaviours may not be unique to the UK.
What can be done?
Defence against insiders is complex and requires a layered approach of policies, procedures and technical controls. Of particular importance is good supervision of staff, to be aware of changes in attitude or personal circumstances. Also robust governance processes to highlight potential problems early are important, particularly when there is opportunity for fraud.
Other steps than can sometimes be taken include job rotation for sensitive roles, enforcing strict need-to-know, regular security audits and separation of duties. The selection of which controls to apply should be based on a comprehensive risk assessment linked to how the organisation has chosen to undertake its business.
The CPNI has more detailed advice based on its HoMER project6 and the CERT Insider Threat Center has identified 19 best practices that can be used for further guidance7, mapping them to the controls present in ISO27001 and other information security standards.
The risk assessment and deployment of controls to mitigate the insider threat is not a one off task and requires regular review. Technology advances and service delivery changes will present increasing insider risks that may require further measures to be taken.
Current issues include:
- cloud services introduce a dependence on strangers for the protection of information assets;
- social media can identify individuals that may be susceptible to financial or coercive influence, as well as being a source of intelligence on what an organisation is planning;
- USB sticks and other memory devices can hold large numbers of documents for an employee intent on stealing data;
- BYOD policy and implementation weaknesses can increase risk from both accidental and deliberate actions;
- smartphones have the capability to record private conversations and videos, take photos of sensitive screens as well as to connect to company computer networks.
Finally, to answer the question posed in the title, employees are most definitely an asset, but one that needs to be managed properly with appropriate controls implemented to mitigate the identified risks. I believe the insider activities studied by the CPNI and Insider Threat Center do not indicate that employees should not be trusted, after all most 40-year-old male graduates working in security do not pose an insider threat.
Perhaps a more informed approach is summarised in the Russian proverb ‘Trust, but verify’.