[BreachExchange] Companies Must Invest in More Robust Insider Threat Programs

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 26 19:06:28 EDT 2018


https://www.thecipherbrief.com/column_article/companies-must-invest-robust-insider-threat-programs

The most infamous spies, moles, and saboteurs have come from intelligence
and military organizations.  However, recent allegations made against an
employee by Tesla CEO Elon Musk serve as a stark reminder that private
companies also find themselves vulnerable to potential malicious insiders
capable of causing millions of dollars in damage by stealing intellectual
property, damaging facilities or leaking information that can embarrass the
organization.

Many private companies that do classified work for government agencies have
developed comprehensive programs to identify and mitigate insider threats
due to changes in regulations governing such sensitive work.  Beyond these
firms, however, corporate leaders face a balancing act between security and
risk as they determine the right level of resources to devote to protecting
themselves, their customers, and their shareholders.

In public comments and internal communications over the past week, Musk
alleged that at least one Tesla employee had stolen company secrets, and
shared that information with third parties.  The company filed a lawsuit
against the employee – who says he is the victim of backlash and calls
himself a whistleblower – on June 20 for stealing confidential data and
hacking manufacturing operating systems.  Three days earlier, in an email
sent to all Tesla employees, Musk asserted that a disgruntled employee who
had not received a promotion engaged in “extensive and damaging sabotage”
by modifying critical computer code and sending sensitive proprietary
information to outsiders.  Hours later, Musk sent another all-hands email
about a fire on a production line.  Calling it “another strange incident
that was hard to explain,” Musk asked employees to be alert to suspicious
activities, writing, “only the paranoid survive.”

Paranoia, unfortunately, is not a particularly effective strategy for
identifying malicious insiders – particularly given the Ponemon Institute
finding that 59 percent of departing employees take company data with them
when leaving their employers and that 24 percent had access to their
employers’ computer systems after quitting.  While most companies, like
Tesla, do have robust security practices, the Tesla incident serves as a
strong reminder that executives need to take a strategic, long-term
approach to corporate security that includes protecting against
cyberattack, physical attacks, and insider threats.

Corporate leaders’ focus on reducing short-term overhead costs makes them
reluctant to invest in insider security programs whose return on investment
– the prevention of damage – is difficult to calculate.  But an insider
threat program must be seen as a long-term investment in protecting company
assets. Just as an insurance policy hedges against the risk of incurring
far larger costs, insider threat programs are a bargain compared to the
damage that a disgruntled or careless employee could cause to a company’s
reputation or bottom line.

Organizations’ greatest insider threat concerns include preventing theft of
data or intellectual property, fraud, information technology (IT) sabotage
and workplace violence – any of which can cause incalculable damage to a
company’s brand, R&D investments, and future revenues.  Common pitfalls
include addressing such threats in organizational stovepipes – such as
facility security, cybersecurity, or human resources – or by focusing on a
purely technical fix without considering people-centric solutions.  But by
taking a cross-departmental approach and integrating insider threat
programs into the fabric of the company, organizations can maintain their
competitive edge and address common concerns from all areas of the business.

Effective insider threat programs examine multiple facets of employee
conduct, such as network use, performance, and policy compliance.
Managers, working with human resources staff, could flag employees who
demonstrate troubling workplace behavior or a failure to follow company
policies. Data monitoring tools can establish baseline network behavior
patterns for each employee, and security staff with effective monitoring
and data analytics tools could flag anomalous conduct or detect atypical
amounts of data flowing out of the company’s networks from a particular
user. Company-wide efforts raise the likelihood that malicious activity
could be identified before an employee sabotages a project or walks out the
door with valuable corporate secrets.

Employees under significant stress have the potential to cause physical
harm as well as damage to networks or intellectual property.  Workplace
violence – another form of insider threat – not only presents a serious
safety risk, but negatively affects employee morale and performance, erodes
public confidence, and potentially leads to costly litigation.  It is
highly unusual for employees to “crack” suddenly; typically, research
shows, they exhibit a series of behaviors over time.  These patterns can be
identified through a strong insider threat program, as they are observable
in the employee’s network usage, as well as by co-workers and supervisors
who have been trained to identify signs of concerning conduct.

Although many companies will seek to terminate an employee engaging in
concerning behaviors, other options exist for managing at-risk employees
who are identified early through continuous evaluation and co-worker
input.  For example, a firm can offer counseling resources or move the
staff member to a less stressful position that does not involve access to
sensitive information.  An insider threat program can thus assist troubled
employees while protecting the company’s people, facilities, and
information.

Protecting a company’s assets from malicious insiders requires the
detection of precursor activities – small transgressions that raise red
flags – that manifest themselves before damage occurs. Identifying such
signposts requires input from stakeholders throughout the company,
including IT, human resources, security and individual employees.

Paranoia about spies and saboteurs will not defend a company from harm.  A
comprehensive insider threat program is critical to protecting a
corporation’s people, facilities, networks, and ideas.  Any company
operating without an insider threat program is inviting disaster.