Educating Business Leaders About Insider Threats
Malicious insiders present real risk to the business. Their inside knowledge and understanding of systems and data make them particularly dangerous, as they are hard to detect and know where the most valuable data resides. Media reports about external threats have thrust cyberattacks into the mainstream, but breaches caused by malicious insiders rarely make headlines. Because insider threats require a top-down approach, executives and boards of directors need education about the threat posed by malicious insiders and how to defend against them.
Below are his responses.
Q. Why do insiders pose a real risk to the business?
Blankenship: As we’ve seen from the many public instances of insiders disclosing sensitive government information over the past few years, insiders represent a significant risk to the business because of their knowledge of the inner workings of the organization and their access to the most sensitive and valuable information.
According to Forrester surveys, 39% of North American and European security decision-makers in 2015 listed internal incidents within the organization as one of the most common ways in which a data breach had occurred. A year later, this number has increased to 43%. Data commonly targeted includes payment card data (PCI), personal healthcare information (PHI), personally identifiable information (PII), and intellectual property (IP), as well as authentication credentials.
With breach disclosure laws and the threat of litigation, these breaches represent real financial risk. Reputational damage is another potential risk, as customers may lose confidence in a vendor that loses customer data due to insider theft or carelessness. Insiders may also access and leak financial information or planned merger and acquisition (M&A) plans that can be used to commit financial fraud.
An often overlooked yet important business risk is the loss of IP, which can hurt future revenues. IP is the lifeblood of a business, representing current investments in future revenue opportunities. Once that IP is lost, competitors may be able to beat the company to market or offer a competitive alternative that diminishes market opportunity.
It’s important that boards and management teams recognize insider threats as a risk, just as they consider cyber risk from outside the organization.
Q. How can security leaders discuss insider threats in business terms?
Blankenship: First, security leaders need to work with their counterparts within the business to understand the things that are important to them and how they measure success. Instead of talking about metrics like vulnerabilities patched, malware remediated, or alerts closed, business leaders speak in terms of revenues, profits, and costs. Make an effort to understand how your organization operates and learn what data, systems, and infrastructure are vital to success.
Having this level of understanding lets security leaders know how security enables the business, in general and in terms of insider threats. Examine how a malicious insider could hurt the business either through theft, fraud, or sabotage. Work with other business leaders to translate that impact into financial impact. Uncover things like:
- How could a malicious insider disrupt business? What is the cost of that disruption?
- What would happen if an insider leaked intellectual property? How would that affect future revenues and competitiveness?
- Could an insider affect any upcoming strategic plans like expansions, M&A activity, and stock offerings?
- What sensitive customer data does the company hold? Understand that data and calculate the potential cost of it being leaked to the outside.
- How might insiders gain access to financial data or disclosures? How might they use that to their advantage?
As business becomes increasingly digital, security leaders have a role to keep digital businesses operating safely and securely. Understanding the impact that insiders could have and communicating that risk to the business owners is an important part of securing the business.
Q. Why does an insider threat program require management engagement? Isn’t this a security function?
Blankenship: Everybody inside an organization is an insider. This includes executives, employees, contractors, and partners. Management engagement is important due to the nature of the risk that insiders pose as well as the sensitive nature of malicious insider investigations and the resulting actions.
Management should be involved in setting the policy for how malicious insider investigations are conducted as well as the action taken against insiders who are proven malicious. Policies have to be consistent, even if the accused insider is a key executive. Falsely accusing an employee or mishandling evidence during an investigation could also result in litigation or labor action. Either of these can have a widespread impact on the organization.
Insider threat programs should be managed from the top down. Multiple departments, including human resources, legal, risk, information technology, and security, may be involved in designing the program and creating policies (like an acceptable use policy). Decisions about when to investigate a potential insider should come from outside the security organization. Likewise, decisions about disciplinary action should come from the management team.
Business context is also important to the insider threat program. The security team may have limited or no visibility into some business functions and will need to engage with business owners to understand those aspects of the organization.
Q. What are the risks of taking no action?
Blankenship: Since malicious insiders represent such a high percentage of data breaches, organizations risk creating an environment where insiders believe no one is looking and their actions don’t have consequences. While no organization wants to create an atmosphere akin to “Big Brother,” where employees feel as if their every move is scrutinized, they do need to understand that they are responsible for protecting the data and systems with which they interact and their actions on company systems will be monitored. Without this understanding, insiders may see no issue with taking sensitive information and using it for their own personal gains.
For a deeper dive on how to educate business leaders about insider threats, watch our on-demand webcast featuring Forrester Senior Analyst, Joseph Blankenship.
Source: Global Business Technographics® Security Survey, 2015, Forrester Research, Inc.
 Source: Global Business Technographics® Security Survey, 2016, Forrester Research, Inc.