Torsion Information Security Blog

Exploring the business and technical implications of information security.

Who’s the Insider and why does it matter to your organisation?

Of all information security threats, the ‘insider’ security threat usually isn’t the image that people’s minds go to first.

Angry young men in darkened bedrooms, perhaps. Or offices full of reclusive geniuses, hacking away at the behest of their government, maybe.

Defining the ‘Insider’

For the purposes of this discussion, I'm going to define the term 'insider'. I'm going to exclude administrators, who often necessarily have highly privileged access to information in order to do their job. I'm also going to exclude 'hackers', who use subversive technical means to gain access to data.

I'm talking about regular, everyday staff members working in the business, and about anyone to whom those staff members have given, or to whom they have lost, their access credentials.

The Nature of the Insider Security Threat

Most other information security threats stem from gaps in the IT landscape. They tend to warrant predominantly technical responses such as firewalls, DMZs, intrusion detection, etc.

The insider security threat is different. To understand the threat is to recognise how information is created, shared, stored and moved within organisations. There are four pillars: people, information, business environment, and technology.

So when it comes to the nature of the insider threat, we can frame it using these four pillars also. Let’s list some aspects of the reality of each:

People

– Disgruntled staff
– Phishing threats and social engineering
– People constantly joining, moving, leaving
– External partners / customers / suppliers
– Poor security awareness / too busy to care
– 20% of staff willing to sell their passwords for $1000

Information

– Massive and exponentially growing volume of data
– In many different forms, including documents, emails, images, databases, printouts
– Moving independently through different lifecycle stages
– Of various sensitivities, classifications and purposes

Business Environment

– Constant business change – new customers, old partners, departments starting, offices closing, strategies and priorities shifting, organisational structures changing, mergers and acquisitions
– Working practices are increasingly flexible and collaborative
– The best intelligence about the information lies with the people in the business who are closest to the information, but IT tends to be responsible for information security
– IT tends to operate at arm’s length from the rest of the business
– Sometimes we try to bridge the gap with workflow and business processes, with varying success

Technology

– Information scattered across multiple platforms of varying maturity and capability
– The rise of the cloud – bringing powerful capabilities more cheaply, but also downsizing of IT teams, skills and budgets
– The rise of mobile devices and workforces – everything is available everywhere, anytime
– Many security solutions and vendors competing for market share

As with any risk, the insider threat can be stated as the likelihood of an incident combined with the potential severity of that incident.

So, any effective solution for minimising insider security threat needs to sit at the junction of all four areas at once, reducing the likelihood and severity of any incident.

Solutions which focus too narrowly on only one or two of these areas are only ever going to have limited overall effectiveness.

Relevant Technologies

There are a wide variety of technology types which are relevant to insider security. Choosing which technologies are right for your business must begin from an analysis of your own specific circumstances, risks and priorities.

Following is a list of some of the relevant technology types. This is certainly not an exhaustive list, but should cover the main areas of interest to most organisations.

  • Access Management – controlling and reporting on who has access to what, and how that changes over time
  • Data Loss Prevention – detecting, alerting on and blocking the movement of documents and other forms of information containing sensitive details (such as credit card numbers, DOBs, social security numbers, etc.) across boundaries or between people, where that movement violates business rules
  • Behavioural Analytics – monitoring people's interactions with systems and information, and detecting, alerting on and preventing anomalous behaviour. For example, a user attempting to download an entire document library that they have never otherwise worked with might trigger an alert for an administrator to investigate
  • Data Classification – classifying information by some combination of criteria, such as sensitivity, audience or purpose, and then using those classifications to drive security behaviours in both people and technology
  • Rights Management – extending and enforcing rights to interact with information in different ways, including after the information has left its host system. For example, a person can only open a particular document if they hold rights to it, even after that document has been emailed to them outside the network

Other technologies such as authentication, identity management, lockboxes, CASBs, encryption, firewalls, and intrusion detection are also relevant in a general sense, but are more foundational and technical than this discussion is intended to cover.
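
To make the behavioural-analytics scenario in the list above concrete, here is a small detector I have added as an illustration; it is example code written for this post, not a product's or the author's own implementation. It reads constructed audit-log lines (timestamp, user, action, library, document), works out each library's size and each user's prior involvement from the same log, and flags any user who downloads most of a library within a short window, at higher severity when that user has never viewed or edited anything in it. The log format, the user names, the ten-minute window and the 50% threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real system).
# Columns: timestamp, user, action, library, document.
# alice works in finance-reports regularly; carol has viewed it once;
# bob has never touched it and then pulls every document in 15 seconds.
SAMPLE_LOG = """\
2024-03-01T09:00:00\talice\tedit\tfinance-reports\tq1-forecast.xlsx
2024-03-01T09:05:00\talice\tview\tfinance-reports\tq2-forecast.xlsx
2024-03-02T10:00:00\talice\tedit\tfinance-reports\tboard-pack.pptx
2024-03-02T11:00:00\tcarol\tview\tfinance-reports\tq1-forecast.xlsx
2024-03-03T14:00:00\talice\tdownload\tfinance-reports\tq1-forecast.xlsx
2024-03-03T14:01:00\tbob\tview\tmarketing\tcampaign.docx
2024-03-10T17:40:00\tbob\tdownload\tfinance-reports\tq1-forecast.xlsx
2024-03-10T17:40:05\tbob\tdownload\tfinance-reports\tq2-forecast.xlsx
2024-03-10T17:40:10\tbob\tdownload\tfinance-reports\tboard-pack.pptx
2024-03-10T17:40:15\tbob\tdownload\tfinance-reports\tsalaries.xlsx
2024-03-10T18:00:00\talice\tdownload\tfinance-reports\tsalaries.xlsx
2024-03-11T08:00:00\tcarol\tdownload\tfinance-reports\tq1-forecast.xlsx
2024-03-11T08:01:00\tcarol\tdownload\tfinance-reports\tq2-forecast.xlsx
2024-03-11T08:02:00\tcarol\tdownload\tfinance-reports\tboard-pack.pptx
"""


def parse_log(text):
    """Parse tab-separated audit lines into sorted (time, user, action, library, doc) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, library, doc = line.split("\t")
        events.append((datetime.fromisoformat(ts), user, action, library, doc))
    return sorted(events)


def detect_bulk_downloads(events, window=timedelta(minutes=10), fraction=0.5):
    """Flag a user who downloads at least `fraction` of a library's distinct
    documents within `window`. Severity is 'high' when the user had no earlier
    view/edit activity in that library, 'medium' when they did."""
    library_docs = defaultdict(set)   # library -> every document seen in the log
    first_touch = {}                  # (user, library) -> first view/edit time
    downloads = defaultdict(list)     # (user, library) -> [(time, doc), ...]
    for ts, user, action, library, doc in events:
        library_docs[library].add(doc)
        if action in ("view", "edit"):
            first_touch.setdefault((user, library), ts)
        elif action == "download":
            downloads[(user, library)].append((ts, doc))

    alerts = []
    for (user, library), dl in downloads.items():
        size = len(library_docs[library])
        for i, (start, _) in enumerate(dl):
            # Distinct documents this user pulled within `window` of this download.
            docs = {d for t, d in dl[i:] if t - start <= window}
            if len(docs) / size >= fraction:
                involved = first_touch.get((user, library))
                severity = "medium" if involved is not None and involved < start else "high"
                alerts.append({"user": user, "library": library, "severity": severity,
                               "documents": len(docs), "library_size": size,
                               "window_start": start.isoformat()})
                break  # one alert per user/library is enough for an analyst to act on
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_downloads(parse_log(SAMPLE_LOG)):
        print(alert)
```

Running the file prints two alerts: bob's download of all four finance-reports documents is rated high because he had never viewed or edited the library, and carol's download of three is rated medium because she had viewed it beforehand; alice's occasional single downloads never reach the 50% threshold. In a real deployment the baseline of who has worked with what would come from the platform's own audit trail, and the threshold would need tuning per library, because a fixed fraction is tripped very easily on small libraries.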

The Insider Threat today

Internal security breaches are the costliest form of information security incident. These are incidents caused by regular, everyday staff members acting maliciously, accidentally, or obliviously to the damage their actions (or inaction) could cause, leaking information, or enabling its leak, to people outside the organisation or to others inside the organisation who shouldn't have it.

A recent survey found that security incidents caused by malicious insiders cost companies an average of over $144,000 each year. Another survey found that companies experienced an average of six such breaches in 2015 alone, and that 75% of organisations experienced at least one.

Forthcoming EU regulations are set to apply extremely harsh punitive fines to any company responsible for information containing details of EU citizens that leaks to the public, whatever the cause. A staff member accidentally shares a spreadsheet containing customer names and addresses? The fine could exceed €20 million. The regulators are not messing around.

This now qualifies as a severe, even existential, risk to companies everywhere.