Apply Critical Thinking And Culture To Reduce Insider Risk
Security pros have recognized National Insider Threat Awareness Month (NITAM) each September for the past four years. This year’s NITAM theme is “Critical Thinking in Digital Spaces.” In his endorsement letter, DCSA Director William K. Leitzau stated:
Critical thinking in a digital society is a skill that all security professionals must develop, especially as we become more reliant on technology. A key component of insider threat prevention is to develop increased awareness and understanding of hidden dangers. Critical thinking helps individuals become more attuned and less susceptible to such dangers, including social engineering, solicitation by adversaries (foreign and domestic), and harmful information.
The emphasis on critical thinking as a necessary factor in addition to technology demonstrates that insider threat is fundamentally a human problem, not simply a technology problem.
Forrester survey data indicates that 26% of data breaches are caused by internal incidents.
We won’t solve insider threat solely by applying technology solutions. Instead, we must go a step further and engage and influence stakeholders at all levels of the organization to build that critical thinking, change behavior, and instill security into the culture. Awareness alone is not enough.
Use Critical Thinking As A Human Security Control
The three broad types of insider threat are:
- Accidental or careless misuse — insiders who break policy without malicious intent
- Malicious insiders — insiders who intentionally misuse or abuse data and systems
- Compromised account — external actors who gain access to user accounts
Critical thinking can help accidental insiders be less susceptibility to tactics used for account compromise. Understanding safe data handling policies, why they’re in place, and how to recognize common attack techniques is key to preventing accidental data compromise.
Social engineering and phishing are primary causes of account compromise, with many other user behaviors that put organizations and individuals at risk. Helping users defend themselves against these can reduce the risk that external attackers can access valid user accounts.
Stopping insiders with malicious intent, however, also requires critical thinking on the part of the defenders. Security pros and stakeholders (like HR, legal, and risk) must design defenses, policies, and processes to protect against access abuse and monitor user behavior to detect malicious actions.
Insiders need to be wary of individuals approaching them to pay for their access and must use their critical thinking skills to understand that this may not just be a policy violation — it can also be illegal.
Influence Employee Experience Address Insider Risk
Insider threats are sometime born through their negative employee experience, and disgruntlement is a common motivation for users to turn malicious.
Security pros should work with business stakeholders to help them understand that unhappy users represent insider risk and influence programs to address this. Security pros can also help determine how user psychology can be used to improve the understanding and responses to various security challenges.
Organizations should also take insider risk into account when planning reorganizations or layoffs as these actions can be motivating factors for insiders.
Evolve Insider Threat To Insider Risk
Since the term “insider threat” can be seen to imply that users are, in fact, threats, some insider teams are now referring to themselves as insider risk teams instead of insider threat teams. Additionally, the compromise by an insider, whether it be malicious or accidental, creates risks for the organization beyond security and could have regulatory, revenue, and reputational consequences.
The pivot to the term “insider risk” also acknowledges the role the insider team can play to educate users and reduce the risk that insiders pose to organizations.
Learn More About Reducing Insider Risk
I’m leading a panel discussion about insider risk at Forrester’s upcoming Security & Risk event on November 8–9. My colleague, Alla Valente, and I will be joined by two outside experts for a panel discussion titled, “Insider Risk Reduction Requires Two Parts Culture, One Part Security” to discuss strategies for reducing insider risk, including the role culture plays.
Jinan Budge will also lead a track session titled, “From Compliance To Cultural Change: The Future Of Security Awareness And Training” to provide insight into how security awareness is evolving to deliver actual behavior and culture change.