Strategically Building An Effective Insider Risk Program
High-value cybersecurity targets come in many forms, but as geopolitical tensions and social unrest gain momentum, regulated industries and critical infrastructure have moved to the top of target lists. For example, Check Point counted 1,162 documented cyberattacks on U.S. utilities in 2024 so far, compared with 689 over the comparable period of 2023 [1], a roughly 70% year-over-year increase in known threats to U.S. utilities. The goal of securing today's critical infrastructure should be to remain resilient in the face of an evolving, increasingly sophisticated threat landscape and so protect our modern way of life.
The nation-state threat actors that regulated industries face are highly determined, patient, and adaptive. As regulated industries comply with growing cybersecurity requirements and mature their defenses against remote-access threat vectors, these advanced actors may revert to pre-internet tradecraft focused on close-access operations: planting rogue cellular access points, introducing compromised USB drives, and even co-opting employees. In 2023, for example, there was a significant rise in malware distributed through USB drives, such as the Sogu and SnowyDrive campaigns [2]. Attributed to advanced threat actors including Chinese espionage groups, these attacks targeted sectors including energy, oil, and gas. A renewed focus on close-access attacks makes it very likely that adversaries will increasingly target internal company personnel, through social engineering, to help achieve their objectives.
Nearly every one of our 16 critical infrastructure sectors is highly regulated, and for good reason.
Critical infrastructure encompasses assets, systems, people, and networks, both physical and virtual, that are vital to the proper functioning of our Nation's economy, national public health or safety, security, or any combination of these. In most cases it is far easier for an insider than for an external attacker not only to achieve an objective but also to cause significant impact to the organization. A successful malicious insider can bring critical operations to a halt, causing service disruptions that lead to significant downstream impacts.
Shortages in critical goods and services, from energy production and manufacturing lines to pharmaceuticals, medicines, and transportation, pose a serious threat to our way of life. More sinister still, malicious insiders can cause tangible physical harm, including employees being injured or even killed.
Insider Risk Programs are a vital component of a mature safety, physical security and cybersecurity program within critical businesses. Designing and implementing successful Insider Risk Programs requires a thoughtful approach and careful consideration of effective threat mitigation strategies while protecting the workforce from harm.
Insider Risk Programs are no longer a nice to have, they are a must have.
Getting Started & Key Focus Areas
Keeping people, information, IT infrastructure, and operational facilities safe, in both the physical and cyber realms, is critical to building a resilient organization that can withstand sophisticated attacks, ransomware, social engineering, and Advanced Persistent Threats (APTs). APTs are typically long-term campaigns that gain access and maintain a quiet foothold in networks and systems for months, sometimes years, before carrying out the intended compromise.
These patient and persistent threats must be met with defenses that are just as persistent if critical infrastructure organizations are to stand a chance. Insider risk reduction programs should be viewed as an investment rather than an expense, which is usually a hard sell when the cost to implement is an operational expense. Achieving organizational and executive buy-in is a crucial first step. Understanding and quantifying which risks the program should focus on and mitigate, and ensuring alignment with the corporate-wide risk register, is key to gaining that buy-in.
Assigning a dollar value to the impacts discovered during tabletop scenarios, such as cost per million PII records stolen, cost per hour of operational downtime, cost of destruction of tier one and tier two assets, or cost of workplace violence, is a good way to get an executive's attention. Certain scenarios, like theft of IP, are harder to quantify. In such cases it is important to show that corporate IP is irreplaceable and that its theft can produce years, sometimes even decades, of negative consequences; in some cases it is enough to jeopardize the entire business.
Reviewing the corporate Risk Register and 10-K filings, if available, can help align the value of the program in direct support of the company's most significant risks and highlight the potential impacts of inaction. Program managers should familiarize themselves with these types of reports and leverage the insights from them to make their case. Building support across the Board of Directors and the entire C-Suite, not just the technical or security-minded leaders, is critical to avoid the program being seen as just another business expense. Documenting the goals and objectives up front, establishing clear roles and responsibilities, and gaining stakeholder buy-in are key to building the foundation of a successful program.
For more details on how to convince the business to act on implementing an Insider Risk Program, see the whitepaper "How to Convince the Business to Act".
Insider Risk Programs are one piece of the larger cybersecurity puzzle. When standing up a new program, no matter where in the company the function is aligned, it’s important to ensure that the cyber team takes into consideration their role during a mitigation or remediation event and updates the Cyber Incident Response Plan appropriately. It’s also important to ensure there are clear lines of communication in order to support all levels of the organization, regardless of who is in charge.
Another key focus area during program stand-up is establishing an Insider Risk Oversight Committee made up of responsible parties with clearly defined roles and responsibilities. Its duties include establishing the criteria that trigger elevated risk scores, determining and revising which behaviors are considered risky, and continuously feeding lessons learned back into the program so that it evolves into what the organization deems effective, accurate, and fair. Once the program is fully operational, it should, in addition to the monthly or quarterly Oversight Committee meetings, regularly consult internal legal counsel to keep them apprised of any current investigations or new personnel of interest.
When choosing partners for your Insider Risk Program, look for those who go beyond the software to help you with organizational challenges as well. They will have gained wisdom from their experiences helping other organizations develop their programs.
When it comes to building Insider Risk Programs, purpose-built technology and mission experienced teams are a necessary component. Look for solutions that have built in checks and balances to prevent abuse of power and authority. Asking questions like “are these logs immutable?” and “does this type of evidence hold up in a court of law?” can help your organization understand exactly what they’re purchasing and how effective the tool can be in legal proceedings.
Building a responsible Insider Risk Program is paramount to keeping people, information, and facilities, safe. Understanding organizational risk, gaining leadership buy-in, establishing an Insider Risk Committee, and thoughtfully engaging mission partners requires a lot of work upfront, but over the long term, the organization will build a superior security posture and be able to more efficiently mitigate risks that come from inside the organization.
DETER.
When it comes to protecting your workforce and company from internal risks, deterrence is always preferable to detecting and mitigating an event. Taking a measured, proactive approach to employee training and awareness, clearly defining reporting processes and procedures, and designing programs that set a high standard of organizational justice will bolster organizational defenses and help keep risks from evolving into threats.
Awareness training of the workforce is important not just so that individuals understand the expectations for their behavior, but also so that they know how to recognize and report potential risk indicators through proper channels. Easy avenues for reporting, like anonymous employee tip lines, give employees a safe way to speak up without fear of retaliation. Town Halls and company-wide events that reinforce the messaging from training help build camaraderie and make the training feel more real than a pre-recorded video watched alone. "Thinking like meerkats", where everyone looks out for each other and for the good of the group, is significantly more impactful than an organization where every employee watches out only for themselves. It is also critically important that all messaging be consistent and aligned with your company culture and risk appetite.
Therefore, employee awareness and education should be discussed and approved by the Insider Risk Committee. Too much or too little can lead to vastly different outcomes.
Historically, Insider Risk Programs have had a negative connotation among the workforce. While a positive perception isn’t necessary to run an effective Insider Risk program, it helps to have buy-in from employees by explaining how Insider Risk programs help protect them in the workplace. Organizational culture, a feeling of belonging, and a sense of purpose are what retain employees.
While not every organization is held to the same standard of preserving civil liberties as government agencies may be, the concept of organizational justice is important to convey and uphold across the workforce. Organizational justice is the perception employees have about fairness in the workplace, especially when it comes to accusations of wrongdoing and disciplinary actions. If Insider Risk Programs are perceived to be biased, unfair, or unjust, they can lead to workplace disgruntlement and high attrition rates.
Deterring risks from evolving into threats is the cornerstone of every effective Insider Risk Program. However, deterrence, no matter how well-designed, provides no guarantee that threats will not arise despite best efforts.
DETECT.
Insiders pose many levels of potential risk to any organization, from unintentional disclosure to purposeful data exfiltration, to espionage and sabotage, and in the most extreme cases, workplace harm or violence. While software systems and tools are only one part of an effective Insider Risk Program, they can provide the critical context needed not only to detect, but to help uncover the "why" behind the "what".
Potential Risk Indicators (PRIs) fall into three broad categories: unawareness, complacency, and malice.
- Unawareness can include risk indicators such as unknowingly going against or around security policies, misuse of organizational technology, discussing sensitive information in unsecured locations, and accidentally clicking on a phishing link.
- Complacency risk indicators can include using personal storage or devices for official purposes, uploading documents to unapproved places, and allowing unauthorized individuals access to physical spaces such as office buildings, facilities, or data centers.
- Malice risk indicators can include stealing sensitive information for personal gain, attempting to access and exploit information not relevant to a person’s role, threatening or coercing co-workers, or bringing weapons into the workplace.
It is important to emphasize that exhibiting PRIs does not necessarily mean someone is a risk, but in most cases real insider risks do exhibit one or more PRIs.
Ongoing monitoring and management are necessary for the safety of the workplace and the integrity of the organization. All monitoring should respect personal privacy and uphold civil liberties, prioritizing only those behaviors that have been determined to be high-risk, assessed in the context of multiple sources of intelligence and multiple points of view.
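The three PRI categories above, together with the caveat that a single indicator is not a finding, can be expressed as detection logic. The example below is added here for illustration and is not code from the article's author or from any Everfox product. It assumes a hypothetical indicator catalogue (names and weights are invented for the example) and a hypothetical key=value log format fed by several sources (DLP, IAM, badge, e-mail, HR). The rule it encodes is the one the text argues for: a user is elevated only when the weighted score crosses a threshold and the evidence spans at least two distinct indicators from at least two independent sources; a lone malice-category indicator, such as a coercion report, is routed to a human rather than auto-scored. All log lines are constructed sample data.

```python
"""Score Potential Risk Indicators (PRIs) from multi-source log lines.

Added example, not the article's or Everfox's code. Indicator names,
weights and the log format are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical catalogue: indicator -> (PRI category, weight).
PRI_CATALOGUE = {
    "phish_click":            ("unawareness", 1),
    "policy_bypass":          ("unawareness", 2),
    "personal_device_upload": ("complacency", 3),
    "tailgating":             ("complacency", 3),
    "out_of_role_access":     ("malice", 5),
    "bulk_download":          ("malice", 5),
    "coercion_report":        ("malice", 8),
}

# Constructed sample log (hypothetical format: timestamp then key=value pairs).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z source=email user=alice indicator=phish_click
2024-05-01T10:02:41Z source=dlp user=bob indicator=bulk_download detail=2100_files
2024-05-01T10:15:09Z source=iam user=bob indicator=out_of_role_access detail=finance_share
2024-05-02T08:30:00Z source=hr user=carol indicator=coercion_report
2024-05-02T11:47:22Z source=badge user=dave indicator=tailgating
2024-05-02T11:49:00Z source=dlp user=dave indicator=personal_device_upload
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    source: str
    indicator: str


def parse_log(text: str) -> list[Event]:
    """Parse 'TIMESTAMP k=v k=v ...' lines; skip lines missing required keys."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if {"user", "source", "indicator"} <= kv.keys():
            events.append(Event(parts[0], kv["user"], kv["source"], kv["indicator"]))
    return events


def assess(text: str, threshold: int = 8, min_indicators: int = 2,
           min_sources: int = 2) -> dict[str, dict]:
    """Return per-user score, PRI categories, sources and a triage status.

    'elevated'         - score >= threshold AND corroborated by >= min_indicators
                         distinct indicators from >= min_sources independent sources
    'refer_for_review' - any malice-category indicator without that corroboration
    'monitor'          - everything else (indicators logged, no action)
    """
    per_user: dict[str, list[Event]] = defaultdict(list)
    for e in parse_log(text):
        if e.indicator in PRI_CATALOGUE:      # ignore unknown indicators
            per_user[e.user].append(e)

    results = {}
    for user, evs in per_user.items():
        score = sum(PRI_CATALOGUE[e.indicator][1] for e in evs)
        indicators = {e.indicator for e in evs}
        sources = {e.source for e in evs}
        categories = {PRI_CATALOGUE[e.indicator][0] for e in evs}
        corroborated = len(indicators) >= min_indicators and len(sources) >= min_sources
        if score >= threshold and corroborated:
            status = "elevated"
        elif "malice" in categories:
            status = "refer_for_review"
        else:
            status = "monitor"
        results[user] = {"score": score, "categories": categories,
                         "sources": sources, "status": status}
    return results


if __name__ == "__main__":
    for user, r in sorted(assess(SAMPLE_LOG).items()):
        print(f"{user:6} score={r['score']:2} status={r['status']:16} "
              f"sources={sorted(r['sources'])}")
```

On the sample data, bob is elevated (two malice indicators, two sources, score 10), carol's single HR coercion report is referred for human review rather than scored, and alice and dave stay in monitor: dave has two corroborating sources but a score of 6, which is exactly the kind of case the Oversight Committee's threshold decisions govern.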
Securing the trustworthiness of your workforce should always be the mindset that Insider Risk Programs take on. The goal should be to protect the innocent just as much as it is to catch and prosecute the guilty. It is critical to take a close look at all of the evidence collected and come to a conclusion that meets a high bar of proof. Even one incident where an innocent is falsely accused and reprimanded can completely erode the trust of your entire workforce, which can lead to disgruntlement, attrition, and in the worst cases, increased insider risk.
MITIGATE.
Oftentimes, organizations detect breaches, data exfiltration, and unauthorized disclosure only when it is already too late, and the damage can be catastrophic. Effective Insider Risk Programs seek first to deter, then to detect, and, when required, to mitigate as quickly as possible once an unacceptable risk to the organization has been identified. Mitigation is about reducing the potential impact before or during an attack, while response is about managing and containing the attack once it happens.
Mitigations are actions an organization can take to reduce risk to the organization. These actions - to be effective - need to be informed by the risk you are seeking to mitigate. Simply, your mitigation should be focused on the risk surface. For insider risks, we focus on the people, employees, contractors and supply chain that all can introduce physical, cyber, or other destructive behaviors into the work environment.
Mitigation starts as early as the onboarding process and messaging must be persistent and consistent across the organization. Mitigation can take different forms with a primary outcome to encourage people to engage early and often. When unwanted behavior manifests into a high-risk incident, collaboration between cross-functional teams is paramount. In order to move swiftly, responsibly, and effectively, security and IT teams should work closely with leadership, HR, legal, and operations teams to decide on mitigation actions and follow the pre-determined procedure outlined by the Cyber Incident Response Plan. Effective teams have regularly practiced tabletop scenarios so that when the moment matters, actions are accurate and timely.
Mitigation is a journey that requires a blend of people, processes, and technologies to be successful. Recognizing these key components provides the foundation for any successful program. Mitigating and responding as quickly, effectively, and efficiently as possible results in less damage, less reputational harm, and lower cost, which helps maintain shareholder value and may even reduce safety and cybersecurity insurance premiums.
Conclusion
Strategically designing and building effective Insider Risk Programs is no easy task, and it cannot be accomplished alone.
It requires organizational and leadership buy-in, workforce training, careful planning, and effective cross-functional collaboration. It requires closely partnering with an experienced, trusted vendor to help you tackle the challenges and ensure the successful implementation of your program. It requires you to understand the evolving threat landscape and communicate the impact in terms of risk to your company.
As the tactics, techniques, and procedures that external threats use to become a trusted "inside" persona continue to evolve (for example through the use of Artificial Intelligence), cyber defenses will be stressed to defend against every attempt. And as insider risks become more commonplace because of disgruntled or disillusioned employees or negligent behavior, every regulated critical infrastructure organization should put a plan in motion to implement an Insider Risk Program without delay. Sophisticated threat actors are moving back towards close access and physical proximity to carry out their attacks, and the proven, effective way to deter, detect, and respond is an effective Insider Risk Program. The call to action exists: don't wait until it's too late.
About Everfox
Everfox has been defending the world’s most critical data and networks against the most complex cyber threats imaginable for more than 25 years. As trailblazers in defense-grade, high assurance cybersecurity, Everfox has led the way in delivering and developing innovative cybersecurity technology. Headquartered in Herndon, VA, Everfox’s suite of Cross Domain, Threat Protection and Insider Risk Solutions empower governments and enterprise organizations to use data safely - wherever and however their people need it.
References
[1] Reuters, "Cyber attacks on US utilities surged 70% this year, says Check Point".
[2] Dark Reading, "Sogu, SnowyDrive Malware Spreads, USB-Based Cyberattacks Surge".
Dennis Gilbert
CEO, Vector9 Consultants
Dennis Gilbert is currently CEO of Vector9 Consultants. He was most recently Vice President and Chief Information Security Officer at Duke Energy Corporation and worked with Exelon from 2014 – 2018 as Vice President and Chief Information Security Officer. Mr. Gilbert served as the Senior Advisor for Cybersecurity for the Department of Defense Chief Information Officer (DoD CIO).
Previous to his return to federal service, Mr. Gilbert was a Principal with Booz Allen Hamilton where he was responsible for leading a 185-person team delivering a complete suite of cybersecurity solutions to clients. In 2005, Mr. Gilbert retired from the U.S. Air Force. During his years of service, he held key leadership positions in many national-priority programs involving cyberspace operations, information warfare, satellite communications, counterspace operations, and electronic warfare.