Organizations maintain all types of valuable data, and their most sensitive data is very attractive to adversaries and criminals who might seize an opportunity to access it and use it for purposes other than those for which it was intended. The very serious threat of an insider stealing an organization’s data was most recently demonstrated in April 2023, when the Department of Justice announced that Jack Teixeira, a member of the United States (U.S.) Air Force National Guard, had been arrested in connection with an investigation into the alleged unauthorized removal, retention, and transmission of classified national defense information.
As insider threats continue to surge, organizations want to understand their best options for keeping up with this type of threat. In this article, I will discuss what an insider threat is, why an insider threat program is necessary, and in some instances required, and what is required for a strong insider threat program.
What Is an Insider Threat?
An insider threat is not new. Anyone can be a threat and it’s possible for this type of threat to go undetected for years. Literally. Consider Ana Montes, a former Department of Intelligence Agency (DIA) employee who was eventually sentenced to 25 years for operating as a Cuban spy. While she began her career at DIA in 1985, she wasn’t arrested for releasing national defense information to Cuba until 2001. Several other individuals have provided the security community with valuable insider threat lessons since the early 2000s through similar activities (e.g., releasing national security information). We’ve learned about their motivations and how their actions have impacted security programs and prompted the need for insider threat programs.
The National Institute of Standards and Technology (NIST) describes an insider threat as one that involves an individual using his or her authorized access, wittingly or unwittingly, to do harm to an organization’s operations and assets, individuals, or other organizations. Individuals may use their authorized access to access and release classified information or controlled unclassified information (CUI), in the case of those who have access to U.S. federal information systems, or intellectual property or sensitive personally identifiable information maintained by private sector companies.
Insider threats come in many forms, so organizations should continuously monitor their workforce for indicators such as higher than normal stress in an employee’s personal life (especially financial stress), misconduct, and declining overall work satisfaction. Disgruntled employees pose a unique threat to an organization because they are seen as easy targets. Criminals actively recruit disgruntled employees to steal intellectual property and proprietary information.
Insider Threat Programs
According to the 2022 Cost of Insider Threats Global Report by Ponemon, insider threats have increased in both frequency and cost in the two years prior to the publication of the report. Insider-related incidents included employee negligence (56%), criminal activity (26%) and user credential theft (18%).
Organizations that have strong insider threat programs are better prepared to understand the various types of threats, as well as the potential damage that might be caused. An insider threat program should be sufficiently tailored to meet the needs of the organization and the industry in which it operates.
Challenges to Mitigating Insider Threats
Preventing insider threats is a full-time job that requires resources. Detecting behavior that may be an indicator of an insider-related incident, as well as when sensitive data leaves the organization, requires both manpower and technology. If an organization lacks the ability to provide insider awareness and training to their employees, as well as invest in the necessary technology, such as data loss prevention and user and entity behavior analytics tools, it will be difficult to mitigate insider threats.
Lack of Resources and Support
The lack of resources required to mitigate insider threats can be discouraging for operational teams. Equally discouraging in some instances is the lack of leadership support, until, of course, a disgruntled employee steals proprietary data. As organizations begin to either design and create an insider threat program or strengthen an existing program, it will be important to develop a strategy to gain key stakeholder buy-in.
A Strong Insider Threat Program
The approach to developing an insider threat program should be thoughtfully planned, with consideration given to the data assets maintained by the organization, the applicable laws and regulations, as well as key stakeholders.
Here are four steps any organization with employees can take to bolster their insider threat program today:
- Find the correct data loss prevention software for your organization
- Develop and implement a comprehensive awareness and training program that will help employees recognize and report an insider threat
- Employ the principle of least privilege for users and devices; log and analyze the execution of privileged functions to help mitigate the risk from insider threats
- Develop an incident plan specifically for insider-related incidents to ensure appropriate and timely response
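The third step above (least privilege plus logging and analysis of privileged functions) can be reduced to a small, repeatable check. The following is an added example, not code from the article or from any named tool: it applies a hypothetical role-to-privilege allow-list to a constructed JSON audit log, flags executions a user’s role does not permit, counts repeat offenders, and surfaces off-hours privileged activity as a simple UEBA-style indicator. Roles, users, function names and log lines are all assumptions.

```python
"""Added example (not part of the original article): least-privilege review
of a constructed privileged-function audit log."""
from collections import Counter
import json

# Hypothetical role -> privileged functions that role is allowed to execute.
ROLE_PRIVILEGES = {
    "dba": {"export_table", "grant_role"},
    "hr_analyst": {"export_table"},
    "engineer": set(),
}
# Hypothetical user -> role mapping (the least-privilege assignment).
USER_ROLES = {"alice": "dba", "bob": "engineer", "carol": "hr_analyst"}

# Constructed audit log, one JSON record per line; not real data.
AUDIT_LOG = """
{"ts": "2024-03-01T09:02:11Z", "user": "alice", "func": "grant_role", "target": "prod_db"}
{"ts": "2024-03-01T09:15:40Z", "user": "bob", "func": "export_table", "target": "customer_pii"}
{"ts": "2024-03-01T09:16:02Z", "user": "bob", "func": "export_table", "target": "customer_pii"}
{"ts": "2024-03-01T21:48:19Z", "user": "carol", "func": "export_table", "target": "payroll"}
{"ts": "2024-03-01T22:05:00Z", "user": "dave", "func": "grant_role", "target": "prod_db"}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_violations(records):
    """Return (user, func, reason) for each call the user's role does not permit."""
    findings = []
    for r in records:
        role = USER_ROLES.get(r["user"])
        if role is None:
            findings.append((r["user"], r["func"], "unknown user executed privileged function"))
        elif r["func"] not in ROLE_PRIVILEGES[role]:
            findings.append((r["user"], r["func"], f"not permitted for role {role}"))
    return findings


def repeat_offenders(findings, threshold=2):
    """(user, func) pairs that violated the allow-list at least `threshold` times."""
    counts = Counter((user, func) for user, func, _ in findings)
    return {pair: n for pair, n in counts.items() if n >= threshold}


def off_hours(records, start=7, end=19):
    """Privileged calls outside business hours (UTC), a simple behavioral indicator."""
    return [r for r in records if not start <= int(r["ts"][11:13]) < end]
```

Run over the constructed log, `bob` (an engineer with no privileged functions) appears twice for `export_table`, `dave` is unknown to the role mapping, and the two late-evening records are listed for review even though `carol` is permitted to export.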
Many insider threats can be mitigated through security best practices, tailored security controls and a strong insider threat program. While newsworthy cases like those of Ana Montes and Jack Teixeira do occur, the data shows that more often than not, the insider threat will be related to employee negligence, not malicious intent. Whether you are leading a large organization or the owner of a small business, protecting against these threats is important for the overall success of the business, so you should prepare for all possible scenarios.
About the Author
Ambler is an attorney with an extensive background in corporate governance, regulatory compliance, and privacy law. She currently consults on governance, risk and compliance, enterprise data management, and data privacy and security matters in Washington, DC. She also writes with Bora Design about today’s most important cybersecurity and regulatory compliance issues.
Disclaimer: The author is completely responsible for the content of this article. The opinions expressed are their own and do not represent IEEE’s position nor that of the Computer Society nor its Leadership.