Imagine “securing” your company only to discover an employee took your crown jewels to a competitor. Millions of dollars in R&D lost, your reputation tarnished, and business goodwill suffers. Unfortunately, this is not an uncommon occurrence and one that occurs despite the billions of dollars spent on traditional security.
So why do these types of compromises continue to occur?
Misplaced Threat Focus & False Assumption
Traditional security focuses on external threats, yet many breaches succeed simply by exploiting basic security lapses (unpatched software, default server passwords, etc.) and by social engineering of insiders. Moreover, a significant number of breaches are intentionally facilitated by trusted insiders themselves. So focusing only on the outside hacker misses the mark: insiders, through poor security practices, negligence, or intentional misconduct, are the weak link in the cyber security chain. In addition, traditional security falsely assumes insider threats cannot be prevented. Most controls and resources are dedicated to detecting network threats only, which loses sight of the real problem – insider threats. As a result, the cycle of compromises and breaches continues.
Focus on Insider Threats
- More than 2/3 of all security events are caused by insiders. Verizon DBIR (2016)
- Employees are the most cited culprits of security incidents. PWC Global State of Information Security Survey (2015)
- The great majority of intellectual property theft is committed by insiders. United States IP Comm. Report on Theft of American IP (2013)
Risk is Largely Misunderstood
Traditional security risk management views risk in several ill-defined ways. The first is that risk equals threat. The second is that risk equals vulnerability. A third position defines risk as threat plus vulnerability. The problem with all three is they fail to properly combine the three essential components of risk – impact, threat, and vulnerability.
Properly Define Risk
True risk is the likelihood that a given asset can be compromised by an identified threat via a current vulnerability. The asset is the key component of risk, since it is the particular asset whose compromise could have deleterious effects on your business. Stated another way, without a defined impact to an asset, there is no risk. Similarly, if there is no threat or no vulnerability, there is also no risk to an asset. It is the combination of all three that defines and captures the true risk posed to an asset.
Traditional Assessments – Wrong Questions & Wrong Problem
Traditionally, security managers have relied on NIST, COBIT, and ISO frameworks for measuring “risk.” However, these frameworks only provide a way to assess network-centric organizational risk, not insider risk. They are vulnerability models and do little to inform an organization about the risk to specific assets. Thus, a security manager seeking to protect critical assets will be left with many unanswered questions.
Apply an Asset-Focused Insider Risk Model
Effective security requires a risk model that assesses and manages risk by focusing on insiders’ interaction with critical assets. Not all threats are equal, nor are all vulnerabilities and assets, so effective risk management requires risk prioritization. First, identify the assets and determine the impact of their compromise. Second, identify the specific threats and vulnerabilities related to each asset. Third, measure the risk to each asset (Risk = Impact * (Threat * Vulnerability)). Lastly, develop mitigation strategies. Through this method, an organization can apply security measures in the most efficient and cost-effective manner, leading to an enhanced security risk posture.
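The four steps above, carried through in code as an added illustration (this is not ITMG’s method or tooling): a small asset register of (asset, threat, vulnerability) triples is scored with Risk = Impact * (Threat * Vulnerability), ranked for prioritization, rolled up per asset, and then re-scored after a hypothetical mitigation. The 0–5 rating scale, the register entries, and all function names are constructed for this example; note how the zero-impact asset scores zero risk even with the highest threat and vulnerability ratings, which is the point made under “Properly Define Risk”.

```python
"""Asset-focused insider risk scoring: Risk = Impact * (Threat * Vulnerability).

Added example; the 0-5 scales and the sample register are constructed
for illustration and are not data or code from the original article.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Exposure:
    """One (asset, threat, vulnerability) triple; each factor is rated 0-5 (assumed scale)."""
    asset: str
    impact: int          # business impact if this asset is compromised
    threat: str
    threat_level: int    # likelihood that this insider threat acts against the asset
    vulnerability: str
    vuln_level: int      # how exploitable this weakness is today


def _check_scale(value: int, name: str) -> None:
    if not 0 <= value <= 5:
        raise ValueError(f"{name} must be rated 0..5, got {value}")


def risk_score(impact: int, threat: int, vulnerability: int) -> int:
    """Risk = Impact * (Threat * Vulnerability). Any factor at 0 yields 0 risk."""
    for value, name in ((impact, "impact"), (threat, "threat"), (vulnerability, "vulnerability")):
        _check_scale(value, name)
    return impact * (threat * vulnerability)


def exposure_risk(e: Exposure) -> int:
    return risk_score(e.impact, e.threat_level, e.vuln_level)


def rank_exposures(exposures: List[Exposure]) -> List[Tuple[int, Exposure]]:
    """Step 3: score every exposure and order highest risk first."""
    scored = [(exposure_risk(e), e) for e in exposures]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def asset_risk(exposures: List[Exposure]) -> Dict[str, int]:
    """Roll-up per asset: the worst exposure sets the asset's risk (assumed aggregation rule)."""
    worst: Dict[str, int] = {}
    for e in exposures:
        worst[e.asset] = max(worst.get(e.asset, 0), exposure_risk(e))
    return worst


def mitigation_gain(e: Exposure, new_vuln_level: int) -> int:
    """Step 4: risk reduction if a control lowers the vulnerability rating to new_vuln_level."""
    return exposure_risk(e) - risk_score(e.impact, e.threat_level, new_vuln_level)


# Steps 1 and 2: constructed register of assets, impacts, threats and vulnerabilities.
REGISTER = [
    Exposure("source-code repository", 5, "departing engineer copies repo", 4, "no DLP on removable media", 4),
    Exposure("source-code repository", 5, "departing engineer copies repo", 4, "repo clones not logged", 3),
    Exposure("customer database", 4, "DBA sells records", 2, "shared admin credentials", 5),
    Exposure("public marketing brochures", 0, "staff forward externally", 5, "no access control", 5),
    Exposure("HR payroll data", 3, "negligent sharing", 3, "open file share", 2),
]

if __name__ == "__main__":
    for score, e in rank_exposures(REGISTER):
        print(f"{score:3d}  {e.asset:28s} {e.threat} / {e.vulnerability}")
    print("per-asset:", asset_risk(REGISTER))
    print("gain from DLP on removable media:", mitigation_gain(REGISTER[0], 1))
```

Ranking the triples rather than the assets alone is what lets the mitigation step target the specific threat/vulnerability pair driving an asset’s score; the per-asset roll-up is only there to report a single number to management.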
Shawn M. Thompson is the Founder & President of Insider Threat Management Group (ITMG). For more information, visit their website.