Today, are boards concerned about the risk to their business from insiders in the context of cyber-attack? Boards often ignore the risk posed by the enterprise’s own employees. Who are these troublesome employees? Cyber insiders can come from any part of the business. A recent study indicates that 36 per cent of the worst security breaches are caused by unintentional human error and 10% are intentional misuse of systems by the enterprise’s own employees. This is not a trivial problem. Insider risk cannot be outsourced, and it cannot be solved by technical solutions alone.
Cyber insiders are of three types:
- Non-malicious and unintentional: Here, unsuitable people were probably recruited, or they were not trained adequately, or managerial oversight is not working well. Don’t blame the people here.
- Non-malicious and intentional: These are harder to deal with, probably because business processes and culture in the enterprise fail to engage them with the cyber risk. More often than not, these employees’ judgements turn out to be flawed. Once again, don’t blame such people; it is the culture of the enterprise that needs to change.
- Malicious and intentional: They cause the most serious harm, especially with the enormous power of cyber technology. Often there is a clear link between an insider act taking place and exploitable weaknesses in the employer’s protective security and management processes.
The 10 steps to cyber insider protection are:
- Governance: Recognize the ownership of and accountability for the different people risks. There should be a single board-level owner of all aspects of people risk in the enterprise.
- Roles & responsibilities: Have a single point of ownership for people risk on the board, managing people risk top-down with measures and procedures understood by all.
- Assets: Understand the enterprise’s critical assets and their vulnerabilities. Recognize and review the process in place to keep the list of critical assets constantly updated.
- Manage risk: Carry out a full review of insider risk regularly. Record insider risk on the risk register, including those who constitute the highest level of risk and the mitigating actions in place to manage those insider risks.
- Culture: Board involvement in building a security culture within the enterprise is essential, and an appropriate plan should be in place to move towards achieving it. Monitor it.
- Impact: The board should understand the impact that an insider incident can have on the enterprise and on the board itself.
- Response: The enterprise should be ready to respond to an insider event so as to minimize harm and to maximize the possibility of attribution.
- Transparency and awareness: All measures, policies and procedures, including employee monitoring, surveillance and whistleblowing, should be transparent, compliant with legal and regulatory frameworks and understood by employees. Employees should be made aware of the potential penalties of engaging in an insider act.
- Supply chain: Understand clearly that risk cannot be outsourced. The board-level owner of people risk should ensure that all aspects of people risk mitigation and asset management include the supply chain, and are audited and performance managed.
- Audit: An audit committee should review the overall management of insider threat on a periodic basis (preferably annually), with particular emphasis on ensuring that the risks and assets are reviewed and that policies and procedures are working well, integrated, and compliant with regulatory frameworks.
High-performing enterprises should have an effective and visible people risk reduction program, with a single point of ownership and accountability at board level. We have to understand that a damaging insider is difficult to exclude. Our plan should be to minimize harm, protect assets and reputation, and detect and prosecute such insiders.
This article is based on discussions between Chris Hurran and Kinshuk De at Cranfield University on 5th March 2015 (Hurran, 2015).