12/7/2018
10:30 AM
Richard Ford
Insider Threats & Insider Objections

The 'tyranny of the urgent' and three other reasons why it's hard for CISOs to establish a robust insider threat prevention program.

There’s no shortage of good coverage in the media on the important topic of insider threats. Yet despite the headlines, according to a 2018 report by CA, only 36% of companies surveyed say they had what they considered a mature insider threat program in place. So where is the disconnect? Based on my own experience and that of my CISO friends and colleagues, there are several factors that blunt attempts at establishing a robust insider threat program, among them: long “to do” lists, optics, privacy, mindshare and culture.

The never-ending "to do" list. If it’s not multifactor authentication (MFA), it’s endpoint detection and response (EDR). If it’s not EDR, it’s identity and access management (IAM). If it’s not IAM, it’s BYOD. You get the idea – every new threat (or acronym!) requires a custom-tailored solution, and the list of things to address keeps growing. Thus, CISOs, often caught by the tyranny of the urgent, are forced to make mindful but difficult tradeoffs regarding priorities. In that calculation, insider threat often doesn’t make the cut.

The problem of optics. Maybe you’ve taken a long look at your business and decided that the lack of an insider threat program is significant enough that you should address it. Good for you. Now you’ve got to get past the set of objections I file under the broad heading of "optics." Insider threat just sounds negative. For what it’s worth, I absolutely hate the name because it conjures up visions of shady characters skulking around the water cooler planning dark deeds, and that’s absolutely not how we want to view our coworkers.

While there are plenty of documented examples of employees "going to the dark side," the most effective insider threat programs are focused on protecting employees from themselves, each other, and attackers. The intent of the program is almost wholly positive … but the name is most definitely a negative.

It’s made worse by cultural issues. While I wish it were otherwise, it’s also best to admit that there are a lot of different relationships and dynamics that exist between employee and employer. Trust can be an issue, and in many companies, there exists a distinct sense of "them" and "us" that separates executive management from the workforce – something that acts to the detriment of trust. On top of that, you may have additional challenges from diverse cultural norms if you are a global company operating in different parts of the world. What’s okay in America may be anathema in Zimbabwe, and vice versa, ranging from muddled privacy regulations and employment laws to multi-department, multi-national tensions. Do you really want to jump into that?

The employee privacy issues. Users have legitimate concerns about how much they reveal of themselves to their employers. Not only are there ethical questions, but there is a mishmash of laws that dictate what a company can and cannot do with respect to employee privacy. This becomes a really tough issue for CISOs.

Mindshare – or making the boss happy. The job of the CISO is not as simple as just protecting the company; it’s about making the boss happy – and that boss is ultimately the CEO or the board of directors. If the risks posed by insiders aren’t part of his or her mindshare, insider threat programs won’t look like a good investment. You can do some work to educate, but too often we find that we are faced with people whose minds are already made up.

Those are the objections. It’s your job to figure out how to overcome them. But here are two suggestions:

First, be clear about the facts that justify the cost of an insider threat program. The news is full of stories that chill to the bone with respect to misbehaving insiders. No company can afford to ignore these real-world incidents, and you can make the case about the damage they cause with hard numbers.

Second, take the optics issue head on. Start by having a real dialogue within the company about how programs like this are a force for good, not evil. But make sure that your actions match your words. For example, a well-implemented program doesn’t actually have a negative impact on privacy. It’s all a matter of how you structure it. Yes, there is more up-front work required to do it right. But by putting in the effort, you can also make adoption of the program a way to meaningfully increase employee privacy as well as safety and security.

Dr. Richard Ford is the chief scientist for Forcepoint, overseeing technical direction and innovation throughout the business. He brings over 25 years' experience in computer security, with knowledge in both offensive and defensive technology solutions. During his career, ...