Anyone who has ever played a team sport understands the importance of two key tenets when it comes to winning: practice makes perfect, and your team is only as strong as its weakest player.
The same can be said as they relate to mitigating the insider threat, one of the most pressing IT security and risk management challenges we face today.
Time and time again, we've seen attackers leverage compromise of authorized access to networks, most often granted to third-party contractors, to bypass otherwise effective security defenses. In other cases, unchecked activity on the part of those contractors with access has resulted in cataclysmic security incidents.
High-profile commercial examples of this phenomenon include the massive Target data breach, in which attackers hacked the credentials of an authorized HVAC services provider to make off with millions of customer records. In the government sector, merely citing one name — contractor Edward Snowden — conveys the risk that pertains to malicious activities of a single unmonitored actor.
According to recent research published by security vendors TrendMicro and PhishMe, as much as 90% of all successful cyber attacks leverage some form of user manipulation or phishing. This is typically carried out in the form of tricking someone to click on an infected URL link or open an attachment that carries some form of malware.
To help address the insider threat in the federal government, a recent update to the National Industrial Security Program Operating Manual, or NISPOM — which governs private industry access to classified information — finds regulators communicating to their contractor partners that when it comes to security awareness, it's time to step up.
Under the NISPOM Change 2 Insider Threat Mandate, which went into effect on May 31, federal contractors will be forced to have a much tighter game plan in place; much of this revolves around renewed focus on end-user security training. While the federal government required all cleared personnel to go through insider training in the past, NISPOM 2 dictates that each company must retrain anyone who will handle sensitive data within the next year.
I can see you rolling your eyes, but security training does have a significant impact, even for experienced practitioners. This is where "practice makes perfect" comes in.
According to CyberSecurity Ventures, the CISO at Wells Fargo estimates that his company recently reduced exposure to phishing by 40% through a renewed training program. According to our own data collected from real-world business environments, when employees are called out by their employer, close to 80% make changes and become more security-conscious. This proves that training needs to be an ongoing process — one that's cyclical, not static.
In that sense, NISPOM 2 is a good step forward, although training should be mandated continuously, on an as-policy-violations-happen and at-least-once-a-quarter basis vs. annually, as required now.
In addition to mandated end-user training, NISPOM 2 also requires contractors to have a written insider threat plan in place, and to conduct more frequent self-assessment reviews, ensuring that related policies and practices are effective. In general, I think this approach works because it calls for greater accountability across the board from these contract holders.
In addition to these practical tactics of increased training and more frequent self-review, NISPOM 2 would appear to be an improved strategy for insider threat mitigation as it specifically calls for the involved contractors to increasingly do these three things:
- Be aware of the signs of insider threats
- Be cognizant of penalties for leaking sensitive information
- Know how and to whom to report any suspicious behavior
NISPOM 2 also goes one step further in requiring a minimal level of security around insider threats from other government partners, such as IT systems integrators. In general, the mandate is more thorough and prescriptive than previous efforts to address this range of potential risk factors.
So why is this happening now? This change comes as a direct result of high-profile insider cases such as those of Snowden and Harold Thomas Martin, who both were contractors. It's that simple.
At the same time, the Chinese army's alleged cyber spying unit, known as Unit 61398, actively targets contractors' home systems, in addition to their work systems, to gain access to U.S. government networks.
It would seem safe to assume the other state actors are employing similar tactics. At the end of the day, this is because the perception is that contractors are easier to subvert and therefore make better targets.
By pushing federal contractors to be more aware and focus on mitigating the insider threat, the federal government is taking a purposeful step toward protecting the core of its domain. As a result, this effort is likely to help build a more secure environment across the board.
If you want to win the game, you need to keep at the training and make sure everyone on your team is working together. If you do, you're almost certain to see better results on the playing field.