Assessing Insider Risk


Billington CyberSecurity’s 4th Innovation Roundtable at its 13th Summit

Private and public sector cyber experts discussed the risks posed by insiders and the impact they have on an entity’s cybersecurity at Billington’s 13th Annual Summit in September 2022. The group highlighted factors heightening insider risk, considered reasons why this risk might be overlooked, and suggested points to consider when addressing the issue in order to shape an effective response.

The group highlighted that over the past two years, companies have had to think about insider risks in new ways. The past year has seen an influx of worker mobility, with employees moving between companies, heightening the potential that departing employees will take proprietary material with them. Better overall cybersecurity increases the potential that threat actors will turn to recruiting insiders to assist with their espionage activities, while cyber intruders are increasingly leveraging insiders – witting and unwitting – to establish better persistence, gain greater privileged access, and move laterally within networks to go after key targets.

The group also considered why the private and public sectors might not account for these heightened risks. Many cybersecurity programs continue to focus on edge protection, are overworked, and lack a good understanding of their organization’s mission and its crown jewels. Additionally, an organization might have lax rules about user behavior and what users can access after logging in, or a mission-first imperative that prioritizes “get the job done” over “how it gets done,” resulting in data security holes that allow users to take what they want without being monitored or logged. Cross-organizational data sharing could also open doors for risky behavior – both intentional and inadvertent – to occur.

Group discussion also focused on areas to consider when building an effective response to insider threat. The group considered that, as with most things relevant to building an effective zero trust environment, a better understanding of what makes up an organization’s system – users, applications, data – is a good starting point for identifying potential insider risk. Organizations should also pre-determine what constitutes acceptable risk as it applies to users working within their systems, and manage those risks as individuals leave to work somewhere else. The group agreed that the answer should never simply be to accept all risks; instead, organizations should find ways to reduce risk while limiting the impact on organizational productivity.

A key focus of the discussion centered on leveraging a better understanding of users’ organizational roles and behaviors – both acceptable and unacceptable – as essential components of any risk mitigation strategy. This understanding would provide a better framework for determining intent: malicious versus legitimate, accidental, or genuine curiosity. Knowing, for example, common user behavior such as normal login patterns, what a user is supposed to access, who they normally associate with, and their relationship with the organization could all lead to better risk management as things change.

The group also highlighted some common mitigations that could reduce insider risks. These included:

  • Better established, automated, and configurable rules of behavior, and workforce education on them;
  • System flagging and monitoring that looks for rule violations, with a dedicated team focused on investigating these anomalies;
  • A consequences-based response system combined with communication that showcases results; and
  • Process-oriented activities (e.g., checking references and gathering supervisor feedback during the hiring process), which are effective non-automated security controls essential to an insider threat program.
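The behavioral baselining described above (normal login patterns, what a user is supposed to access) and the flagging of rule violations for a dedicated team to investigate can be illustrated with a small detector. The following is an added example written for this summary, not code from the roundtable or any vendor; the log lines are constructed, and the role-to-resource mapping, the user-to-role mapping, and the 07:00 to 19:00 working-hours window are assumptions standing in for an organization’s own access policy and rules of behavior.

```python
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <user> <action> <target>".
# They are not taken from any real system.
SAMPLE_LOG = """\
2022-09-01T08:05:00 alice login ok
2022-09-01T08:10:00 alice access hr-share
2022-09-01T09:00:00 alice access hr-share
2022-09-02T08:15:00 alice login ok
2022-09-02T17:30:00 alice logout ok
2022-09-03T02:45:00 alice login ok
2022-09-03T02:50:00 alice access eng-repo
2022-09-01T09:30:00 bob login ok
2022-09-01T09:35:00 bob access eng-repo
2022-09-02T10:00:00 bob login ok
2022-09-02T10:05:00 bob access eng-wiki
2022-09-02T10:20:00 bob access finance-db
"""

# Hypothetical policy: which resources each role is supposed to access,
# and which role each user holds. An organization would derive these from
# its own identity and access data.
ROLE_RESOURCES = {"hr": {"hr-share"}, "engineering": {"eng-repo", "eng-wiki"}}
USER_ROLES = {"alice": "hr", "bob": "engineering"}


def parse_line(line):
    """Split one log line into a structured event."""
    ts, user, action, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "target": target}


def analyze(log_text, user_roles, role_resources, work_hours=(7, 19)):
    """Replay the log in time order and flag three kinds of rule violation:
    off-hours logins, access outside the user's role, and access to a
    resource the user has never touched before (a per-user baseline that is
    built as the log is replayed)."""
    start, end = work_hours
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    seen = {}      # user -> set of resources already accessed (the baseline)
    alerts = []

    def flag(ev, rule, detail):
        alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                       "rule": rule, "detail": detail})

    for ev in events:
        user = ev["user"]
        if ev["action"] == "login" and not (start <= ev["ts"].hour < end):
            flag(ev, "off_hours_login", f"login at hour {ev['ts'].hour:02d}")
        elif ev["action"] == "access":
            allowed = role_resources.get(user_roles.get(user), set())
            if ev["target"] not in allowed:
                flag(ev, "out_of_role_access",
                     f"{ev['target']} not permitted for role "
                     f"{user_roles.get(user, 'unknown')}")
            baseline = seen.setdefault(user, set())
            if ev["target"] not in baseline:
                # Only report novelty once some history exists for the user,
                # otherwise every first day of work would be an anomaly.
                if baseline:
                    flag(ev, "novel_resource",
                         f"first ever access to {ev['target']}")
                baseline.add(ev["target"])
    return alerts


def summarize(alerts):
    """Count alerts per user so an investigations team can prioritize."""
    counts = {}
    for a in alerts:
        counts[a["user"]] = counts.get(a["user"], 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG, USER_ROLES, ROLE_RESOURCES)
    for a in found:
        print(f"{a['ts']} {a['user']:<6} {a['rule']:<20} {a['detail']}")
    print(summarize(found))
```

Each alert carries the rule that fired and a short detail string, so the investigating team can tell an off-hours login from an access outside the user’s role without re-reading the raw log; the role mapping and working-hours window are the "configurable rules of behavior" the roundtable called for, and the novelty check is the baseline that lets the same event be judged differently for a user whose history shows it to be routine.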