Understanding Insider Threats and How to Protect Your Organization
Insider threats across many industries are on the rise, and there’s no immunity for healthcare.
According to Ponemon Institute’s 2020 Cost of Insider Threats Global Report, insider threat incidents increased by almost 50% from 2018 to 2020, with retail and financial services experiencing the largest share of that increase.
What’s at the source?
According to the Ponemon report, employee negligence causes most of the incidents, which, on average, cost more than $300,000 per event.
And while malicious intent or bad actors with credentials made up a lower percentage of the threat landscape for 2020, they were more expensive, with an average cost of almost $872,000 per incident.
Insider threats can take an organization an average 77 days for discovery and containment, with fewer than 30% of these incidents contained in less than a month.
What Exactly is an Insider Threat?
The National Insider Threat Task Force (NITTF) defines an insider threat as “any person with authorized access to an organization’s resources,” where resources include people, facilities, information, equipment, networks, or systems.
Insider threats can include people with malicious intent, but also issues that arise from lack of oversight, lack of education, complacency, unintentional acts, or human errors that negatively affect data confidentiality, integrity, and availability, as well as personnel, related resources, and facilities.
Five Insider Threat Expressions
While the roots of insider threats may vary, there are five primary expressions of the harm an insider may seek to do:
- Espionage, for example, when someone within your organization actually represents another organization and they’re trying to obtain information about your business
- Sabotage, for example, when an insider knowingly destroys your network, infrastructure or data
- Theft, for example, of money or intellectual property
- Cyber, for example, a phishing attack that launches malware on your network
Common Indicators for Insider Threats
Since it takes an average of almost 80 days to discover and contain an insider threat, there are some common indicators your organization should keep front of mind.
First is understanding insider threat intent. While you can’t control someone else’s thoughts, character or intent, your goal is to reduce insider threat opportunities and capabilities, regardless of motivation.
Questions to consider about insider threat opportunities:
- Location: Where are they located? Who are they next to? What do they have physical access to?
- Authority: What type of authority do they have within your organization? Do they have the authority to access critical or sensitive systems and/or protected data?
- Convenience: How are you handling identity and access management controls? Administrative controls?
Questions to consider about insider threat capabilities:
- Access: What areas of your organization/systems/data/facilities do they have access to?
- Training: Are they properly trained? Do they have limits on abilities to modify systems, data, or processes? Do they understand the impact of things like phishing emails and ransomware?
While human errors or accidents may be more challenging to predict and protect against, when you’re looking to protect your organization from insider threats it’s also important to understand some of the key triggers that could motivate someone to initiate a malicious or intentionally harmful act.
Here are a few areas for attention:
- Emotional Issues
- Workplace relations
- Personal problems
- Financial Motivation
- Foreign affiliation(s) such as state actors or political actors
- Corporate loyalties, such as espionage
- Personal ideology
- A mix of some or all of the above
Common Mistakes That Facilitate Insider Threats
Now that you know what to look for when building a proactive strategy to protect your organization from potential insider threats, let’s take a closer look at some of the common mistakes within your organization that fuel these threats as they evolve from ideas to reality.
- Lenient or Unrestrictive Hiring Practices
Finding skilled workers can be difficult in many industries, but when it comes to protecting your organization from a range of threats, it’s important to not have lenient or unrestricted hiring practices.
Ensure you have screening processes in place that can help you understand a person’s intent in joining your organization before hiring. Other issues can arise if your organization doesn’t conduct background checks or your checks don’t carry enough weight in the hiring process.
Here are some other contributing factors related to lenient hiring practices that could increase your risks from insider threats:
- Not performing psychological (personality) reviews during the hiring process to identify potential workplace incompatibility
- Not verifying information candidates submit (references, resume, education, credentials, etc.) and instead taking everything they submit at face value
- Lack of Quality Security Awareness Training
Another contributing factor is not having security training about insider threats, which is key in helping your entire workforce understand common indicators and what to keep an eye out for.
You may also increase risks if you do not regularly test efficacy of your security awareness training or fail to regularly update the training as the threat landscape changes.
- Lack of Employee Activity Monitoring
Even if you properly train your staff, if you don’t have systems in place to monitor activity, you may be at greater risk of a successful insider threat exploit.
Consider employing appropriate audit logging mechanisms and be sure to routinely update your administrative, technical and physical controls whenever you add new systems or have changes in your environments.
Information System Activity Reviews
One of the most effective ways you can strengthen your organization is to conduct routine information system activity reviews – for example, evaluating your software and hardware activity logs against a baseline to spot irregularities and anomalous activity. A comprehensive information system activity review should cover compliance, privacy, and security.
These reviews are also required by HIPAA, so you’ll want to be sure you’re including them and other insider threat-related processes in your overall security program. That program should also include regular reviews of your audit logs, access reports, security incident tracking reports, and log-in monitoring. Consider implementing a range of audit controls, too, to ensure all activity related to electronic protected health information (ePHI) gets recorded and routinely reviewed.
Suggested Activities For Review
In addition to planning for these routine reviews, here are some recommendations about suggested activities that can help decrease your risks from insider threats:
- Review all user access logs so you always know who’s logging in, when, and where:
  - User account
  - Login time(s) and location
  - Failed login attempts
  - User access log modifications and deletions
- Record view logs
  - This should include access logs of sensitive files, records, applications, or services
For an extra layer of security, here are some other important questions to consider:
- Can users access your logs and modify or delete sections of those logs?
- Do they have the ability to erase evidence they were actually there in the first place?
- Can you see and verify who accesses which records and what gets modified?
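As an added example (not from the original article), the following Python script runs the kind of review described above over a few constructed access-log lines: it flags repeated failed logins, logins outside a user’s baseline hours or locations, and modification or deletion of the audit log itself. The log format, user names and baseline values are assumptions.

```python
from collections import Counter
from datetime import datetime
# Constructed sample access log (not real data): "timestamp user action location target"
SAMPLE_LOG = """\
2021-02-01T09:05:00 jdoe   LOGIN_OK   clinic-a ehr
2021-02-01T09:07:00 jdoe   VIEW       clinic-a patient/1001
2021-02-01T22:40:00 jdoe   LOGIN_OK   remote   ehr
2021-02-01T22:42:00 jdoe   VIEW       remote   patient/2002
2021-02-02T03:10:00 asmith LOGIN_FAIL clinic-b ehr
2021-02-02T03:11:00 asmith LOGIN_FAIL clinic-b ehr
2021-02-02T03:12:00 asmith LOGIN_FAIL clinic-b ehr
2021-02-02T03:13:00 asmith LOGIN_OK   clinic-b ehr
2021-02-02T03:15:00 asmith DELETE     clinic-b audit/access.log
"""

# Assumed per-user baseline: normal working hours (24h clock) and usual locations
BASELINE = {
    "jdoe":   {"hours": range(8, 18), "locations": {"clinic-a"}},
    "asmith": {"hours": range(8, 18), "locations": {"clinic-b"}},
}
FAILED_LOGIN_THRESHOLD = 3

def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, location, target = line.split()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "action": action, "location": location, "target": target})
    return events

def review(events, baseline=BASELINE, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (user, indicator, detail) findings in log order."""
    findings, failures = [], Counter()
    for e in events:
        user, action, base = e["user"], e["action"], baseline.get(e["user"])
        if action == "LOGIN_FAIL":
            failures[user] += 1
            if failures[user] == threshold:   # burst of failures on one account
                findings.append((user, "repeated_failed_logins", f"{threshold} failures"))
        elif action == "LOGIN_OK":
            failures[user] = 0                # a success ends the failure run
            if base and e["ts"].hour not in base["hours"]:
                findings.append((user, "off_hours_login", e["ts"].isoformat()))
            if base and e["location"] not in base["locations"]:
                findings.append((user, "unusual_location", e["location"]))
        elif action in ("MODIFY", "DELETE") and e["target"].startswith("audit/"):
            findings.append((user, "audit_log_tampering", f"{action} {e['target']}"))
    return findings
```

Each finding is a starting point for the follow-up investigation the article describes, not a verdict on the user.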
Protecting Your Organization From Insider Threats
Now that you have a better understanding of what insider threats look like, motivating factors, and how you can seek them out, let’s take a closer look at a couple of ways you can add insider threat intelligence and practices to your overall cybersecurity and privacy program.
- Conduct a review and develop an inventory of information systems and applications that require system activity reviews.
  - Ensure you have proper data mapping of your ePHI throughout your environment, both internally and externally
  - Identify systems or applications that create, store, maintain, or transmit ePHI
  - Identify resources and touch points, which may not be limited to the information security team and could also include:
    - Security Operations Center (SOC)
  - Understand your current system activity review lifecycle, including all people, processes, and technology
  - Leverage your findings as part of your Strategic Action Plan (SAP)
- Have actionable policies and procedures in place
  When you’re writing policies and procedures, it’s important to ask yourself: can this actually be done in my environment?
  - Determine roles and responsibilities
  - Prepare for system activity reviews
    - Do you have the necessary safeguards to protect the confidentiality, availability, and integrity of audit trails and information system activity review reports?
    - Do you collect evidence of system activity reviews that identifies when, who, and what is reviewed?
    - Do you retain this information for a set time period?
    - Have you employed automated processes to help identify anomalies or unusual activity?
  - Conduct activity reviews
    - Segregate duties between system administrators and the system activity review team
    - Follow up with investigation and escalation
  - Train all workforce members who play a role in the system activity review lifecycle
    - Every person in your organization is a sensor for insider threats. Some of the best resources you have are the people who use your systems every day. With the right training, they can become your biggest insider threat allies.
- Have a feasible and agile plan
  - Continuously review your systems, processes, and technology and develop strategies for improvement and maturity
  - Take into account:
    - The size, complexity, and capabilities of your organization
    - The big picture
      - Have you engaged all your stakeholders so you can understand, review, and manage your technical infrastructure, hardware, and software security capabilities?
    - The costs of security measures: is this something we can afford to do?
    - The probability and criticality of potential risks to ePHI
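The questions above about protecting the integrity of audit trails and segregating administrators from the review team can be backed by a hash-chained audit trail. The following Python code is an added example, not the article’s or any vendor’s, showing how an edited record, a removed record, and a truncated tail are all detected when the review team keeps the latest hash separately from the systems the administrators control. Entry fields and values are constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for an empty trail

def _digest(prev_hash, entry):
    # Hash the previous record's hash together with a canonical encoding of the entry
    payload = prev_hash + json.dumps(entry, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def chain_entries(entries):
    """Wrap each audit entry so its hash covers the previous record's hash."""
    prev, trail = GENESIS, []
    for entry in entries:
        h = _digest(prev, entry)
        trail.append({"entry": entry, "prev": prev, "hash": h})
        prev = h
    return trail

def verify_trail(trail, head):
    """Check every link and compare the final hash with the separately held head.

    Returns (True, None) when intact, otherwise (False, index) where index is the
    first record that fails, or len(trail) when records were removed from the end.
    """
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    return (True, None) if prev == head else (False, len(trail))

# Constructed sample entries (not real data)
SAMPLE_ENTRIES = [
    {"user": "jdoe", "action": "LOGIN_OK", "target": "ehr"},
    {"user": "jdoe", "action": "VIEW", "target": "patient/1001"},
    {"user": "jdoe", "action": "VIEW", "target": "patient/2002"},
]

def demo():
    """Build a trail, hand the head hash to the review team, then try three kinds of tampering."""
    trail = chain_entries(SAMPLE_ENTRIES)
    head = trail[-1]["hash"]                      # retained by the review team, not admins
    edited = copy.deepcopy(trail)
    edited[1]["entry"]["target"] = "patient/9999" # rewrite one record in place
    cut_middle = trail[:1] + trail[2:]            # erase a record from the middle
    cut_tail = trail[:-1]                         # erase the most recent record
    return {"intact": verify_trail(trail, head), "edited": verify_trail(edited, head),
            "cut_middle": verify_trail(cut_middle, head), "cut_tail": verify_trail(cut_tail, head)}
```

Without the separately held head hash, the truncated-tail case would pass, which is why the chain alone is not enough and the review team must retain the head outside the administrators’ reach.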
Implementing a System Activity Plan
When some organizations begin conversations about implementing a system activity plan, they can get so caught up in the details, it becomes overwhelming and makes it challenging to see the process all the way through.
A more digestible approach is to develop the plan in phases. Here are a few recommendations that may help:
- Phase 1: Six months to one year
- Create key objectives first. These tasks will likely have a low financial obligation; they are things you can implement quickly and without a lot of approvals or work.
- Phase 2: One to two years
- These objectives may have a moderate financial obligation and need some approvals and additional work and attention.
- Phase 3: Two to three years
- This would be the time to begin implementing items that have higher financial obligations and that will generally take much longer (and require more approvals) to implement.
Need help building a program to identify insider threat risks and mitigation processes for your organization? Not sure how to successfully integrate system activity reviews into your current environment? Connect with a Clearwater advisor today, and we can help.
- Understanding Insider Threats and How to Protect Your Organization - February 26, 2021