In cybersecurity, threat actors are often viewed as far-removed adversaries looking to exploit our networks or extort our organizations for their own personal gain. But they are not always distant threats. There are also insider threats, which come from our trusted co-workers and colleagues. And while these threats can sometimes be malicious, often they’re accidental or result from a lack of cybersecurity knowledge. As a result, mitigating insider threats requires a nuanced approach that balances the concerns of human resources, legal departments, and security.
The month of September was National Insider Threat Awareness Month. TransUnion hosted a virtual roundtable to discuss awareness and best practices. The panel discussion included Charles Margiotta, Director of the National Insider Threat Task Force (NITTF), Daniel McGarvey, Senior Principal Business Analyst with Alion Science and Technology, and Jeffrey Huth, Vice President, Product and Technology, Public Sector with TransUnion, who provided insight into the complex nature of insider threats, mitigation, and strategy.
There is a human side to all of cybersecurity. And with insider threats, the human element may sit in the office next door. Access to information and systems is key for threat actors. A key element in understanding the risks of insider threats is to understand motivation. “If our staff are under financial stress, they become targets,” Huth illustrated. “Everyone is a target. We need a program to address this, “ Margiotta confirmed. When our employees begin missing loan payments and fall into financial hardship – all information sought by outside cybersecurity threat actors – they can become possible threat actors themselves.
When hiring our credentialed new staff, the clearance process discovers any possible risks of the individual. But the roundtable discussed the need for continuous evaluations, allowing constant checks on the financial distress levels of staff, and alerts on individual’s data that may indicate the susceptibility of our staff to being targeted. Collecting data, analyzing, and sharing this with departments and other agencies is helpful in reducing the impact of risk, but also a complex issue that interacts with privacy laws. The NITTF has published a library of resources, including guidelines to help us navigate insider threat mitigation.
Ideally, potential risks are identified and our staff are supported in a way that disallows their involvement in harmful actions. McGarvey shared an example of how an organization can approach insider threat, “It should be as inclusive as possible, involving clergy, legal, HR, medical professionals, IT, security, etc. A security perspective looks at protecting the organization. HR looks at helping the employee to be most effective…by doing that, we created an understanding that it’s a “we” problem, with a “we” solution. We need to create a game plan, develop policy, structures, understand how data is saved and shared, and identify what mitigation looks like. This all requires advanced thinking.”
The current trend has been an adjudication model that is not very forgiving. “The resiliency model looks at mitigation rather than punishment solely. We may end up with an employee who is grateful for helping them to overcome some difficulties,” McGarvey explained. “Even with clearanced individuals, many are living paycheck to paycheck. Once you know this, you can develop programs…We can get in front of the situation and help individuals,” agreed Huth.
Cybersecurity is a human problem involving complex technologies. Insider threats are the same yet have complexities, nuance, and added risks. The solution must be as intricate as the problem. Our agencies need insider threat mitigation to be resilient, focused on the best outcomes, and involved early enough to prevent threats and help our staff become the contributors that they were hired to be.
To view the Enhanced Insider Threat Detection roundtable in its entirety, click here.
