In this interview with Help Net Security, Nathan Hunstad, Deputy CISO at Code42, explains the importance of addressing insider threats, how to make sure your employees are aware of the problem and how to make them proactive.
SOC analysts are well-prepared to deal with external threats. Why are internal threats more complex for them?
Insider risk is a fundamentally different problem than malware or external threats for security teams, which means that protecting data from insiders requires an altogether different approach. Internal threats are more complex for SOC analysts because the intent is not black and white. With external threats, there’s no questioning – it’s a malicious attack and should be dealt with as such. But when potential breaches come from internal sources, like a teammate or even an executive, it’s not always clear whether the offender is even aware of the mistake they made.
Because of this, the approach to addressing insider threats should be far different. SOC analysts need to rely on more than just their own expertise to tackle internal threats, drawing members from both the legal and HR teams into the fold to properly assess the situation. Part of the internal threat investigation process is exploring and unlearning unconscious biases to ensure all individuals are being treated equally, regardless of position, tenure, or background. The human aspect of these investigations, coupled with a less intense block-and-tackle approach, means there is a lot more nuance and complexity to tackling potential internal breaches.
Where does internal threat complexity come from and what is the best way to deal with it?
While insider threats are not a new problem, it has become increasingly urgent to proactively address them. The shift toward a vastly distributed workforce, reliance on cloud tools and digital applications, and employment patterns like the Great Resignation and recent layoffs have contributed to a rise in the exposure, threat and loss of valued data and IP. Many internal breaches are not caused by malicious actors, but by employees simply trying to do their jobs in the most efficient way possible, which could mean utilizing unsanctioned apps, platforms, or tools. While employees are leveraging these tools with the best intentions, they’re typically unaware that their actions have consequences that could impact the entire organization.
Keeping track of the tools they can and cannot use can quickly become too complex or overwhelming to employees who may deprioritize (or simply forget) company-sanctioned security practices in favor of what’s more convenient at the moment. The best way to avoid a data exfiltration incident with an individual at your company is by educating every employee at your organization thoroughly and frequently, and creating a culture of understanding, communication, and empathy among all teams and levels. This shouldn’t be up to the security team alone to tackle – rather, it requires the cooperation of the security, HR, legal, and executive teams to create a truly lasting and impactful culture shift.
How to best approach the investigation knowing the user’s intent was not malicious?
The best approach to an insider-led data incident investigation – even before you know the user’s intent – is to start with empathy. This can be a difficult mindset shift, as dealing with internal folks is way more fraught with challenges – it’s far simpler to triage all risks with the same tools and techniques at our disposal for external threats. However, this is the first step in building trust between the security team and the rest of the organization so the company can ensure the best path forward together.
Taking the time to properly connect with the employee in question, so that you understand their point of view, is essential to making sure the situation is handled appropriately. The “why” is a critical component of any insider-related investigation. And, as with all things, how you go about getting to that “why” is going to make all the difference. For example, maybe the employee was simply trying to accomplish a task and took a shortcut to get it done in time.
Another critical mindset shift is presuming the positive intent of your coworker — rather than assuming guilt. This doesn’t mean giving employees complete freedom with company data, it just means not assuming malintent without evidence. By ensuring you understand the employee’s point of view, and reassuring them that the security team is on their side, you create a dynamic in which both parties are more likely to be honest and can collaborate to find the best path forward.
How to create awareness among users and make sure it has a long-lasting effect?
Most companies hold security training as part of their onboarding process; some may also have an annual training refresh. However, even a once-yearly reminder of security protocols isn’t enough to ensure proper retention. The best way to create awareness among employees and make sure it sticks is to couple annual, biannual, or monthly training refreshes with active, in-the-moment reminders. Education can reduce alert fatigue and drive secure work habits by sending relevant, bite-sized content to inform users, triggered automatically by the actions that put data at risk.
For example, if your company doesn’t allow employees to share data using a specific file-sharing tool and someone tries to use that tool, stop the employee at the time of the event and share a short video about how to properly share files. This will remind employees of company policies and can show them appropriate alternatives to use instead. Guidance at the time of the misstep is highly effective at making sure the lesson sticks.
When it comes to your colleagues, simple education, delivered at the right time, can go a long way toward steering behaviors and building a security-aware culture — to getting end users working with you to mitigate harmful insider behaviors. This shift in approach results in expanded control over the data leaving your organization and secure work habits to decrease future chances of insiders putting data at risk.
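The event-triggered, in-the-moment reminder described in the answer above can be sketched as a small policy loop. The following Python is an added example for this page; it is not part of the interview and not Code42's code. It assumes a stream of file-sharing events with a user, a tool name and a timestamp, a hypothetical allow-list of sanctioned tools, and made-up thresholds: a cooldown so the same person is not nudged twice in an hour for the same tool (the alert-fatigue point), and an escalation count after which the case is handed to a human rather than auto-coached again, which is where the HR and legal partners from earlier in the interview come in.

```python
"""Just-in-time coaching for unsanctioned file sharing (added example).

Not from the interview or any vendor product. Tool names, event fields,
thresholds and coaching text are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed policy: sharing destinations the company sanctions (hypothetical names).
SANCTIONED_TOOLS = {"corp-drive", "corp-sharepoint"}

# Assumed bite-sized coaching content keyed by the unsanctioned tool observed.
COACHING = {
    "personal-dropbox": "Use corp-drive for external sharing: <link to 2-minute video>",
}
DEFAULT_COACHING = "This tool is not approved for company data; see the sharing policy."


@dataclass
class ShareEvent:
    ts: int          # seconds since epoch (constructed for the sample)
    user: str
    tool: str
    filename: str


@dataclass
class Decision:
    action: str      # "allow", "coach", "suppress" or "escalate"
    message: str = ""


@dataclass
class JustInTimeCoach:
    cooldown_s: int = 3600          # do not re-nudge the same user/tool within an hour
    escalate_after: int = 3         # this many misses in the window -> human review
    window_s: int = 7 * 86400       # look-back window for counting repeats
    _last_nudge: dict = field(default_factory=dict)
    _history: dict = field(default_factory=lambda: defaultdict(list))

    def evaluate(self, ev: ShareEvent) -> Decision:
        """Decide what to do with one sharing event, in order of priority:
        sanctioned -> allow; repeated misuse -> escalate to a person;
        recently nudged -> stay quiet; otherwise -> coach right now."""
        if ev.tool in SANCTIONED_TOOLS:
            return Decision("allow")

        key = (ev.user, ev.tool)
        hist = self._history[key]
        # Drop observations that fell out of the look-back window, then record this one.
        hist[:] = [t for t in hist if ev.ts - t <= self.window_s]
        hist.append(ev.ts)

        if len(hist) >= self.escalate_after:
            # Coaching has not changed the behaviour; route to HR/legal/security review
            # rather than sending the same video a fourth time.
            return Decision(
                "escalate",
                f"{ev.user}: {len(hist)} uses of {ev.tool} in window; route to human review",
            )

        last = self._last_nudge.get(key)
        if last is not None and ev.ts - last < self.cooldown_s:
            # Same person, same tool, within the cooldown: avoid reminder fatigue.
            return Decision("suppress")

        self._last_nudge[key] = ev.ts
        return Decision("coach", COACHING.get(ev.tool, DEFAULT_COACHING))


def run_sample() -> list[str]:
    """Feed a constructed sequence of events through the coach and return the actions."""
    coach = JustInTimeCoach()
    events = [                                   # constructed sample input
        ShareEvent(0,    "alice", "corp-drive",       "q3-plan.xlsx"),
        ShareEvent(10,   "alice", "personal-dropbox", "q3-plan.xlsx"),
        ShareEvent(20,   "alice", "personal-dropbox", "roadmap.pdf"),
        ShareEvent(4000, "alice", "personal-dropbox", "customers.csv"),
        ShareEvent(5,    "bob",   "personal-dropbox", "notes.txt"),
    ]
    return [coach.evaluate(ev).action for ev in events]


if __name__ == "__main__":
    for action in run_sample():
        print(action)
```

Running the sample yields allow, coach, suppress, escalate, coach: alice's first misstep triggers the video, the second one ten seconds later is swallowed by the cooldown, and the third within the week goes to a person; bob gets his own first nudge independently. The thresholds are the knobs a team would tune against its own false-positive rate.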
Is there a universal solution to avoid internal breaches or does every company require a different approach?
Every company is different, which means every company will have specific processes and tools that work best for them. Insider risk requires an approach purpose-built to handle the specific nature of threats that come from inside an organization. However, there are insider risk management (IRM) software solutions available that can help automate some of these processes, and there are general steps every company can take to ensure proper compliance and thorough investigations:
- Identify and work to eliminate unconscious biases that may hinder appropriate action.
- Take the time to communicate with the offender to understand their point of view.
- Remind the offender of your supportive partnership to create an environment of honesty.
- Educate the offender about the best alternative courses of action for the future.
- Ensure any leaked or compromised data is handled appropriately.