Spend time with retired four-star General James Jones and you will likely hear his ominous bifurcation of companies into “those that have been a target of a cyberattack, and those that will be.” As a former U.S. National Security Advisor to the President and Commandant of the Marine Corps, General Jones dedicated his career to understanding, mitigating and preventing security risk at every level.
Commercial industry has been actively addressing cyber risk for decades, yet attacks have only increased in frequency and severity. Most people associate cybercrime with external threats: nation states and criminals hacking into a company’s network from the outside. A great deal of investment has accordingly gone toward protecting the perimeter and keeping these bad actors out. The reality is that cybercrime is committed by a combination of individuals outside and inside a company. Insiders, the people the company itself recruited or hired, often account for about half of the financial loss and crime.
Criminal theory tells us that crime is a function of motivation and opportunity. To address the rising concern of insider threat, most organizations have focused almost entirely on the opportunity side of this equation: monitoring digital activity within the workplace and controlling access to limit opportunity. This form of internal network monitoring may cover access to and movement of files, folders and documents, visits to websites, and internal email communication. The objective is to identify, understand and document suspicious, illicit or illegal activity and then limit or shut down access to sensitive, confidential or financial data.
Think of this as the final line of defense. By the time it triggers, the threat is already active and the crime is being attempted. The plan is to identify the initial activity quickly enough to remove or negate the opportunity and protect the organization from a crime in progress.
Today, companies are not only defending against cybercrime in progress but also aiming to stop emerging insider threats by expanding their focus to the human side of this risk. Most cyber experts agree that people (employees) are usually the most vulnerable link in a company’s cyber defense. Many organizations view this employee risk through the lens of careless keystrokes or poor cyber hygiene (“do not click that link,” “do not open that document,” “do not use the word ‘password’ as your password”). This kind of human risk is a function of undereducated or inadvertent behavior. Risk caused by negligent behavior can be reduced, though rarely eliminated, through proper training and procedure.
Unfortunately, not all human risk is driven by error. Insiders can also consciously engage in illegal activity, so companies must understand and address the motivational side of crime as well. Employees do not simply show up for work one day and decide to defraud their company or commit an act of cybercrime. Specific events and circumstances pre-date workforce crime.
The key for companies is to identify those employees who are susceptible to committing an illegal act or vulnerable to the influence of nefarious external actors looking to exploit them for financial gain. These are employees who, unbeknownst to their company, are under criminal, financial or other personal stress. They are the hardest threats for an organization to defend against: because of their insider status, they know the company’s defense systems and can work to bypass or suppress them.
For the good of the employee, coworkers and the organization, companies must stay aware of material changes to employee behavior both inside and outside the workplace. Know-your-employee initiatives emphasize the need to build a holistic picture of each employee over time, as well as the timely identification of aberrations or unusual patterns of high-risk behavior (for example, repeat or escalating criminal activity outside the workplace, or sudden and drastic changes to someone’s personal financial condition). Behavior that would have been disqualifying in the hiring process may occur six months, a year or five years later and remain undetected, and therefore unadjudicated, by the organization.
People’s lives change all the time for common reasons (e.g., they get married, have children, buy and change homes, care for family members, pay for college and/or cope with medical challenges). Significant change can produce personal stress that is often temporary or is addressed through constructive and positive behavior. Sometimes, however, high levels of stress spiral out of control, and often this is not obvious to family, friends, coworkers or managers.
The human side of cyber risk management is inherently people-oriented. The key for any organization is finding the balance between the risk management goal of protecting the organization and the personnel goal of building a culture of trust. The answer is not to accumulate as much employee data as possible (i.e., sifting through good and bad behavior in the hope of finding risk). Nor is it to continually rerun background checks or to monitor the everyday, ordinary behavior of your employees once they leave the office.
The solution must be event-based, visible in real time, actionable and driven by the specific behaviors your organization deems high-risk within the context of your industry, your company and each employee’s role. For example, a company would almost certainly define a financial controller being arrested for check fraud, or an employee who drives a company car being arrested for DUI, as high-risk behavior. Contextual policy matters because not every employee has the same level of access to financial transactions, customer personally identifiable information, credit card accounts or other sensitive data; certain roles are mission critical, and for those roles timely alerting is essential to risk mitigation.
The solution must also respect the rights and privacy of employees. Technology can help standardize execution, ensure legal and regulatory compliance, drive proactive and transparent cyber risk policy and, most importantly, reduce personal bias and ad-hoc judgmental decision-making. That is how you strike a balance that protects both the organization and the individual.
Finally, insider risk management is not limited to protecting the organization from cybercrime. With early leading indicators and warning signs of behavioral risk, companies can assist employees who need help but are not asking for it. The company can intervene at a point when behavior can still be positively modified through training, counseling or one-on-one interaction. Course-correcting behavior improves an employee’s prospects in a current role and over a long-term career. The ultimate win is realized when a company prevents insider risk from developing well before it places an employee’s job at risk or becomes an actual insider threat to the organization.
For information on how you can identify where your organization is most vulnerable to a cyber-attack, please visit: http://www.acams.org/cyber-enabled-crime-training/.