More companies and federal agencies have chief information officers than ever before, and keeping data safe in the age of disruption is a complex task. The age of the desktop computer as the main means for transferring and receiving information is over, and as more organizations shift to digital, effective insider threat mitigation becomes more essential.
A panel of insider threat experts converged at the Forcepoint Cybersecurity Leadership Forum on Wednesday at the Newseum in Washington. Mark Hakun, the deputy CIO of the National Security Administration, Brig. General Kevin Nally, CIO of the U.S. Secret Service, and Michael Theis, the chief counterintelligence expert at Carnegie Mellon University, made a few recommendations for companies and agencies in developing insider threat plans.
1. Know your critical assets
“You have to know what your critical assets and your critical business processes are first, because that’s your highest priority for protection,” Theis said. “Then, once you know that, then you have to figure out what you’re trying to protect it from. Every agency is going to be different.”
But what are you protecting against: outside attackers, insider threats or malicious and unintentional threats?
“If you can prevent a regular user from doing something malicious, you’re probably preventing most of those outside attack issues as well,” Theis said. “From our perspective, prioritize it based on what your mission is, what you’re trying to protect and what you’re trying to protect it from.”
2. Authentication: know who’s on your network
“It has to be comprehensive. You can’t just cover a segment of your network, you have to do it from end to end. You have to think every device is now on the network. Where it just used to be the desktop, it’s now the mobile phone, the iPad,” Hakun said.
“I would emphasize the authentication piece, making sure you know who is logged on and making sure they have the authority to go do that,” he added.
3. Know your people
Nally, who declined to reveal specifics on the U.S. Secret Service’s insider threat program, said that it is the best in the country.
“Get to know your people,” Nally said. “As much information as you can obtain from them that they’re willing to provide to you. Are they a potential threat to you, not physically, but are they a potential threat to your organization or your agency? Are they having financial troubles, are they in a relationship that they are having difficulties with, kids, travel? Just get to know them so you can be aware.”
4. Continuous evaluation
A majority of employees who engage in fraud do so after being employed for between five and eight years – after background screenings and security clearances have long since been issued, Theis said, adding that Carnegie Mellon University is working on predictive tech that will detect unintentional problems with an employee’s performance before they occur.
“When you hire a person, you’ve done a background screening and you’ve made a judgment of trust, but when do we reevaluate the judgment of trust?” Theis said. “We realized that just like regular malicious insider threat, which has different categories like IT sabotage and fraud and intellectual property theft, that unintentional has different categories as well.”
“…Then we started looking at how could you baseline the unintentional. In other words, if you know what a person’s baseline is, could you determine that they might turn into an unintentional problem? So that’s kind of the next phase that we’re taking that to.”
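The “baseline” idea Theis describes, as an added illustration that is not code from the article, the panel or Carnegie Mellon’s research: each user gets a baseline built from their own trusted observation period, and later activity is compared against that baseline rather than against a single organization-wide threshold. The daily file-access counts, the user names, the seven-day window and the z-score threshold are all constructed assumptions for the example.

```python
"""Per-user activity baselining (illustrative, constructed data).

Builds a baseline of daily file-access counts for each user from an initial
observation window, then flags later days that deviate sharply from that
user's own normal. A fixed z-score cut-off is an assumption for the example;
a real continuous-evaluation program would combine many signals and route
flags to human review rather than treating them as a judgment of trust.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (user, day, files_accessed). Not real data.
SAMPLE_ACTIVITY = [
    ("alice", 1, 40), ("alice", 2, 45), ("alice", 3, 38), ("alice", 4, 42),
    ("alice", 5, 41), ("alice", 6, 44), ("alice", 7, 39),
    ("alice", 8, 310),  # sudden spike relative to alice's own baseline
    ("bob", 1, 200), ("bob", 2, 210), ("bob", 3, 190), ("bob", 4, 205),
    ("bob", 5, 198), ("bob", 6, 215), ("bob", 7, 202),
    ("bob", 8, 220),    # high in absolute terms, but normal for bob
]


def build_baselines(events, window_days):
    """Return {user: (mean, stddev)} of daily counts over the first
    `window_days` days, which stand in for the trusted observation period."""
    per_user = defaultdict(list)
    for user, day, count in events:
        if day <= window_days:
            per_user[user].append(count)
    return {user: (mean(counts), pstdev(counts)) for user, counts in per_user.items()}


def flag_deviations(events, baselines, window_days, z_threshold=3.0):
    """Return (user, day, count, z) for post-window events that deviate from
    the user's own baseline by more than `z_threshold` standard deviations.
    Users with no baseline are skipped; a flat baseline uses sigma = 1 to
    avoid division by zero."""
    flagged = []
    for user, day, count in events:
        if day <= window_days or user not in baselines:
            continue
        mu, sigma = baselines[user]
        sigma = sigma if sigma > 0 else 1.0
        z = (count - mu) / sigma
        if abs(z) > z_threshold:
            flagged.append((user, day, count, round(z, 1)))
    return flagged


if __name__ == "__main__":
    baselines = build_baselines(SAMPLE_ACTIVITY, window_days=7)
    for user, (mu, sigma) in sorted(baselines.items()):
        print(f"{user}: baseline mean={mu:.1f} stddev={sigma:.1f}")
    for user, day, count, z in flag_deviations(SAMPLE_ACTIVITY, baselines, 7):
        print(f"review: {user} day {day} accessed {count} files (z={z})")
```

The point of a per-user baseline is visible in the sample: bob’s 220 files on day 8 is far above alice’s spike in absolute terms yet is unremarkable for bob, while alice’s 310 is many standard deviations outside her own history. An organization-wide threshold would get both cases wrong.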