The Board’s Critical Role in Mitigating Insider Threats

Insider Threat Today

“If everything seems to be going well, you obviously don’t know what’s going on.”
~ Edward Murphy

The insider threat is not a new phenomenon.

There is always a consistent flow of news about companies getting attacked from the outside.

However, insider incidents are not usually reported unless privacy law-regulated data is impacted.

The topic of insider threats has received growing attention due to the high-profile incident committed by Edward Snowden, who was the leaker of confidential information from the NSA.

Insider threats are an intriguing and complex challenge, and some assert they are the organisation’s most significant threat today.

Threats to the organisation’s most precious assets may well come from within.

As many organisations are learning, insider threats can significantly impact their reputation, operations, finances, employee safety, and shareholder value and confidence.

Here are some examples:

  • 2020: JP Morgan Chase – A former employee was convicted for unauthorised trading. He worked in the bank’s London office and engaged in risky trades that resulted in massive losses of approximately $2.3 billion. He concealed these trades by manipulating internal records and exceeding trading limits.
  • 2021: Proofpoint – A former employee stole confidential sales enablement data before starting a new job at competitor Abnormal Security. Alarmingly, Proofpoint’s own solution for preventing data loss (DLP) couldn’t hinder the employee from downloading high-value documents to a USB drive and sharing them.
  • 2022: Yahoo – A research scientist stole proprietary information about Yahoo’s AdLearn product minutes after receiving a job offer from The Trade Desk, a competitor. He downloaded approximately 570,000 pages of Yahoo’s intellectual property (IP) to his personal devices, knowing that the information could benefit him in his new job.
  • 2023: Tesla – Two former employees leaked sensitive personal data to a foreign media outlet. The leaked information included names, addresses, phone numbers, employment records, and social security numbers of over 75,000 current and former employees.
  • 2023: Reddit – An employee was lured into interacting with a deceptive landing page, posing as an internal site, which granted attackers access to select Reddit systems. This incident compromised a database that contained email addresses and logs with user credentials dating back to 2007.

Simply ‘being aware’ of insider risks is not enough for the Board in this “New Normal”, so understanding the criticality of such risk is vital to corporate survival.

Insider threats deserve the heightened attention of leadership so that organisations are equipped to effectively prevent, detect, deter and respond to emerging threats.

If the risks are not understood, and they often are not, the organisation is exposed to untold risk.

For example, the chief information officer (CIO) typically views insider threats from a holistic perspective encompassing technology and information. The chief information security officer (CISO) may view insider threats exclusively through the lens of data activity. A chief security officer (CSO) may view insider threats through the lens of suspicious behaviour as individuals interact with the organisation’s facilities. The human resource manager may view insider threats through the lens of performance feedback.

These fragmented concepts of what constitutes an insider threat do not account for the holistic and complex nature of how individuals interact with the organisation they work for.

Many organisations exist today with an illusion of security, both virtually and physically. That illusion creates a false sense of security.

Insider threats include various acts that can impact an organisation’s brand, reputation, financial standing, and national security.

The Essential Truth Of Insider Threats

“90% find insider attacks equally or more challenging to detect than external cyber attacks.”
~ Cybersecurity Insiders: 2024 Insider Threat Report

Human behaviour is the centre of the problem of insider threats.

Insider threats exist in every organisation because employees, the insiders, form the core of an organisation’s mission and operational plan and are the key drivers of its business objectives.

An insider may be an employee, contractor, vendor, partner, or even a visitor provided with internal access privileges.

It is essential to realise that every insider is a potential threat to the organisation; the degree varies on the surface, but each carries significant risk factors.

Why is that?

It is fundamental to realise that every person in an organisation is unique.

Every person has a distinctive behaviour shaped by their beliefs, values, ideas, desires, thoughts, skills, attitude, motivation and perceptions.

When people go to work, they bring with them their frames of behaviour.

The majority are engaged and positive. Unfortunately, some are disengaged, and a few are counterproductive and harmful.

With that in mind, organisations address such risks by having essential policies and procedures that define employees’ acceptable behaviour.

However, these policies and procedures are rendered useless if employers neglect to adhere to them. Here are some examples:

  • Some insiders may conduct themselves at high risk because their organisation lacks defined policies, training, or communication.
  • Some insiders may use technology illegally to get around compliance systems, placing the organisation in breach.
  • Some insiders may ignore organisation policies and procedures because they are too complicated, convoluted and not adhered to by management.
  • Some insiders may steal intellectual property to start their own competing company, go to a competing organisation or even sell the information to a criminal organisation or a foreign state.
  • Some insiders may commit fraud by funnelling business contracts or jobs to fictitious companies they have created or to criminal partners.
  • Some disgruntled employees may intentionally place malware within the organisation to cause significant disruption and harm.
  • Some insiders are self-serving and will look for any opportunity to misuse information they have access to for their own advantage.

Any person can potentially harm the organisation for which they have insider knowledge, trust, and access, whether accidentally or maliciously.

They can negatively impact any aspect of an organisation, including the operations, finances, reputation, the safety of its people, and its mission.

Understanding current behaviour, shaping that behaviour as needed and predicting future behaviour is necessary to mitigate risk to the organisation. Where this is not done, the risk only increases.

Is Insider Threat On The Rise?

“From 2019 to 2024, the number of organisations reporting insider attacks increased from 66% of organisations to 76%.”
~ Cybersecurity Insiders: 2024 Insider Threat Report

1. Ever-growing technology transformation and innovation

Today, insider threat activity has increased because information is more readily transferable due to the flexibility of technology and the accessibility of the Internet.

To illustrate this, one only has to look at how mobile telephone technology has evolved over the past 20 years to understand the nature of the change.

Children are now metaphorically born with an electronic tablet in their hands. However, they are not born with accompanying computer security books to help them understand the technology they are provided.

More and more people have access, and not just at a basic user level. Mobile technology, remote access and applications introduce a whole new layer of users.

Significantly, insiders no longer need to physically handle information assets.

The increasing volume, value, and spread of proprietary information have increased the threat posed both by malicious insiders who steal information and by those who accidentally leak it.

2. In daunting times of severe stress, anxiety, and fear, employees’ state of mind will be increasingly challenged.

We’ve already seen how the COVID-19 pandemic and a global shift to a distributed workforce have affected people’s well-being.

Quarantining and closures have upended normal operations for nearly every organisation, driving some out of business.

Many workers still on the job have swapped their offices for living rooms.

According to Randy Trzeciak, deputy director of risk and resilience in the SEI’s CERT Division and director of the CERT National Insider Threat Centre, “this unprecedented operational climate has increased risk factors for insider incidents.”

3. Insiders have become the most critical threat any organisation can have, more crucial than competitors.

For many years, we have seen robbers come directly with a weapon to steal money from the bank.

Not anymore. The attacker recruits, bribes or coerces employees for such a task so that no one is aware.

Cybercriminals are actively looking for dissatisfied employees in many organisations who are willing to sell their services to inflict harm on their employers.

Take the example of a Russian citizen who offered an employee $1 million to plant malware in the US network of electric car maker Tesla.

The goal was to steal data from the automaker and threaten to release it unless Tesla paid a ransom.

Fortunately for Tesla, the unnamed employee reported the hacking attempt to the automaker. The employee then began secretly assisting the FBI in gathering evidence against the Russian, which led to his arrest.

We want to believe our employees are good people. We want to believe that employees are honest, loyal, and have the right integrity. Unfortunately, that is not typically the case.

People are generally interested in taking care of themselves first.

Employees often seek a satisfactory work environment. However, many employees will simply take the job they can get or the job that will pay them the salary they need despite having other interests.

In the end, the employee’s position may not align well with their core values, and the compensation and benefits package may also prove misleading.

Unhappy employees are more likely to make errors through negligence or be disgruntled and circumvent security policies because they can, which may be costly to the organisation.

The only way to find these people before they do irreparable damage to your organisation is by understanding human behaviour and knowing when their activities don’t match their profile.

The 2024 Insider Risk Investigation Report by DTEX Systems found that 15% of employees take sensitive IP when they leave their organisation. It also highlighted that 76% of departing employees take non-sensitive proprietary information.
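The two paragraphs above make a detection point: an insider is found when activity stops matching the person’s own profile, and departing employees are the population most likely to take proprietary information. The following is an added illustration, not code from the article or from DTEX, of how a security team can turn that into a check: a per-user baseline of daily file-access counts and upload volume, a first-use check for removable media, and a tighter threshold plus higher priority for users who have given notice. All activity records, user names and the `DEPARTING` set are constructed sample data; thresholds and the sigma floor are assumptions.

```python
"""Flag daily insider activity that departs from a user's own baseline.

Added example. The records, users, thresholds and the notion of a
"departing" list are all constructed for illustration.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# One daily record per user: (user, day, files_accessed, mb_uploaded, removable_media_used)
Record = Tuple[str, int, int, float, bool]


def build_history() -> List[Record]:
    """Constructed 14-day baseline for two users, plus day 15 under review."""
    rows: List[Record] = []
    for day in range(1, 15):
        rows.append(("alice", day, 40 + day % 3, 12.0 + day % 2, False))
        rows.append(("bob", day, 25 + day % 4, 8.0, False))
    rows.append(("alice", 15, 43, 13.0, False))    # indistinguishable from her norm
    rows.append(("bob", 15, 610, 2400.0, True))    # bulk pull and first-ever USB use
    return rows


@dataclass
class Finding:
    user: str
    day: int
    zscore: float
    reasons: List[str] = field(default_factory=list)
    priority: str = "medium"


def zscore(value: float, history: List[float]) -> float:
    """Standard deviations above the user's own mean.

    A floor of 1.0 on sigma (an assumption) keeps a perfectly flat history
    from turning any tiny change into an infinite score.
    """
    sigma = max(pstdev(history), 1.0)
    return (value - mean(history)) / sigma


def analyse(rows: List[Record], review_day: int, departing: Set[str],
            threshold: float = 3.0) -> List[Finding]:
    """Compare each user's review_day activity against their prior days."""
    by_user: Dict[str, List[Record]] = {}
    for rec in rows:
        by_user.setdefault(rec[0], []).append(rec)

    findings: List[Finding] = []
    for user, recs in by_user.items():
        history = [r for r in recs if r[1] < review_day]
        today = [r for r in recs if r[1] == review_day]
        if not history or not today:
            continue
        _, day, files, mb, usb = today[0]

        # Departing users get half the deviation allowance (assumed policy).
        limit = threshold / 2 if user in departing else threshold
        z_files = zscore(files, [r[2] for r in history])
        z_mb = zscore(mb, [r[3] for r in history])

        reasons: List[str] = []
        if z_files > limit:
            reasons.append(f"{files} files accessed, {z_files:.1f} sd above baseline")
        if z_mb > limit:
            reasons.append(f"{mb:.0f} MB uploaded, {z_mb:.1f} sd above baseline")
        if usb and not any(r[4] for r in history):
            reasons.append("removable media used for the first time")
        if not reasons:
            continue

        findings.append(Finding(
            user=user, day=day, zscore=max(z_files, z_mb), reasons=reasons,
            priority="high" if user in departing else "medium"))
    return findings


if __name__ == "__main__":
    for f in analyse(build_history(), review_day=15, departing={"bob"}):
        print(f"[{f.priority}] {f.user} day {f.day}: " + "; ".join(f.reasons))
```

The baseline is deliberately per user rather than per organisation: bob’s 610 files would be unremarkable for a data analyst but is far outside his own history, which is exactly the mismatch between activity and profile the text describes. In practice the `DEPARTING` set would come from HR, which is one concrete reason the article’s later call for cross-functional collaboration matters.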

4. The attack surface for insider threats is wider.

The insider population can include employees, third-party contractors, supply chain vendors and more.

The use of trusted business partners is common today. Organisations have traditionally outsourced primarily to cut costs.

But today, it is about cutting costs and reaping the benefits of strategic outsourcing, such as accessing skilled expertise, reducing overhead, flexible staffing, increasing efficiency, reducing turnaround time and eventually generating more profit.

Unfortunately, organisations often fail to recognise the increased risk of providing insider access to their networks, systems, information or premises to those individuals and organisations with whom they collaborate, partner, contract or otherwise associate.

For example, MyPayrollHR, a now-defunct cloud-based payroll processing firm based in upstate New York, abruptly ceased operations in September 2019 after cheating employees at thousands of companies.

It is alleged that the CEO was involved in wrongdoing and misconduct, which resulted in countless people having money drained from their bank accounts and left nearly $35 million worth of payroll and tax payments in legal limbo.

5. State-sponsored attacks are on the rise.

The latest 2024 Insider Risk Investigation Report by DTEX Systems found a 70% increase in foreign interference since 2022.

Foreign states can directly employ hackers through their militaries and government authorities. They can also fund them indirectly. This makes denying the state’s involvement easier if the attack is detected. This, in turn, can decrease the diplomatic repercussions these attacks can have. It also blurs the line between criminal organisations and government groups.

An excellent example of such an attack was when one of Apple’s engineers was accused of sharing information about the company’s autonomous vehicle program with the Chinese government.

The engineer was allegedly a malicious insider who was wilfully acting on behalf of the Chinese government to steal trade secrets.

The Importance Of Board Oversight

“Leadership and learning are indispensable to each other.”
~ John F. Kennedy

This quote by former President Kennedy addresses one of the essential elements of effective leadership: knowledge.

In the context of leading an enterprise, not only are its leaders expected to establish a tone at the top of the organisation for high ethical standards, but board members must establish a safe and sound governance framework and provide active oversight to their organisation.

Now that the importance of Insider Threats has been established, the next step is to understand the exact nature of the role that the board members need to play.

In its role of oversight, the Board not only looks at the organisation’s financial systems and controls but is also duty-bound to oversee its overall cybersecurity and insider risk management, including appropriate risk mitigation strategies, systems, processes, and controls.

From a governance perspective, one of the most important priorities for the Board is to verify that management and executives have a clear perspective on how the business will be affected and have the appropriate skills, resources, and approaches in place to minimise the likelihood of an insider threat incident and to mitigate any damage that does occur.

The following are a few ways to create a solid ecosystem to enable Insider Risk decisions at the Board level:

1. Protection of Crown Jewels

With the advent of advanced adversaries, there will always be gaps in security controls, making it impossible to protect everything.

The best practice is to look at high-value assets or crown jewels (which may differ from one organisation to another according to industry-based regulations) and have risk or value-based governance mechanisms around them.

These risk categorisations will be an essential input to the cyber strategy and help the Board evaluate the risks to be accepted, mitigated, transferred, etc.

2. Cultural awareness

There is a strong recognition of the Board’s responsibility in setting the “tone at the top.”

The Board’s mission is to provide oversight and strategic support for management efforts to create long-term value.

There is real rigour and maturity around financial performance, and the same needs to be done with culture.

Culture is the most critical enabler of successfully implementing a strategy for managing internal behavioural risk.

While many programs focus on catching and responding to negative behaviours, it’s also important to directly and vigorously address the cultural issues that drive insider threats.

Traditional security management practices constrain users, monitor their behaviour, and punish misbehaviour. Such negative incentives attempt to force employees to act in the organisation’s interest and, while relied upon extensively, can result in unintended negative consequences.

Organisations that have successfully addressed risky human behaviour have done so by shaping a positive workforce environment, that is, a positive culture.

A positive corporate culture in which employees are engaged, rewarded, and supported can decrease malicious and accidental insider risks, such as data loss, data theft, insider trading, and others.

Ethical values should ideally align with an organisation’s purpose. If they do not, the risk only increases.

3. Stakeholder engagement

The insider threat is not just a chief information security officer problem.

It extends across the organisation and its business areas and affects all aspects of the operation, including profitability and the ability to deliver mission readiness and performance.

Mitigating insider threats is a shared responsibility that requires collaboration and ongoing coordination across functional areas (e.g. Information Technology, Information Security, Physical Security, Human Resources, Legal & Privacy, Ethics and Compliance, Finance, and Business Operations).

This group will be responsible for defining risk tolerance, critical assets and the path forward for developing and implementing a comprehensive risk management program.

Strong executive leadership must support this effort, help overcome resistance to sharing data, change policy where needed and mitigate territorial conflicts.

4. Adoption of a formalised program

A formal insider threat program demonstrates the organisation’s commitment to due care and diligence in protecting its critical assets.

A formal program is not only critical but essential for providing consistent and repeatable prevention, detection, deterrence, and response to insider incidents within an organisation.

A formalised program sets out the mission, scope, implementation and oversight of the organisation’s insider threat efforts. The formal program provides a measurable investment, effort, and outcome regarding the organisation’s capability and journey to minimise the risk from insider threats.

5. Board’s governance role

The Board’s governance role is pivotal in ensuring the organisation’s overall strategic oversight, particularly concerning cybersecurity and risk management.

As part of their fiduciary duties, board members must ensure that the organisation’s strategic direction includes comprehensive risk management frameworks that address potential insider threats.

In addition to strategic oversight, the Board is crucial in developing and endorsing robust security policies and procedures.

This includes setting clear guidelines for employee behaviour, data access, and incident response.

The Board must collaborate with senior management and executives to ensure these policies are comprehensive, well-communicated, and enforced throughout the organisation.

By endorsing and implementing rigorous security policies, the Board helps create a secure environment that mitigates insider threat risks, reinforcing its role in fostering a culture of security and compliance.

6. Legal and regulatory compliance

Today, civil liberties and the protection of privacy are constantly in the public eye.

The Board has a crucial responsibility to ensure the organisation complies with relevant laws and regulations governing data protection. It is essential to work with privacy officers and legal counsel.

Failing to address insider threats adequately can lead to severe legal and financial repercussions.

Non-compliance with data protection and cybersecurity regulations can result in substantial fines, legal actions, and a loss of customer trust.

The Board must understand the potential consequences of security breaches, including the costs associated with data breaches, regulatory penalties, and the long-term impact on the organisation’s reputation.

Conclusion

As board members, your active involvement in mitigating insider threats is essential for your organisation’s overall security and ability to recover from potential challenges.

You play a vital role in safeguarding the organisation by proactively overseeing strategies, policies, and procedures related to insider risks.

Through continuous monitoring, robust reporting processes, and a focus on developing strong policies, you help create an environment of security awareness and vigilance throughout your organisation. Your engagement goes beyond addressing immediate risks – strengthening your long-term stability and reputation.

Prioritising cybersecurity and risk management shows your commitment to protecting organisational assets, maintaining compliance with regulations, and fulfilling your fiduciary duties as a board member.

Ultimately, a well-informed and actively engaged Board provides leadership, guiding you through the complex landscape of insider threats. Your involvement ensures your resilience against evolving security challenges.

As the governing body, your investment in insider threat mitigation is indispensable. With your oversight and direction, you can prevent issues and be better prepared to manage any that do occur. Focusing on this critical area directly contributes to your organisation’s success and longevity.

Your Next Best Step

There is nothing like taking concrete steps.

Taking action is crucial to protecting your organisation’s assets and reputation.

The insider threat could be happening right now, but how would you know about it?

By implementing concrete steps, the Board demonstrates a commitment to proactive risk management and ensures the organisation’s resilience against insider threats.

Inaction leaves your organisation vulnerable and signals that measures to mitigate such risks are unimportant.

What Is Your Next Best Step?

Your next step is taking ownership of the challenge and prioritising it within the organisation.

  • Collaborate with management and executives to gain insight into the current insider threat risk management strategy.
  • Conduct a thorough capability risk assessment to evaluate the organisation’s capability to prevent, detect, deter and respond to insider threats.
  • Implement the recommendations and suggestions outlined in the risk assessment report.