On August 22, Carnegie Mellon University’s Software Engineering Institute (SEI) hosted a webcast with Dan Costa: Institutionalizing the Fundamentals of Insider Risk Management. The discussion focused on the practicalities of Insider Risk Management programs and procedures becoming embedded within an organization’s culture, covering topics such as inter-departmental communication, determining what constitutes a critical asset, and the risks and rewards of AI in the risk mitigation sphere. The conversation emphasized the importance of having both traditional mitigation tools like Endpoint Security software, and proactive, people-oriented solutions.
Institutionalizing Insider Risk Management
Insider Risk Management (IRM) is the act of controlling data security risks that originate from within one’s own organization. Institutionalizing IRM refers to the controls, configurations, policies, and procedures of IRM becoming part of the fabric of the organization. The goal is for standard Insider Risk Management processes to be ‘the way things are done around here.’ IT professionals and data security experts want the behaviors and processes to stick and become part of daily operation within the organization.
People and Risk Management
A theme reiterated throughout the webcast was that insider risks are not technology problems; they are people issues. Endpoint protection software, top-notch physical security, and cutting-edge hardware cannot be expected to wholly compensate for issues that stem from human error or malicious intent. Many insider threats can be boiled down to miscommunication between departments within the same organization. For example:
- Has HR alerted IT that an employee has been fired and his access to important systems needs to be revoked?
- Does an employee still have access to sensitive financial data from a project she is no longer assigned to?
The IT team’s job is to manage the technical controls and allow access when someone needs it, not to identify who should or should not be given this access. It is up to HR and management to make choices as to who needs authorization and communicate those changes to the IT department in a timely manner.
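One way IT can catch the miscommunications above mechanically is to reconcile HR's roster against its own access grants and flag every grant HR no longer justifies. This is an added example, not code from the webcast, SEI, or DriveStrike; the roster, grants, and field names are constructed for illustration.

```python
"""Reconcile HR status against IT access grants to find access that should have been revoked."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    user: str
    status: str            # "active" or "terminated" (constructed status values)
    projects: frozenset    # projects the employee is currently assigned to


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    project: str           # the project assignment that justifies this grant


# Constructed sample data: what HR knows versus what IT has provisioned.
HR_ROSTER = [
    Employee("alice", "active", frozenset({"ledger-2024"})),
    Employee("bob", "terminated", frozenset()),
    Employee("carol", "active", frozenset({"payroll"})),
]
IT_GRANTS = [
    Grant("alice", "finance-db", "ledger-2024"),
    Grant("bob", "finance-db", "ledger-2024"),     # bob was fired; access never revoked
    Grant("carol", "finance-db", "ledger-2024"),   # carol moved to payroll; grant is stale
    Grant("dave", "hr-share", "payroll"),          # no HR record for this account at all
]


def find_orphaned_access(roster, grants):
    """Return (user, resource, reason) for every grant that HR data does not justify."""
    by_user = {e.user: e for e in roster}
    findings = []
    for g in grants:
        emp = by_user.get(g.user)
        if emp is None:
            findings.append((g.user, g.resource, "no HR record"))
        elif emp.status != "active":
            findings.append((g.user, g.resource, "employee terminated"))
        elif g.project not in emp.projects:
            findings.append((g.user, g.resource, f"not assigned to {g.project}"))
    return findings


if __name__ == "__main__":
    for user, resource, reason in find_orphaned_access(HR_ROSTER, IT_GRANTS):
        print(f"REVOKE {user} on {resource}: {reason}")
```

Run on a schedule, the output is a revocation work list that does not depend on HR remembering to email IT.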
There is a great risk of such miscommunication if the entire IRM program is spearheaded by one charismatic and engaged leader. If that leader retires or leaves for whatever reason, non-codified changes to the risk management system could collapse. A more sustainable IRM model must be adopted.
Limited Resources
With limited resources, how can an organization create a stable Insider Risk Management plan that can be institutionalized easily? The first thing to do is check your organization’s security posture in commonly exploited areas. Are there noticeable weaknesses?
Once you know where improvements can be made, consult the research to begin shoring up your defenses. SEI created the Common Sense Guide to Mitigating Insider Threats from research done over the course of more than two decades. This guide can form a good starting place for an overhaul of your IRM plan.
For example, in the webcast, Costa outlined the importance of institutionalizing an understanding of what must be protected. IT cannot defend critical assets if they are not informed what those are, and who needs to have access to them.
Material is generated constantly — an organization must ensure that their IT team can properly credential new hires and secure assets. This requires HR, management, and other departments to keep IT informed about new sensitive data and regularly update records of which employees need access to what resources.
All sorts of factors may determine whether material is critical or not: geopolitical stressors, project timelines, competitor actions, or regulatory updates can all play a role in the ebb and flow of necessary data protection.
When IT is properly informed, it can serve as the action arm to identify suspicious activity, remove threats, and maintain a proper defensive posture using the tools at its disposal. The IT and Data Security teams are integral parts of a strong Insider Risk Management plan.
Tools for Success
There are many unique options for mitigating insider threats. Physical safety devices, such as locked storage for hardware and paper files, are a tangible means for protecting sensitive data.
There are also software tools such as DriveStrike that can help protect endpoints. These tools perform vital functions such as remotely locking devices, destroying sensitive data on devices that have been taken without authorization with a Remote Wipe, and managing device encryption.
A good insider risk management plan will combine insights from security software, physical data, HR information, telemetry from supervisors, and regular audits to establish a baseline of normal employee behavior. This baseline allows anything that falls outside the norm to be picked up by IT staff or by software that tracks changes automatically.
Data security is evolving constantly, so it is important that IRM plans are not designed around one specific piece of software, form of hardware, or configuration. It is costly and time consuming to create a new plan every time upgrades are available. A good Insider Risk Management plan is tool-agnostic, meaning it does not depend solely on any one tool to complete its objectives.
It is never too late for an organization to begin writing its technology requirements in a tool-agnostic way! Shifting to this method of recording configurations and requirements will save time and money in the long run.
Working With People
No organization can manage risk to zero – every human who is brought into an organization to perform a function gains access to material at some level, and can make mistakes or act in a way that exposes that data to unauthorized parties. Creating an Insider Threat Mitigation Plan means that multiple research-based methods are used to secure critical assets and sensitive information. Consider:
- How could a threat actor access this information?
- What is the likelihood this information will be used incorrectly?
- How would the incorrect use of this information impact the organization?
The growing use of AI means that more and more critical assets are being accessed or monitored by autonomous programs. Similar defensive steps can be taken to avoid risks even if the insider is a program: establishing baselines, watching for abnormal behavior, and requiring human engagement to access certain material or perform certain actions can all serve to reduce this risk.
Insider Risk Management cannot be accomplished solely with hardware and software — as insiders are often people, relational methods of managing risk are a must.
Having the trust of your employees is essential. Without a clear understanding of what information is being collected, and for what purpose, anger and frustration can develop. For example:
- Why do you need to be reading my emails? This is a violation of privacy!
- I think the public needs to know about this information! Why is it being kept private?
- Having access to this information would make my job much easier! Why can I no longer access this data?
Any change to an Insider Risk Plan needs to be phrased clearly, stressing how these protocols strengthen the organization. The trust and camaraderie in your organization are important to allow for employee buy-in, which is essential for institutionalizing these actions. If the goal is not clear, trust will be damaged.
Individuals in a company are less likely to inadvertently or maliciously act against an organization by taking data if they feel they have a strong relationship with their co-workers and organizational leadership. Costa discussed how positive controls, such as increased internal support, are just as important as negative or deterrent-based controls in this arena. Taking proactive steps to resolve workplace conflict and establishing trust across an organization will aid in institutionalizing updates to your Insider Risk Management Plan. Offer data privacy and security training, and clearly outline the IRM plan and why it is essential.
Creating an Insider Risk Management Plan
Costa emphasized in his presentation the importance of having a tool-agnostic, research-based Insider Risk Management Plan to secure critical assets within an organization. Today is a good day to assess your organization’s current plan and begin institutionalizing changes that will secure your data for years to come!