Recently, the federal Office of Management and Budget (OMB) unveiled its Cybersecurity Strategy and Implementation Plan. Among many things, the report highlighted the risk of insider threats.
OMB said federal agencies too often focus exclusively on outsider threats, and rarely give enough credence to threats initiated inside the organization. According to Gartner, more than 70% of unauthorized access to data is committed by an organization's own employees. And a recent survey of IT managers sponsored by Symantec found that 45% of respondents said they have been targeted by an insider threat in the past year, and 29% report that their agency has lost data as a result.
OMB’s plan calls for federal agencies to embrace stronger identity and access management, including the use of Personal Identity Verification cards, and to bolster employee training on security issues.
Insider threats are a significant reason for concern to private sector organizations, too, and savvy CIOs know they need to be addressing this issue as well. Fortunately, the Symantec survey also indicated that organizations are warming up to the fact that they need to protect themselves from threats posed by insiders. Seventy-six percent of respondents to the Symantec survey said that they are more focused on combating insider threats today than they were a year ago, and 55% said that their agency has a formal program in place to address the issue.
What can CIOs do to prevent insider threats?
Experts suggest CIOs take a multi-pronged approach to preventing insider threats, starting with careful hiring practices and background checks.
However, many insider threats actually carry no malicious intent, but instead are the result of weak access controls and a lack of employee awareness. CIOs should therefore also provide education and training throughout the organization, from entry-level employees all the way up to the CEO.
“Training is most effective to better understand and prevent unintentional threat risks -- from top to bottom. Every user is a critical part of an agency's cyber defense. In many ways, they are on the front line,” said Ken Durbin, unified security practice manager with Symantec's public sector division. “The more often agencies remind their employees to update passwords, and other protocols to prevent breaches, the more likely they will be to comply and be willing to help defend the network.”
In addition to training, CIOs can conduct an audit to determine which data and systems within the organization need the strongest protection. Based on that assessment, they can then prioritize and establish matching security, access, and system monitoring policies.
Organizations can also employ a variety of technology solutions to help enforce data access and protection. For example, Identity and Access Management systems can be used to prevent unauthorized users from gaining access to systems, Data Loss Prevention Systems can be used to restrict what employees can do with information, and Privileged User Management Systems can be used to control which enterprise systems users have access to.
One caveat: CIOs should also be careful not to introduce security controls that restrict employees so much that they have to resort to unauthorized processes to get their jobs done.
Finally, CIOs should plan to conduct regular, detailed security audits as well as run regular background checks on employees who have access to sensitive data.