A Beginner’s Guide to Insider Threat With Industry Expert Stacey Champagne
Stacey Champagne monitors and investigates events of employee theft, fraud, and sabotage as the Insider Threat Program Lead at Blackstone, one of the world’s leading investment firms. Radar asked her some essential questions that senior management need to be aware of as the corporate lens focuses more on the dangers that lie within.
How do you best define insider threat and risk?
An insider threat is a person who has or had authorized access to organizational assets, and used that access to maliciously or unintentionally act in a way that could harm the company. Insider risk is managing the prevention, detection, and response to/of these individuals.
What are the biggest challenges in addressing it?
The misconceptions of what it takes to “prevent” insider threats. An insider threat program is the last line of defense when other organizational processes have failed. An insider risk team can do its best to detect indicators as far to the “left of boom” as possible, but if your organization really wants to get ahead of the problem, they have to be willing to face the root cause. Oftentimes that means addressing company culture, business practices, technology inefficiencies, etc.
Another challenge is finding the right balance of security controls so as not to impede legitimate business operations. If a company is going to block a particular behavior of concern, such as uploading documents to cloud storage, they should be prepared with an approved solution to accomplish the same goal in a secure manner. Business-justified exceptions will undoubtedly arise. Generalized policies often only work out for a few use cases; therefore, it’s important for an insider threat program to gain as much knowledge about the daily workings of all roles and tailor their approach accordingly.
While every enterprise is different, in general, where are the biggest vulnerabilities and how do you perform an effective risk assessment to best place the business to protect itself?
Organizations are expected to move at lightning-fast speed and SaaS is making it easy to introduce new ways of working, practically overnight. A key vulnerability for all organizations is employees leveraging these technologies and storing/sending work product through them without consulting their cybersecurity and/or technology teams. The employee may not think they’re introducing any risk, and maybe that one application in itself isn’t a big concern; but if it can be linked to other resources, both insiders and outsiders can get creative when it comes to using multiple tools in an ecosystem to achieve their goal.
Cybersecurity teams can anticipate this potential risk and suggest mitigating controls, but they have to know about its existence first.
What methods are best to mitigate the risk pre-event, at impact and post-event?
Pre-event: Cybersecurity education and awareness – and not just once a year through a slide deck. Clear channels of reporting in the fashion of “see something, say something”. Well-defined processes and resources that instruct how to transfer approved, work-justified or personal data out of the organization. This last point will enable your insider threat analysts to focus on truly abnormal behavior, as opposed to employees simply trying to do their job.
At impact: Listen to those who are trained in digital forensic investigations and follow their directions, or let them lead the way (and if you don’t have someone in your organization that fits the bill, get one). Every decision, every conversation, matters and can make all the difference if the situation ends up in court or the public eye.
Post-event: Gather all parties involved to walk through what happened, not just with the employee(s) but on the back-end with your relevant teams (HR, legal, cybersecurity) and determine whether there should be changes to people, technology, and/or processes to mitigate the likelihood of a future event.
Stacey Champagne is the Insider Threat Program Lead at Blackstone. She holds multiple certifications including Certified Forensic Computer Examiner (CFCE) and Insider Threat Program Manager (ITPM). Stacey earned her MS in Security and Resilience Studies with a focus on Cybersecurity Policy from Northeastern University, and a graduate certificate in Cybercrime Investigation and Cybersecurity from Boston University.