Insider Threat and Risk – The Person Sitting Next to You Might be the Biggest Risk to Your Company
Radar outlines the emergence of a new internal force within corporations, designed to raise awareness and prevent the potential liability that every organisation now faces from insider threat. It also covers some of the new, innovative ways that firms are protecting themselves and their employees.
Cyber strikes fear into all – corporations, regulators, individuals. It is, without a doubt, the single biggest threat in most people’s minds related to the extensive dependency on the internet, open data, personal devices and the growing availability of new services offered through the cloud. The digital environment, for all its advantages, is a landscape that is largely un-policed – the only real antidote right now is the weak hope that awareness and education will keep everyone safe. Despite the efforts to post large signposts for all as they go about this digital world (abandon hope all who enter here – be extremely careful with your data, funds, personal information – pickpockets are known to work extensively in this area), the sad fact is that right now the organised criminals who have transferred their attentions to this new vulnerability are winning with remarkable ease. Their sophistication is catching the innocent unawares and is making this trend very hard to reverse.
Close to 85 percent of the cyber risk in most enterprises is self-generated. This, in essence, means that when a malicious actor is trying to access the assets of an organisation, this ingress is enabled by an individual within that enterprise. This might be due to neglect, lack of awareness, ignorance or a moment of weakness/stress that gets exploited by the frequent and persistent attempts of the cyber criminal. It can also be more malevolent, where an employee is deliberately seeking to damage an organisation for their own benefit, or because they have become disenfranchised and feel justified in seeking revenge for what they deem was previous unfair treatment. Some clients of Behavox use the term “gone toxic”. The outcomes from these situations can be extremely messy.
By being introspective and looking through a different lens at the internal behavior of the enterprise, the organisation can go a very long way towards mitigating its inherent risk from insiders. In financial services, the monitoring functions have been established for many decades now, growing out of the compliance and risk departments to become specialised units looking for hard regulatory breaches that have become headline items, such as market manipulation and insider trading. This can be labelled generally as a historic, post-trade analytical role.
Identifying insider threat requires a more predictive approach: an ability to recognise proactive signals of unusual behavior that are leading indicators of risk. The focus in reducing risk, and potentially liability, is to be more pre-emptive.
What are the generic actions that can be defined as insider risk?
Again, this particular query requires some creative thought, as the ways in which insider action can put the company in jeopardy are manifold. A list that is far from complete would include: disclosure of confidential information; IP exfiltration; reputational damage through use of slander/malicious rumors; “unexpected” leavers.
What are the behaviors that signal imminent insider risk or vulnerability?
Strong signals that can be identified most easily in communication might include an abnormally high number of outgoing emails outside normal work hours, voice records containing abrupt interruptions or notable sentiment (e.g. whispering, anger, celebration), or communications with unusually high negativity. This can be supplemented with detection of behavioral anomalies in more structured data such as systems/printer logs, card swipes at unusual times, even trade data and corporate registers.
Other behaviors of particular note include financial stress, which can indicate someone close to burnout (mental health issues), or who is about to make a bad trading decision, or is perhaps becoming vulnerable to a competitor/predator who is offering this person a deal they might be unable to refuse. Unusually regular or lengthy interactions with competitors are often a very rich signal, as are instances where someone has become disengaged, no longer communicating with colleagues, coming in later and leaving earlier, and expressing “regret” in communication.
The last 45 days of a contractor or employee’s time at a firm is the most perilous for the corporation – this is without doubt the time window in which an employee is most likely to commit IP theft. It is vital that employees in the “departure lounge” are watched like a hawk. Printer logs and emails with attachments are usually the best place to start, as well as being alerted to people entering the office late at night or at the weekend.
Password sharing, internally and externally, is a classic mistake that is prevalent in every organisation and is relatively easy to detect. Many employees are under the misconception that they are just being “helpful” when sharing passwords, but this common activity exposes the organisation to enormous risk.
Are firms devoting enough resource to this internal vulnerability?
The short answer to this is “not at all”. One large firm we spoke to has 900 people working in Infosec but just 20 devoted to insider risk. There seem to be three levels of awareness and approach. The novices look at cyber as a cost of doing business, something that needs to be addressed to appease regulators and curious non-executive directors who ask stock questions to justify their position. The middle ground sees a much more mature approach, where firms look beyond the basic cases of cyber risk, focusing more on their own employees and data exfiltration by examining mail to personal domains with attachments. The really mature approach that is starting to prevail encompasses an exacting attitude to phishing, anomalous printing activity and awareness of those who are deeply stressed and close to becoming toxic, including looking into the context and content of communication.
Falling between two stools
One of the key problems related to insider risk is that the risk often does not fall neatly within the responsibility or domain of a particular department, function or individual. The variety of potential risk means that although different roles may identify individual cases of risk while going about their normal day job, it rarely falls squarely within their remit or responsibility to spot, escalate and remediate these cases. Is it something for Compliance, HR, Infosec or IT? The CISO? Or senior management?
Senior management may be best placed, but generally their lack of knowledge and comfort with the modern technical environment means they need to be working in lockstep with tech teams at their firms to be effective.
Behavox divided its Compliance offering into three distinct compliance modules (markets compliance; conduct/culture; insider risk) because the folks in compliance did not know how to deal with password sharing or IP theft – even though they know someone must value that insight and want to act on it.
People in the business need to think more about the worst case scenarios and where their individual risk lies. If IP assets are leaked, or certain people get manipulated, the loss can be existential. People are not attuned to this sort of risk yet. Who knows enough about the business to know where all the inherent risk lies?
A number of rogue traders were insider threats in the early stages of their tradecraft. Kweku Adoboli had sent out all the obvious signals at UBS before his trading became market abuse. He was disenfranchised a long time before the acts that led to his conviction. He had sent texts to his girlfriend saying “the boys have sold me down the river”, he had started to leave the office at a normal time and then return later at night, and he had become totally cut off from his team, only communicating with his manager and his girlfriend, having previously been a gregarious and well-liked team player. No one saw these warning signs or chose to question them, or indeed asked – in a very human way – if everything was alright with him. Firms need to be able to identify the risk, then categorise it, and then decide who must deal with it.
How can behavioral patterns complement existing defences like Splunk and Darktrace?
Some vendors, like Behavox, have started to help organisations with a progressive approach and mature view of the extent of insider risk in their own environment. These approaches combine holistic risk profiling, behavioral models and peer group analytics, leveraging Natural Language Processing and machine learning classifiers. The threat models compare an individual’s patterns to those of their peer groups, analyzing historical communication or log data and building a statistical model. The system identifies red flags that can be readily categorized, escalated, prioritized and actioned.
A number of relatively advanced firms are using threat indicator software like Splunk and Darktrace. This is an excellent first line of defense, offering infographics, metadata analysis and system logs, but it is only the first step, and firms need to be thinking about context and content in more depth. It might be that attachments have been sent out in large numbers, but of more interest is what was in them and the fact that they were sent to someone the firm’s systems have never interacted with before. The metadata signal can be supplemented with a behavioral pattern that shows this activity has perhaps never before happened during a weekend.
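As an added illustration (not Behavox’s product logic or code from this article), the following script scores the signals the article singles out – attachments sent off-hours or at the weekend, attachments to a domain the firm has never corresponded with, and a comparison of each person against their peer group. The 07:00–19:00 working window, the peer groups and the mail metadata are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-mail metadata: (user, peer group, ISO timestamp, recipient
# domain, attachment?). 11-12 March 2023 is a weekend. Not real data.
EMAIL_LOG = [
    ("alice", "trading", "2023-03-06T10:15:00", "broker.example", True),
    ("alice", "trading", "2023-03-07T11:02:00", "broker.example", False),
    ("bob", "trading", "2023-03-06T09:40:00", "broker.example", True),
    ("bob", "trading", "2023-03-08T12:30:00", "counterparty.example", False),
    ("carol", "trading", "2023-03-09T10:00:00", "broker.example", False),
    ("carol", "trading", "2023-03-11T23:10:00", "mailbox.example", True),
    ("carol", "trading", "2023-03-11T23:40:00", "mailbox.example", True),
    ("carol", "trading", "2023-03-12T02:05:00", "mailbox.example", True),
]
KNOWN_DOMAINS = {"broker.example", "counterparty.example"}  # prior correspondents (constructed)

def is_off_hours(ts):
    """Weekend, or outside an assumed 07:00-19:00 working window."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or t.hour < 7 or t.hour >= 19

def user_signals(log, known_domains):
    """Per user: attachments sent off-hours, and attachments to first-contact domains."""
    sig = defaultdict(lambda: {"group": None, "off_hours_att": 0, "new_domain_att": 0})
    for user, group, ts, domain, attachment in log:
        sig[user]["group"] = group
        if attachment:  # booleans count as 0/1
            sig[user]["off_hours_att"] += is_off_hours(ts)
            sig[user]["new_domain_att"] += domain not in known_domains
    return dict(sig)

def peer_zscores(signals, key="off_hours_att"):
    """Leave-one-out z-score of each user against the rest of their peer group."""
    by_group = defaultdict(list)
    for user, s in signals.items():
        by_group[s["group"]].append((user, s[key]))
    z = {}
    for members in by_group.values():
        for user, x in members:
            peers = [v for u, v in members if u != user] or [0]
            z[user] = (x - mean(peers)) / max(pstdev(peers), 1.0)  # std floor: no div-by-zero
    return z

def flag_users(log, known_domains, z_threshold=2.0):
    """Escalate peer outliers in off-hours attachment volume who also mailed a
    domain the firm has never corresponded with (the combination the text describes)."""
    sig = user_signals(log, known_domains)
    z = peer_zscores(sig)
    return sorted(u for u, s in sig.items() if z[u] >= z_threshold and s["new_domain_att"] > 0)
```

Flagging on the combination of volume, timing and first-contact recipient, rather than on any one metadata count, is what keeps this from paging on every colleague who works a late Friday.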
Too many executives think of cyber narrowly as ransomware or hacking. The biggest threat to your organisation might be the person sitting right next to you.
Recent studies have suggested that, on average, a breach instigated by an insider at a large corporation costs $5m to the enterprise once everything has been investigated, accounted for and remediated.
This now-universal key risk needs to be considered, identified and prevented holistically, on a much larger scale than currently. Major FTSE public companies did not report cyber attacks to authorities during the global WannaCry breach in order to avoid the reputational damage. Denial and an inability to admit these vulnerabilities are not helping to crack a global problem that will best be fixed collaboratively, and by matching the systemic, persistent, determined and creative approach being used by the cyber criminals themselves.