September is Insider Threat Awareness Month and we’re celebrating with an interview of our Insider Threat Services Lead, Nazia Khan.
What fuels your passion for delivering insider threat services?
There’s been a lot of talk for a long time about Insider Threat, but companies have only started getting serious about it in the last several years. I love being on the forefront of something "new."
The other reason I get excited about Insider Threat is the social and behavioral science aspect of it. I always found sociology and the study of human behavior fascinating. Crafting security solutions that address the unpredictable human behavior element of the insider challenge makes it so interesting.
What is the most significant thing you think other cybersecurity professionals can learn from Carnegie Mellon’s ITVA certification program?
Learning from real insider threat cases, not just reading about hypotheticals, really drove home the realization that organizations can put things in place, such as training, monitoring, and policies, to prevent malicious and non-malicious insider activities.
In your experience, what is the biggest misconception among organizations when it comes to managing insider threat risk?
Many companies believe most insider risk is maliciously motivated. The truth is that employees, with no malicious intent, are unintentionally posing the greatest risk to a company. A lot of the time it's users who are unaware they're violating a policy. A classic example is when an employee leaves to work for a new company and takes work products they created with them. This happens because they are unaware of—or misinterpret—the rules that govern what’s theirs versus what belongs to the company. It’s wrong, it’s risky, but it may also be unintentional.
What about the employee who knows what they’re doing is wrong, but doesn't care?
This is where technology and culture come in. A monitoring tool is important, but companies can’t manage insider threats just by plugging in a tool and monitoring people's behaviors. There needs to be strong organizational participation—everyone needs to make safeguarding their company’s assets, IP, network, etc., a priority. And so much of the non-behavioral aspects can be addressed with technical controls, and that's something that needs to be understood when thinking about building out a program. It’s important to promote a culture where employees are a part of protecting the work they produce, the building they work in, and the colleagues they team with.
When a client wants to put an insider threat program in place, where do you start?
Our approach is to meet them where they are—see what they have in place and figure out how we can build on existing processes and tools to make them work for insider threat. It's very daunting to think about starting a new program, or assigning resources or buying tools, especially if they don’t have the budget. We’re all about building on what clients have, then we chart out a long-term plan, identify what they are willing to commit to and when, and help them get there step-by-step. I think this approach is what makes our service offering so unique.
What’s a critical piece to insider threat program success?
Training and awareness are key, along with using the right vocabulary. When employees hear “insider threat” they might think they're being targeted or watched. Training and awareness should focus on helping employees see the role they play in making sure the company and its assets and information are being protected.
Beyond individual employees, it's really important to train the insider threat stakeholder business unit members. HR, analysts, legal, etc. should all be well-versed in how their functions relate to the overall insider threat detection and mitigation program. This is important because some of the same indicators that might lead to an insider threat investigation can also be indicators of potential workplace violence or suicide, and it is another engagement point that can get employees the right assistance before a risk becomes a significant issue.
What tools should organizations invest in for their insider threat program?
When organizations think about starting an insider threat program, many immediately think the only way they can start is to purchase a UEBA tool. But that's not always feasible for multiple reasons.
First, UEBA tools are very expensive. Second, it takes months to years to get it fully integrated into an environment. And third, companies may not have buy-in from senior leadership to purchase the tool immediately.
It’s more practical and resourceful to consider the current technologies before making new investments. What tools and programs does a company have that can be leveraged for an insider threat program? Can monitoring tools be configured to reduce your risks? My team really enjoys taking a deep dive into a client’s toolset and showing them how configurations can be strengthened and tailored to insider threat use cases.
Your insider threat program may be closer than you think.
Meet with Nazia and the team to discuss quick wins that could advance your insider threat program objectives.