Insider Threat Remains a Top ConcernIndia Inc. Shares Insights, Recommendations on Insider Risks
In recent years, reports have highlighted the insider threat as being one of the biggest concerns for security practitioners not just globally, but specifically in India. I had the opportunity to speak with a large group of practitioners in Bengaluru several weeks ago on the subject to explore this premise. The focus was on how big the insider threat is in India and how enterprises are addressing the issue.
The discussion took place at The Data Breach Summit, organized by ISMG in Bengaluru, where I was the moderator of a discussion titled "InfoSec Conversations," conducted in the world café format. The participants were all security professionals; practitioners from Bengaluru and other parts of India, as far north as the NCR. (Also See: Mobile Security: Still a Leap of Faith)
While you may incentivize good behavior and adherence to policy on the one hand, and penalize via punitive measures on the other; if it is possible to get away with it, chances are, someone will attempt to.
Not surprisingly, there is near unanimous agreement from our relatively large sample for the discussion - close to 60 participants - that insider threat is, in fact, their biggest challenge. The conversations have resulted in some prominent themes being repeated across the group, as well as some subtler insights, which are shared below.
Insider Threat Ranks High
Participants agree insider threat impacts the brand, IP, business sensitive data, and is very much a legitimate business risk for India. While technological and point solutions might be in place to catch some of these threats, the processes, policy and enforcement have not caught up in their maturity. Our discussions suggest that the nebulous policy structure itself is cause for concern for many organizations, because this means that the correct incentive or punitive deterrents are not being formulated, much less implemented, to thwart insider threats.
A clear example seems to be the cellphone and mobility wave. Organizations are challenged to come up with feasible ways to segregate business and personal information and interactions. And then enforcing these policies. Many companies choose to deal with the mobility aspect of the insider and data security challenge by simply mandating the use of separate devices for business - owned and managed by the organization. This is admittedly a compensatory control and does not address the core issue, which is the human element.
Insider fraud comes in two broad flavours: one is the deliberate attempt to defraud one's organization, and the other is an individual inadvertently becoming a conduit for fraud, or a risk vector for an organization through lack of awareness or negligence - The naïve employee that gets pwned. (Also See: Insights on Detecting Insider Threats)
Insider threat has a direct financial impact, and every company is cognizant to this fact. "For instance," says Sanjay Aurora, Managing Director, APAC, Darktrace, who was part of this discussion, "If I lose my IP today, I'm finished. Insider threat is very legitimately a business-critical issue. And the bigger challenge here is the inadvertent risk from naïve, unprepared employees."
Practitioners I have spoken to agree unanimously that the insider threat remains the biggest challenge for India Inc, ranking above other contemporary issues today such as APT, DDOS, Ransomware and others, even for small enterprises. For most organizations trying to combat insider issues, the effort-to-risk ratio seems to be high. Maintaining basic hygiene is the bare minimum organizations need to do.
Low on Awareness, High on Sensitivity?
Employees/insiders have easy access to information, whereas covering every base and identifying every insider risk is a difficult proposition. Behavioral analytics might help in identifying artifacts and anomalies that malicious insider activities might throw up, participants agree. However, as with a determined external attacker or an APT, a determined insider is dangerous and will likely find ways to circumvent controls and avoid detection - especially given the level of direct access they have. An insider with malicious intent is not a blind threat actor, and has the advantage of sensitive inside information - full intel on business practices and loopholes, and knowledge of individual personalities and behavior patterns.
However, practitioners say that in many cases organizations in India are sensitive about monitoring employees, believing this might lead to an erosion of trust and resentment if employees are subjected to a zero-trust environment. Many choose to brush these issues under the carpet. This isn't the case across the board - mature organizations are opting to monitor individuals working in high privilege environments, irrespective of any morale issues.
But, while intentional insider fraud can be dealt with using people, process and technology, unintentional and inadvertent insider risk remains the unknown, practitioners agree. Awareness and employee education is key here. The discussions at large seem to indicate that most organizations in India are at different stages of maturity when it comes to educating employees. With technology enabled business, IT/ITES and regulated verticals on one end, petering out to verticals like manufacturing and others, including the SMEs space. (Also See: What is Unintentional Insider Threat?)
Most agree that technologies such as DLP alone cannot alone be an effective control to handle insider risk. It has to be a workable combination of business and technology measures to combat all aspects of the insider issue. Visibility helps here, and one solution is to leverage as much analytics as possible, attempting to build a comprehensive picture of the organization's business environment and risks. Having controls such as role-based access management and DLP certainly cannot be ignored out of hand, however following operational best practices, above and beyond technology, is a must.
The key is to have a holistic approach involving all business stakeholders; to communicate the awareness of good business practices; define responsibility, transparency and accountability; and finally to prescribe penalties, whether internal/diciplinary consequences or legal action.
One recommendation is to publish the do's and don'ts for employees, and clearly defining and communicating the disciplinary action required in such cases. Some have found it effective to conduct drills and mockups of such insider breach situations to determine where the gaps are. This also helps in ensuring that all stakeholders are communicating efficiently in such scenarios.
That the human element is the weakest link in the chain has always been one of the biggest clichés in security. But it is also the one issue with no solution in sight. More automation is the key, maybe. But even so, while you may incentivize good behavior and adherence to policy on the one hand, and penalize via punitive measures on the other; if it is possible to get away with it, chances are, someone will attempt to. (Also See: How to Identify the Insider Threat)
It ought to be a sobering thought for any practitioner that as long as business exists and depends on technology - which is to say the foreseeable future - human nature being what it is, there seems to be no permanent and complete solution to insider threats. It promises to remain a vicious carrot and stick scenario. The bright side is practitioners needn't every worry about being out of work.
Watch out for more such discussion at our upcoming summits in Mumbai, Delhi, Dubai & Singapore, on a wide range of contemporary information security issues. Our attempt with "InfoSec Conversations" has been to let all attendees at our conferences share their voice in building a candid, ground-zero image of the security landscape in their geographies. If you have attended these session at our previous summits, do share your feedback using the email link above. You can suggest topics, themes and what we can do better. If you'd like to attend such a session, keep an eye out for our next event in your region. See you there!