If you ask any security expert about the primary source of cybersecurity risks, most of them would say that it’s human behavior. Whether it’s through intentional or unintentional actions, humans are ultimately the root of almost all security risks, and it’s not the hooded figures depicted in television and movies that cause the most problems.
Most cybersecurity risks come not from criminal organizations or “script-kiddies” hacking away at external company resources, but from within the organizations themselves. They are primarily unintentional, such as when a developer introduces a vulnerability in the code, a financial analyst uses an easy-to-guess password, or the CEO falls for a phishing attack. But there are also intentional malicious actions, such as when a disgruntled employee is lured by a competitor to expose the company’s intellectual property. Such cybersecurity risks, known as insider threats, make it much easier for any criminal agents to reach their target and obtain valuable sensitive information.
Out of all the aspects of cybersecurity in an organization, insider threats are probably the most challenging to handle, and one reason is that the level of insider threat awareness in many organizations is severely lacking. Businesses tend to focus their cybersecurity efforts on acquiring tools such as antivirus software, firewalls, and application/network protection, all of which primarily aim to make it harder for an external attacker to penetrate the organization’s IT environment, or to spot such attempts and prevent them. A company that focuses this heavily on external risks exposes itself to serious insider risks. A balanced approach that addresses both external risk and insider threats is needed.
The difficult balance between trust and control
One of the most challenging dilemmas for any kind of insider threat program is how to strike the perfect balance between trust and control. Unfortunately, effective insider threat awareness and mitigation requires a certain degree of supervision, and such supervision may not be appreciated by the employees, who would prefer to work in an environment where they feel that they are trusted and free to do as they like. This is often the area where human resources managers clash with security managers, as one of the goals of human resources is to help retain employees, and the main goal of security departments is to make certain that security risks are under control through effective programs that may make employees less happy.
Nowadays, employees are often unhappy about any type of limitation imposed on them by the company when it comes to such things as computer control and resource access. An employee would prefer to have full administrative rights to their company laptop, or to work from their comfortable home desktop computer with two monitors, especially if they are in a technical role. Unfortunately, this conflicts sharply with internal security, and what employees may misinterpret as a lack of trust is often a regulatory obligation.
Last but not least, employees will not be happy working for a company if they feel that they are constantly suspected of either being potentially malicious insiders or of being irresponsible and falling for scams that could expose company information. Therefore, insider threat mitigation and awareness programs must be very carefully designed so as not to make the employees feel like they’re being constantly watched, or prevented from doing even the simplest actions on their computers. Otherwise, they are likely to start looking for other work opportunities, causing the organization to have to spend time and money finding and training replacements.
The balance depends heavily on the organization. A private company can be more lax in this approach than institutions dealing with national security, such as the Department of Defense (DoD). That is why programs associated with the National Insider Threat Task Force, like the Center for Development of Security Excellence (CDSE) – a Defense Counterintelligence and Security Agency program – teach that every potential security risk, such as a colleague mentioning a potential gambling addiction, must be reported. A similar approach can be seen, for example, in a 2021 Defense Contract Management Agency (DCMA) webpage post, which bluntly states, “See something, say something.” On the other hand, if such harsh recommendations were given to employees of a small private company, it could make them feel very uneasy, be perceived as an incentive to become informants against their colleagues, and cause the company to lose very valuable people.
Insider threat awareness training: the good, the bad, and the ugly
Good insider threat awareness within the organization requires training for all employees, and the sad truth is that this topic is often skipped or skimmed through in onboarding training courses and exercises. Also, let’s be honest, who truly pays attention to those obligatory onboarding videos and simple questions you must go through when starting a new job, and who remembers them even a day after? Most of today’s training is ineffective and not perceived as valuable by those being trained.
Implementing effective insider threat awareness training is much more difficult than teaching employees about external threats, because it’s very easy to portray the external “hooded figure,” the evil hacker who wants to use you and take the company’s money. It’s not so easy to portray a colleague who was bribed by a competitor to sell internal secrets, or another who made a mistake and accidentally exposed the internal database to threat actors. Therefore, insider threat awareness training content must be prepared very carefully so that trainees realize the video may be talking about them, without feeling offended by it.
Finally, if the company wants more than just to deliver obligatory training to meet regulatory compliance, a simple training video is nowhere near enough – its training effectiveness is very low. Even simple multiple-choice questions at the end, which can be attempted several times, are not going to help any kind of security awareness within your organization. Unfortunately, security training and testing must be made at least a bit difficult for the trainee, which may mean making trainees less happy and, for example, upset about wasting their time that could be otherwise spent on “more important job tasks.”
So, what’s the perfect formula? It must, of course, be adjusted to the requirements and specifics of the company, but every employee in your organization should undergo obligatory security training. That training should include a strong focus on insider threats; insider threats should be portrayed so that trainees are aware, but not offended, that the training is potentially talking about them; and the training should be followed by a relatively difficult test that, if failed, requires the trainee to repeat the material together with a proctor instead.
Striking the right balance through DLP
It seems like insider threat awareness is all about problems and dilemmas, and it feels like it’s difficult to handle them well. There is, however, a class of tools that may help you strike that right balance – Data Loss Prevention (DLP) software. DLP lets you implement protection and alerting exactly where it’s needed and in a way that is least likely to cause employees to feel untrusted.
The key concept behind DLP is to make it impossible for employees to perform tasks that are likely to cause risks. Here’s an example of an employee who works with sensitive data, such as patient information, in a health clinic. To work with this data, the employee must be trusted enough to access it, and having access only from a work computer with a strong password and biometric multi-factor authentication is unlikely to cause that employee any concern. However, once the employee has access, they become a potential insider threat. For example, they may decide to send that patient data to their private email so they may have a look at the data on their personal phone while they’re commuting. Such action is a breach of regulatory compliance and may cause that data to be exposed to third parties, for example, if the phone is lost or stolen and not properly encrypted/locked.
DLP software, in such a case, acts as a barrier against those risky actions. The employee in our example could work with the data openly on their work laptop and process it in any way. However, if they try to send it via email to their private address, or share it to their private accounts or devices via social media or messaging tools, they will be stopped from doing so. Additionally, DLP software can be configured to immediately raise an alert with the security/IT department, which can review user activity logs or discreetly turn on stronger monitoring without the user’s knowledge and without the risk of the user feeling that their privacy rights are violated.
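To make the policy described above concrete, here is an added example of the decision logic a content-aware DLP rule applies to an outbound message: detect sensitive content, check whether every recipient belongs to a trusted domain, and either allow the message or block it and raise an alert for the security team. This is illustrative code written for this article, not Endpoint Protector’s or any other product’s implementation. The trusted domains, the `PAT-123456` patient identifier format, the date-of-birth pattern and the sample messages are all constructed assumptions; a real deployment would use the classifier and channel coverage (email, messaging, removable media) of the DLP product itself.

```python
import re
from dataclasses import dataclass, field

# Hypothetical organisation domains that are allowed to receive patient data (assumption).
TRUSTED_DOMAINS = {"clinic.example", "partner-lab.example"}

# Constructed detectors standing in for a real DLP classifier:
# a hypothetical patient identifier "PAT-" followed by six digits, and a date of birth.
PATIENT_ID_RE = re.compile(r"\bPAT-\d{6}\b")
DOB_RE = re.compile(r"\b(?:DOB|Date of Birth)[:\s]+\d{2}/\d{2}/\d{4}\b", re.IGNORECASE)


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class Decision:
    action: str                 # "allow" or "block"
    alert: bool                 # True when the security/IT team should be notified
    reasons: list = field(default_factory=list)


def classify(text):
    """Return the sensitive-data categories found in the text (empty list if none)."""
    found = []
    if PATIENT_ID_RE.search(text):
        found.append("patient_id")
    if DOB_RE.search(text):
        found.append("date_of_birth")
    return found


def domain_of(address):
    """Extract the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def untrusted_recipients(recipients):
    """Recipients whose domain is not in the allow-list, e.g. a private webmail account."""
    return [r for r in recipients if domain_of(r) not in TRUSTED_DOMAINS]


def evaluate(msg):
    """Apply the DLP rule: block sensitive content headed to an untrusted domain and alert."""
    categories = classify(msg.subject + "\n" + msg.body)
    external = untrusted_recipients(msg.recipients)
    if not categories:
        # Nothing sensitive: the employee keeps working without interference.
        return Decision("allow", False, ["no sensitive content detected"])
    if not external:
        # Sensitive, but staying inside trusted domains: allow, no alert.
        return Decision("allow", False,
                        ["sensitive content (%s) but all recipients trusted" % ", ".join(categories)])
    # Sensitive data leaving the trusted perimeter: stop it and notify the security team.
    return Decision("block", True, [
        "sensitive content: " + ", ".join(categories),
        "untrusted recipients: " + ", ".join(external),
    ])


def alert_record(msg, decision):
    """Build the audit/alert entry the security team would review (constructed format)."""
    return {
        "sender": msg.sender,
        "recipients": list(msg.recipients),
        "action": decision.action,
        "reasons": list(decision.reasons),
    }


if __name__ == "__main__":
    # Constructed sample: a clinic employee forwarding patient data to a private mailbox.
    sample = OutboundMessage(
        sender="nurse@clinic.example",
        recipients=["me.personal@webmail.example"],
        subject="patients for tomorrow",
        body="PAT-123456, DOB: 01/02/1980, follow-up visit",
    )
    decision = evaluate(sample)
    print(decision.action, decision.alert, decision.reasons)
    if decision.alert:
        print(alert_record(sample, decision))
```

The same message sent to a colleague at a trusted domain passes without generating an alert, which is the point made in the text: the control only intervenes at the risky action, so the employee does not feel watched during normal work.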
If you want insider threat awareness done right, DLP software should be high on your priority list. Endpoint Protector by CoSoSys is specifically tailored to focus strongly on helping you discover and mitigate insider threats. You can request a demo here.