As cyber and privacy threats continue to evolve and relentlessly plague today’s organizations, the 2017 State of Cybersecurity Report by cybersecurity firm Forcepoint focuses much-needed attention on the factors that create people-based risks, risks that can compromise even the most advanced and comprehensive cyber defense systems and privacy protocols. These insider risks are exacerbated by today’s mobile and remote workforce, which demands constant access to critical corporate data from a vast array of business and personal devices, and by an increased reliance on third-party service providers and business associates.
By understanding what Forcepoint calls a “cyber continuum of intent,” today’s companies stand a better chance of mitigating insider threats. The Report notes that social sciences are “helping us open doors into a new understanding of how users and cyber criminals operate at the intersection of behavior and data,” and that “[o]nly by taking a people-centric approach to security can we better understand, manage and mitigate organizational risk.”
Categorizing Insiders by Intent
The Report grouped corporate insiders into three separate categories: accidental, compromised, and malicious, and noted some typical behaviors associated with each group.
Accidental Insiders
This category applies to people who make unintentional errors. They may be inadvertent actors who lack awareness, are poorly trained, or act negligently. They may suffer from fatigue or burnout, making them susceptible to committing errors, like hitting the wrong computer key and sending documents to the wrong person. Convenience-seeker insiders break the rules, but not maliciously. They look for work-arounds or store data where they shouldn’t. They may feel that they “own” certain types of corporate data, like customer lists, templates, and scientific research, and they don’t believe that a cyber or privacy mishap could happen to them.
Compromised Insiders
This grouping applies to insiders whose credentials have been stolen and used by an outside attacker. The insider may have been the victim of a malware or phishing scheme, or their network credentials may have been stolen by an outsider who then impersonates them. The Report notes that passwords falling into the wrong hands remain one of the leading causes of network vulnerabilities, with 63% of known data breaches involving weak or stolen passwords.
Malicious Insiders
Two types of malicious insiders were identified: rogue employees and criminal actor employees. Rogue employees often have a grudge against their employer. They may have been model employees with long corporate tenure. They may feel that they are underpaid, or a recent situation — such as a bad performance review, an impending transfer or layoff, or a demotion — may trigger malicious behavior. They may copy, steal, delete, or corrupt data, or make unauthorized purchases. They may continue to access corporate networks after they’ve left the company. Some rogue employees are influenced by external parties to steal corporate data. Criminal actor employees may conduct corporate espionage or work for foreign nationals or organized crime syndicates. These individuals are often motivated and knowledgeable, and their access to the company’s offices and networks can make them even more dangerous than external threat actors. They may sell corporate data, or offer private information, such as the home address or social security number of a high-ranking corporate employee, to the highest bidder or tabloid.
Factors Influencing Insider Intent
The Report identified key social factors that can affect any given insider’s cyber intent, including:
- Work environment;
- Ability to handle stress;
- Financial situation;
- Satisfaction with the company;
- Security awareness;
- Personality traits;
- Attention to detail;
- Confidence level;
- Time with the company; and
- Knowledge of best practices.
The importance of these factors cannot be overstated, since only a minority of attackers deliberately enter an organization with malicious intent. According to the Report, “the majority of malicious insiders fall into the rogue or criminal actor categories because of either internal or external pressures and dissatisfaction with their job.”
Combining Technology and Social Sciences
The Report notes the 2016 warning by Douglas Maughan, head of cybersecurity research at the US Department of Homeland Security: “We’ve had too many computer scientists looking at cybersecurity, and not enough psychologists, economists and human-factors people.” Although traditional security controls were not designed to gain visibility into user behaviors, newer technologies have been developed to help companies better understand human behaviors and intent when users interact with corporate data. But, the Report states, technology alone is not enough. It notes the results of a 2017 Forcepoint survey of 1,252 cybersecurity professionals worldwide, which found that only 40% of respondents felt that they had extremely good or very good visibility of critical business data across company- and employee-owned devices and services. Only 31% felt that big data analytics tools were extremely or very effective in helping them to understand human behavior, and just 28% said that those tools enabled them to understand intent.
Combining newer technology with an enterprise approach focused on human factors and the circumstances that can give rise to harmful cyber intent is likely to be most effective in preventing and mitigating insider risks. The Report concludes, “Modern and proactive HR processes must play a role, both from a detection and prevention standpoint. The trick, however, is to support HR via the intelligent use of analytics and mature insider threat programs — and vice versa. Technology is not the end of the story, but it is the enabler that brings it to life.”