Organizations typically respond to insider threats with pre-employment screening, security awareness training, and a set of policies to execute once a leak has happened. These measures are all reactive. The opportunity for security firms lies in the preventative tools and methods that organizations can use to stop insider incidents before they occur. That requires behavioral analysis and an understanding of people, not just new technology.
So how large is this opportunity? According to Bloomberg Government, it is a $1 billion opportunity in the public sector alone. With private-sector firms scrambling to stay compliant in order to keep their government contracts, there is no better time than now to offer services to public and private organizations seeking to insulate themselves from the risk of a data breach.
VARs need to understand three things before seizing this opportunity: what VARs know, what clients need, and where the information gaps are. Put another way, this means continuous analysis of the security topic itself, analysis of each client's industry context, and nudging companies beyond compliance.
Insider Threats: Current Knowledge
As of 2017, insider threats remain the leading cause of data breaches. Insiders can be malicious, or they can cause a breach accidentally through negligence. They can be on-site employees, remote workers, or high-privilege administrators. What should be emphasized is that an insider is a person, not only a technical issue. Traditional controls such as passwords, firewalls, and key cards verify that a credential is valid, not that the person holding it has honest intent, so a legitimate user walks through them by design. Even non-privileged users can get past these hurdles.
Although technology was the focus of insider threat mitigation for a long time, many organizations are now well aware of the importance of behavioral analysis and of recognizing the indicators of a potential insider threat. One can quickly get up to speed by reviewing the Common Sense Guide to Mitigating Insider Threats from CERT. Baselines of normal activity need to be established per user so that sudden changes in behavior stand out against them. With a grasp of current knowledge and best practices, VARs can identify some of a client's needs before getting into the details of their situation. Staying current on insider threats also positions VARs as experts in information security, because they are focused on the leading threat across sectors, and keeping your firm up to date keeps you ahead of the competition when pitching or engaging clients. This means following information security journalists, blogs, experts, and analysts so you understand what is happening in the space your firm operates in.
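To make the baselining point concrete, here is an added example (not from the original page or from the CERT guide) of the simplest form of that idea: build a per-user baseline of daily file-read activity over a training window, then flag a day whose count, volume, or after-hours activity rises well above that user's own norm. The log format, user names, share paths, the "after hours" window, and the thresholds are all constructed assumptions for illustration.

```python
"""Per-user behavioural baselining with z-score deviation alerts.

Added example, not from the original page: the log format, user names,
thresholds and the "after hours" definition are all constructed for
illustration. Events are: ISO timestamp, user, action, object, bytes."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

METRICS = ("reads", "bytes", "after_hours")


def build_sample_log():
    """Constructed sample: five quiet days for two users, then a sixth day on
    which alice reads far more, from a new share, partly late at night."""
    lines = []
    quiet = {"alice": [2, 3, 4, 3, 3], "bob": [5, 5, 6, 5, 5]}
    for user, counts in quiet.items():
        for day, n in enumerate(counts, start=1):
            for i in range(n):
                lines.append(f"2017-03-{day:02d}T{9 + i:02d}:15:00 {user} READ /share/finance/doc{i}.xlsx 40960")
    for i in range(5):  # bob's sixth day looks like every other day
        lines.append(f"2017-03-06T{9 + i:02d}:15:00 bob READ /share/finance/doc{i}.xlsx 40960")
    for i in range(8):  # alice: more reads than usual, from the HR share
        lines.append(f"2017-03-06T{9 + i:02d}:15:00 alice READ /share/hr/doc{i}.xlsx 40960")
    for i in range(4):  # ...and four large pulls between 22:00 and 22:30
        lines.append(f"2017-03-06T22:{i * 10:02d}:00 alice READ /share/hr/export{i}.zip 409600")
    return "\n".join(lines)


def parse_log(text):
    """Yield (timestamp, user, action, object, bytes); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, obj, size = parts
        yield datetime.fromisoformat(ts), user, action, obj, int(size)


def daily_metrics(events, day_start=7, day_end=19):
    """Aggregate per user, per calendar day: read count, bytes read, after-hours reads."""
    out = defaultdict(lambda: defaultdict(lambda: dict.fromkeys(METRICS, 0)))
    for ts, user, action, _obj, size in events:
        if action != "READ":
            continue
        m = out[user][ts.date().isoformat()]
        m["reads"] += 1
        m["bytes"] += size
        if not day_start <= ts.hour < day_end:
            m["after_hours"] += 1
    return out


def baseline(training_days):
    """Mean and spread per metric over the training window. The spread is floored
    so a perfectly constant baseline (e.g. zero after-hours reads every day) does
    not divide by zero or turn a one-event blip into an enormous z-score."""
    base = {}
    for metric in METRICS:
        values = [d[metric] for d in training_days]
        mu = mean(values)
        spread = max(pstdev(values), 0.05 * mu, 1.0)
        base[metric] = (mu, spread)
    return base


def score_day(day, base, z_threshold=3.0):
    """Return {metric: z} for metrics that rose above the baseline by z_threshold spreads."""
    flagged = {}
    for metric, (mu, spread) in base.items():
        z = (day[metric] - mu) / spread
        if z >= z_threshold:
            flagged[metric] = z
    return flagged


def detect(log_text, train_days=5, z_threshold=3.0):
    """Build each user's baseline from their first train_days days and score the rest."""
    metrics = daily_metrics(parse_log(log_text))
    findings = {}
    for user, by_day in metrics.items():
        days = sorted(by_day)
        if len(days) <= train_days:
            continue  # not enough history to both train and score
        base = baseline([by_day[d] for d in days[:train_days]])
        for d in days[train_days:]:
            flagged = score_day(by_day[d], base, z_threshold)
            if flagged:
                findings.setdefault(user, {})[d] = flagged
    return findings


if __name__ == "__main__":
    for user, days in detect(build_sample_log()).items():
        for day, flags in days.items():
            print(user, day, {k: round(v, 1) for k, v in flags.items()})
```

On the constructed data, bob's sixth day scores within his own baseline and produces nothing, while alice's sixth day is flagged on all three metrics. Two caveats matter in practice: the baseline is per user, so a job change or a new project legitimately shifts it and the window must be refreshed, and a single day's deviation is an indicator to investigate alongside the non-technical signals the CERT guide describes, not proof of malice.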
Understanding Client Context
When engaging a client, VARs do not speak to an organization; they speak to people with particular roles and anxieties. These cannot be generalized, or no effective solution will be produced for them. Trust is the critical element here. CIOs have their own concerns, but it is important to at least ensure that the C-suite is united in preventing data breaches, and that can only happen if VARs can communicate what a breach would mean for each executive's department. Remember that the goal is to win the client's trust, which is done by instilling confidence rather than fear in a sensitive situation, especially if the organization has already been through a breach.
Beyond the organization's specific situation, clients will also want to be certain that their vendor has a deep understanding of their industry. This is why it is important to stay current on what insider threats mean for each industry that VARs are targeting. Make sure the data you base your analysis on is accurate, and that you can develop deeper insights than the CIO can. Speak to their latent security needs rather than the easy wins. Security is a serious issue that calls for someone who can help with process change management throughout an organization, which requires confidence and buy-in from the C-suite, paired with the language needed to communicate the process change to middle management and education for the whole organization.
Beyond Compliance: Client Education
Unfortunately, compliance is often what motivates the private sector to change its processes. But compliance requirements are produced reactively and typically trail best practice by a few years. One example of this dynamic: in 2016 the Department of Defense set new requirements for contractors aimed specifically at insider threats, yet what it required was already out of date, and information security experts saw it as not strong enough to prevent another massive data breach. Relying on regulation alone will not produce a secure environment for either the public or the private sector.
No client is an island, and as an industry there need to be expert information security organizations, such as yours, that take the proactive step of providing insider threat education to client industries. You cannot provide that education if your organization is not up to date on the latest best practices and vulnerabilities. Education serves two purposes at once: the betterment of the whole community, and positioning. Client organizations need to understand the risk of not proactively detecting threats, and if you are the firm that makes them aware of that risk, you will reap the reward of helping them defend against it.
In the information security space, the key to boosting revenue and creating new business opportunities is education and trust. Keeping your firm up to date on the latest vulnerabilities and best practices ensures that you can share that knowledge with the industries you engage with. This builds trust and confidence in a space where both are increasingly hard to find.