2017 was full of the most largest and damaging cyber attacks in history. Equifax, Fedex, HBO, and many other large organizations got attacked. One of the common threads in many of the incidents from the past year was that in nearly all of them, an insider was the cause. Insider, in security jargon, refers to anyone who has privileged access to sensitive data inside your organization. Insiders your employees, managers, administrators, vendors, and executives. Everyone in your organization carries a degree of risk with them, some insiders more than others.
The difference of risk depends on a variety of factors that often separates malicious insiders from negligent insiders. In the case of negligent insiders one of the most important factors is an insider’s cyber security habits while online. For malicious insiders, the variables expand a lot more. Malicious insiders may have a grudge at work, they may have been working for another organization, or have political motivations. In either case the risk of insider threats exist and needs to be managed to avoid a cyber security incident. When it comes to cyber risk management considerations need to be integrated into your risk management framework. Thankfully there are a few frameworks that organizations with mature risk management practices follow. In this article we will explore the foundational pillars of cyber risk management and how to choose an appropriate framework.
Foundations of Cyber Risk Management
Risk management in general relies on three core pillars: governance, risk tolerance, and consistent policy. Without any one of these three in place, your risk management program will likely fail. Risk management is a developmental process, no organization is mature overnight. However, whether your organization is has very mature risk management practices or you are just beginning you will need to understand the pillars of risk management. Here they will be discussed in the context of insider threats and cyber security. When it comes to information technology often managers will not place as much emphasis on security. It is for this reason, the basics of risk management covered here will integrate cyber security and insider threats.
The most important aspect of cyber risk management are your decision makers. Your organization requires experts and key managers to assess the impacts of decisions related to risk measures. Risk management must involves the C-Suite (or Directors) and needs to be driven from the top-down to ensure full risk mitigation in the organization. The International Risk Governance Council has developed an introductory guide for developing a risk governance framework.
The guide mentioned above is great for getting the basics of risk governance together, however you will need to integrate cyber security. For this it would be best to turn to the guidance from the National Institute of Standards and Technology (NIST). While the NIST Cyber Security Framework is cited as the standard for cyber risk management among large organizations, NIST has developed a guide for small business to integrate information security considerations in their risk decisions. The items to consider are: (1) what data does your business use/store, (2) what is the value of that data, (3) what technology interacts with that data, and lastly (4) what threats and vulnerabilities impact that data. These items apply to organizations of any size and should be integrated into the risk governance process.
With a governance framework in place it is now important to understand what your risk tolerance is. Business objectives often have a significant influence on how much exposure companies are willing to tolerate. Financial risk is often where tolerance is brought in, but in the context of cyber security this means insider threats, technology adoption, privileges, and much more. How willing are you to expose your data to a set of insiders, such as new vendors or strategic partnerships? If a new technology comes in that may make your operations more efficient, does it offer permissions management? Is data encrypted in-transit? These are only a few of many questions that need to be asked, the core question being is this worth the risk. You should have an established risk tolerance statement along with ranges of acceptable risk. For cyber security you need to also ensure that whatever risk you may expose yourself to, that your systems can prevent any vulnerabilities. It is advised to keep your cyber risk exposure to an absolute minimum.
Lastly, your policies need to be enforced with consistency and enforced everytime. Policy development and enforcement has a significant impact on culture. If for example a designer is caught accessing a folder they were not supposed to and have their permissions revoked until further review, then the same needs to happen if a marketing executive does the same thing. Policy and procedure are the primary means of communicating expectations with employees, vendors, and partners. Each violation of policy increases the risk that an individual has to your organization.
Supporting Insider Threat Mitigation
The three pillars above need to be supported by technology. Thankfully there are solutions now that help with cyber risk management, by way of mitigating insider threats. Some of the supporting technologies include anomaly detection, policy violations, data loss prevention, monitoring, and IT forensics. Combined the technology is able to help a risk management team develop risk profile for each employee and department. With risk profiles developed, employees can be monitoring to see who is putting the organization at the most risk. Technologies can make identification of high risk insiders far easier than relying on training will.
Preparing for 2018
Last year was one of the worst and scariest as far as malware deployment goes. 2018 will likely be even worse. You want to make sure you are prepared by properly integrating cyber risk into your wider risk management frameworks. If you have not been practicing risk management, the practices and technology identified in this article should be a starting point for you. What has been described above was based on the foundations of the Resilience Management Model developed by the CERT division at the Carnegie Mellon Institute. You can download the entire model here. Have a safe 2018. Click below to learn more about Teramind.