Some recent data compiled by Mike Gips (principal at Global Insights in Professional Security (GIPS) and formerly of ASIS) his colleague Lou Mizell suggests that the cost of insider threats globally is on the low side approximately $1.3 trillion dollars annually. Yes, that is Trillion with a “T,” and that is the low end of the estimate! All businesses are trying to manage risk, but a specific approach common to US Government labs like Los Alamos, Sandia, and Argonne is referred to as a Vulnerability Assessment. We held a recent webinar in our series on insider threats with Dr. Robert Johnston, author of the upcoming book, “Vulnerability Assessment: The missing manual for the missing link.” The key difference between the vulnerability assessment, and other types of security assessments, is the idea of envisioning the problem from the vantage point of the “bad guys.” You still do the penetration tests, the network scanning, security audits, red teaming, etc. but you also need to approach it a different way. All threats and risks are not results of vulnerabilities. Severe weather may be a risk and a threat, but it is not necessarily a vulnerability of your business. Risk assessments typically include vulnerability assessments and threat assessments. However, vulnerabilities are things you must address with imagination, and with consideration of the interaction between risk, threats, and your organization.
As an example, many companies do pre-hire background checks but don’t do them on an ongoing or periodic basis. The risk is that you hire someone that will be bad for your business, maybe a thief, someone with drug or alcohol problems, people with a history of violent behavior, etc. The vulnerability in the security system is that you never check again. In reality, people and their situations change over time and someone with a clean record can also become a threat. So what do you do to address the vulnerability? Potentially you re-do the background checks periodically, or at random, or for certain sensitive positions.
So how do you keep an ongoing handle on your vulnerabilities from insider threats? According to Dr. Johnston, the key is to have a good security culture. Security needs to be everyone’s concern, and it needs to be shaped by a common focus on the organizations’ security needs, not in a punitive way, but in a, “we are all in this common endeavor” way. People can notice that John or Mary seems stressed out lately and check in with them out of concern instead of being a Big Brother (or Big Sister). You can also strike that balance between being Big Brother and having a healthy security culture through transparency about what is being monitored inside and outside of the company and why. At iThreat, our threat intelligence programs help companies maintain that constant vigilance and balance by primarily looking for things outside an organization’s four walls, and virtual walls (networks) in the open and closed internet space. Companies need help gathering intelligence, but they may not want 3rd parties to assist with internal data collection. There are many facets to healthy security culture, but these are a sampling.
It was a fascinating discussion, and if you would like to learn more, you can view the recording here:
Sponsored by iThreat – Insider Threat Mitigation: A Vulnerability Assessor’s Perspective, Roger Johnston with Mike Gips.