We can’t all manage the insider threat like Willy Wonka!
Managing the threats from within
As a child I have fond memories of reading Charlie and the Chocolate Factory and when I was recently invited into a local school to assist with children’s reading, I found myself once again with this book in hand and lost in the wonder of Wonka’s chocolate and finding the golden ticket. What a glorious read.
It was during the reading of one of the preliminary chapters that I realized I was losing concentration and thinking about the paragraph I had just finished and its relevance today in managing the risks posed by the insider threat within our companies.
The passage was as follows:
Grandpa Joe – ‘You see, Charlie,’ he said, ‘not so very long ago there used to be thousands of people working in Mr Willy Wonka’s factory. Then one day, all of a sudden, Mr Wonka had to ask every single one of them to leave, to go home, never to come back.’
‘But why?’ asked Charlie. ‘Because of spies.’ ‘Spies?’
‘Yes. All the other chocolate makers, you see, had begun to grow jealous of the wonderful sweets that Mr Wonka was making, and they started sending in spies to steal his secret recipes. The spies took jobs in the Wonka factory, pretending that they were ordinary workers, and while they were there, each one of them found out exactly how a certain special thing was made.’
Spies. Industrial espionage. In short, Mr. Wonka was being ripped off by an aggressive insider threat agenda driven by the competition. His trade craft, trade secrets and IP were walking out of the door and being replicated by the unscrupulous competition. Wonka’s response? Sack everyone. Close the gates. Employ an army of Oompa Loompas.
(Just on the actions of Wonka and employing the Oompa Loompas - firstly, why would a company seek to remove its most valuable asset, its employees – what folly! Secondly, it contravenes every employment law known to industry (clearly absent in 1964). Thirdly, Wonka was clearly not running a robust Operational Resilience / Security function that had a controls-based framework to secure his assets, ideas and intellectual value. Finally, the recruitment of Oompa Loompas is a scary notion not just because they appeared from nowhere complete with bright orange skin and green hair but because they’re minions with no name who live within the factory under a paternalistic protection relationship with Mr. Wonka. Strange indeed, and it reinforced Mr. Wonka’s inability to recognize the talent of the staff he employed and the role they can play in managing an insider threat program.)
What is an insider threat?
Back to the insiders in Wonka's chocolate factory: who are they? The CERT definition of an insider threat is ‘the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization’. This definition covers:
- Malicious and non-malicious (unintentional) insider threats
- Cyber and physical impacts
From the definition it is clear that even the well-intentioned employee or contractor can present himself or herself as an insider threat, simply by clicking on a hyperlink that injects malware into the OT or enterprise network. According to the Ponemon Institute’s “2018 Cost of Insider Threats” report, the average cost of insider-caused incidents was $8.76 million in 2017 — more than twice the $3.86 million global average cost of all breaches during the same year.
The Oliver Wyman report, The Increasing Threat from Inside, states that nearly 75% of companies believe they have appropriate controls to mitigate insider threat – but more than 50% of companies had a confirmed insider attack in the past 12 months.
Why would someone seek to carry out an insider attack?
This is not a straightforward question and motives are numerous and complex. However, the list below shines a light on just some of the indicators of a potential insider:
- Ethical flexibility
- Reduced loyalty
- Entitlement – narcissism – ego
- Introversion
- Greed / financial need
- Intolerance of criticism
- Self-perceived value exceeds performance
- Vulnerability to blackmail
- Pattern of frustration and disappointment
What should Mr. Wonka have done to prevent the loss of his trade secrets?
Managing insider threat is a complex, multifaceted and cross-functional exercise that will reach into most if not all functions within your company. Having a ‘policy and standards stack’ is not enough. There is difficulty in spotting the threat, which is why there is a premium placed on process and education, over that of technology.
Implementing an effective insider risk program requires a design tailored to the specific culture, processes, and risks of your organization. It starts with the identification of the risk exposure and the business impact of the risk. Once the “crown jewels”, the most important assets (physical and / or virtual) and associated insider risks are identified, a pilot can be designed to mitigate these risks. It is important to start small and focus on a clearly defined high-risk employee sub-group to work through the organizational issues that need to be solved.
The Common Sense Guide to Mitigating Insider Threats (fifth edition, published by the CERT Insider Threat Center) offers a guide to best practice. Some of the key practices from the document include the following points, and the first point is arguably the most important:
- Know and protect your critical assets
- Create a culture of awareness throughout the company. Develop training from the Board level down. Create focused leadership sessions that enable leaders to identify the insider behaviors.
- Develop the governance framework to formalize an insider threat program
- Develop repeatable and reportable processes that capture suspicious behaviors from the point of hire to fire
- Have a social media monitoring program
- Create a culture of ‘it’s OK to say’
- Create a robust access rights management process for data and systems
- Close the doors to unauthorized data exfiltration
- Monitor and control remote access
- Extend your controls and awareness to 3rd parties
- Enforce separation of duties and least privilege
In addition to the above, there are key success factors for an effective insider threat program. Understanding what contributes to and supports success is fundamental in measuring and reporting progress. Whilst these factors are numerous, the five listed below highlight why success is not just about controls:
- Governance and organization: Clear articulation of the oversight and agreed operating model
- Execution and program management: Processes and controls that cover the end-to-end lifecycle of insider risk management in line with the organization’s risk appetite
- Data, technology, and tools: Foundational capabilities that support the management of insider risk
- Information sharing: effective cross-functional interaction model to address legal, ethical, cultural, and privacy concerns, and understand what is required to “get to agreement”
- Continuous improvement: Mechanisms to integrate learnings from past events and to evolve the program in line with the changing risk exposure
In Conclusion
An insider threat program is crucial for any organisation. Designing and implementing an effective solution is vital to securing that business’s most valuable assets. There is an upward trend of insider threat occurrence and its prominence and relevance mean it simply cannot be ignored. Implementing the right program will yield clear benefits and positive results. Take a proactive approach to managing insider risk – start small, but start now. Create a program based on a culture of honesty, integrity and ethics. Employees will identify with these values and as a result, will embrace the insider threat program and its ultimate aims and objectives.
It would appear that in 1964 Mr. Willy Wonka (aka. Mr. Roald Dahl) took rather a kinetic and agricultural approach to securing the intellectual value and commercial opportunity of his company.
Fast forward to 2019 and the real world: the management and mitigation of insider threats are as pertinent now as they were then. However, we now have the benefit of well understood processes, training and awareness tools and ‘surgical technology’ that can reduce the accidental or deliberate loss of value from our companies.
Remember, it’s OK to say. It’s something I encourage my colleagues to do every day. I’ll leave you with that ‘ear-worm’. You’re welcome!
Corporate Security Delegate - MENA
5 years ago: Great article, straight to the point. Thanks for sharing Adam!
Senior Vice President | Cyber | Corporate Security at Prescient, Board Member | BEPP | OSAC's CSC
5 years ago: Loved this, Adam Honor! Looking forward to more articles from you!