What is insider threat?


Any mention of an organization and insider threat in the same sentence generally conjures up an image of information being stolen by an employee — which is precisely the image Michael Theis and Matt Moynahan want to change.

Cyber Chat Host Sean Kelley sat down with Moynahan, CEO of Forcepoint, and Theis, Chief Counterintelligence Expert at Carnegie Mellon University’s CERT Insider Threat Center.

Theis defined an insider threat as “the potential for an individual who has authorized access to your organization’s assets to use those excesses maliciously or unintentionally to act in a way that could negatively affect the organization.”

But Theis said it covers a lot more than just employees or former employees.

“Things like trust and business partners, those supply chain vendors. Anyone who has access to your physical people, your physical facilities, your info or your technology.”

“Insider threats to enterprises begin with access, privilege and the intentions of the person with that access,” Moynahan added. “The definition of insider becomes very blurry with things like digital transformation [or] movement to the cloud. Attackers are getting in, identities and credentials are being stolen, and the human being has become one of the primary vectors of attack.”

Companies are spending tremendous amounts of money on training, with the goal of becoming, more or less, security companies in order to combat insider threats.

“Hygiene training from the hygiene approach certainly raises the bar, but I don’t think that is the answer quite frankly,” Moynahan said. “The unintentional, ‘don’t click on the link, don’t open the attachment’ [is a necessity, but] we need to do something more for systems and technology in my opinion.”

Theis said it’s fair to ask for proper care and caution, but he doesn’t know how effective training is. He said training should be broken down by observables, both human behavior and technical. “What are your coworkers doing that could be putting [the company] at risk? There’s no one type of ‘insider.’ It really depends on the type of threat. It’s not as simple to say, ‘What are you likely to see? When are you likely to see it? What do you look for?’” Theis said.

“The challenge has been that despite the general best efforts, the industry hasn’t protected organizations,” Moynahan said. “And the problem with the current security marketplace is that things have gotten so bad that we’re forcing enterprises to become security companies. We’re forcing individuals to try and become security experts.”

Moynahan said around $1 trillion has been spent over the past seven years trying to keep people out, with a 95% failure rate.

“It’s not just a spend issue, I think it’s an approach issue that we need to think about in addition.”