Industry News: Improving Organizational Collaboration In Response To Cyber Attacks

It’s crucial to align HR, legal, and IT when an insider threat is discovered.

By Jennifer DeTrani

2018 was a busy year for bad actors propagating insider threats. A former employee of software firm Nuance hacked into the company’s servers, accessing patient records for 45,000 individuals. And SunTrust Bank announced that a former employee stole the personal information of 1.5 million bank clients.

Tales of breaches of large organizations by foreign actors may get all the press, but there’s a real and growing threat from insiders. These threats range from leaking sensitive information to public forums to exposing and selling data on employees and customers. Disgruntled employees may be motivated by money, retribution, or personal ideology. In some cases, foreign countries with massive resources hire or leverage expatriates working inside companies to do the dirty work.

More than half of security professionals surveyed in 2018 by Cybersecurity Insiders (53 percent) confirmed the occurrence of insider attacks against their organization in the previous 12 months. The top reported risk factors include allowing too many users with excessive access privileges, an increasing number of devices with access to sensitive data, and the increasing complexity of information technology.

It’s unclear why insider threats are picking up steam, but pervasive digital technology has made it markedly easier for malicious insiders to get what they want. Consider the ease with which someone can transmit intellectual property onto a thumb drive and walk out of the office undetected. These attacks are expensive, too: the average cost of insider threats per year for an organization is more than $8 million, according to Ponemon Institute.

Develop an effective organizational response with a separate team

As with external breaches, it’s impossible to prevent all insider attacks. Therefore, preparing for crisis response ahead of time is critical because preparation can reduce damages dramatically. An endemic challenge for many companies is determining roles and processes of the required participants after the detection of an inside attack. Cross-functional teamwork becomes necessary given the breadth of ramifications spanning from HR, across Security/IT, into Legal and Management. There are few other instances in which the lines of accountability and responsibility are so quickly implicated across so many departmental lines.

Within HR, a thorough and fair investigation of the roles and behavior of suspects must be effectively and securely communicated to the legal department to ensure proper protocols for suspension or termination are followed once management has bought into the plan. Cybersecurity — and sometimes physical security — elements become critical once an attack is identified, with departmental stakeholders identifying, locating, and correcting the security gap that enabled the attack. The legal team must be prepared to integrate into investigations and address potential lawsuits, regulatory audits, and fines. While it is up to each organization to determine the exact structure, roles, and responsibilities of this new team, it is clear that a single entity within the organization needs to be the “quarterback” of the effort, ultimately responsible for the day-to-day investigation and the integration of the various entities.

Confusion over ownership and cadence often delays immediate action against the bad actor, which can increase the amount of data lost by the company or result in the company’s failure to collect key pieces of evidence. Meanwhile, interdepartmental chaos can lead to in-fighting between different functions and oversight groups, resulting in a poorly conducted response. It is advantageous for an organization to settle the internal structure and responsibilities ahead of any event, because working them out during an incident aggravates an already difficult situation. Should an organization experience an issue, part of the recovery process should address this specific matter.

When push comes to shove, the legal team steps in to take charge. The legal perspective is invaluable when pursuing criminal or civil charges, but lawyers may not be prepared to deal with eDiscovery, HR policies, and IT security realities that come into play. Security professionals need to make sure the terminated employee doesn’t leave with active credentials or devices containing company information, or access to company facilities.

A better way to manage the response and recovery process is through the creation of a separate Insider Threat department or team, a practice that Fortune 500 companies are starting to adopt. This independent department’s main purpose is to quarterback the process. Staffers will have backgrounds in law enforcement, intelligence, and cybersecurity and be able to navigate all issues and hurdles across security, HR, legal, and communications silos. The benefits of this structure include objective leadership on insider threat management and a faster, more coordinated response during investigations and cleanup due to advance planning. This team would also be responsible for deploying additional capabilities and safeguards to ensure individuals are identified when they are causing issues or, ideally, before they do.

Insider threat groups typically report to the Chief Security Officer, CISO, or Chief Risk Officer, and their role includes:

  1. Helping develop and direct policies;
  2. Educating employees on safe computing practices;
  3. Deploying data loss prevention (DLP) on endpoints to prevent data leakage, along with other tools;
  4. Monitoring and investigating malfeasance;
  5. Leading and coordinating the response and investigation process; and
  6. Handling physical security and restricting bad actors’ access to critical data or other vital assets.

A top priority of the Insider Threat team is preparation, so that when an incident is discovered, the company can take swift and effective action. But what does preparation actually look like? Following are a few thoughts and suggestions:

Legal coordination: Establishing relationships with counsel is important and should include an understanding of the required procedures and documentation, such as for collecting evidence and how to work with attorneys. Without such preparation, the company is at risk of presenting evidence that will be inadmissible or of violating attorney-client privilege. Insider Threat teams also follow cases through adjudication and finality.

Investigations: The Insider Threat team depends upon knowledge within the company to aid their efforts. Context is critical in evidence-gathering, and functional experts can fill the gaps to track down what went wrong and how. An employee’s supervisor or the director of his department will know if the individual was wrongfully viewing documents which were outside of his role and access privileges, for example. Having policies and procedures guiding how and when to find subject matter experts during an investigation helps ensure that no stone has been left unturned.

User monitoring and behavioral analytics: Technologies and methods for tracking employee behavior against policies and role-based norms mean that Insider Threat teams won’t spend as much time on forensics during an investigation. Some companies develop a risk score for employees, which accounts for the level of access they have to sensitive systems such as financial databases, R&D applications, or mission-critical production systems.

Malicious insiders may target those employees with privileged access to gain access to valuable data; as a result, the company should closely monitor their online activity. Monitoring programs may include alerts for risky behavior — an employee visiting pornography or other sites rife with malware or someone staging anomalous amounts of data prior to a potential exfiltration.
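The two monitoring ideas above, a per-employee risk score weighted by access to sensitive systems and an alert when someone stages an anomalous volume of data, can be sketched in a few dozen lines. The following is an added example, not code from the article or from any product it mentions. The log lines, the system sensitivity weights, the access levels, and the `usb-copy` action name are all constructed for illustration; a real deployment would feed it from a DLP or file-access audit source and tune the thresholds against its own baseline.

```python
"""Toy insider-risk scoring over constructed access-log lines (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit lines: date, user, action, target system, bytes moved.
# alice's last day shows a sudden jump in volume from the financial database.
LOG_LINES = """
2019-03-01 alice download fin-db 120000
2019-03-02 alice download fin-db 110000
2019-03-03 alice download fin-db 130000
2019-03-04 alice download fin-db 115000
2019-03-05 alice download fin-db 4200000
2019-03-01 bob download wiki 50000
2019-03-02 bob download wiki 52000
2019-03-03 bob download wiki 48000
2019-03-04 bob usb-copy wiki 51000
2019-03-05 bob download wiki 50000
"""

# Assumed sensitivity weights for the kinds of systems the article names (illustrative values).
SYSTEM_WEIGHT = {"fin-db": 3, "rnd-app": 3, "prod": 3, "wiki": 1}

# Assumed access level per user, as an HR/IAM export would supply it (higher = more privileged).
ACCESS_LEVEL = {"alice": 3, "bob": 1}


def parse(lines):
    """Turn the whitespace-separated audit lines into event dicts."""
    events = []
    for line in lines.strip().splitlines():
        date, user, action, target, nbytes = line.split()
        events.append({"date": date, "user": user, "action": action,
                       "target": target, "bytes": int(nbytes)})
    return events


def daily_volume(events):
    """Return {user: [(date, total_bytes), ...]} in chronological order (ISO dates sort correctly)."""
    vol = defaultdict(lambda: defaultdict(int))
    for e in events:
        vol[e["user"]][e["date"]] += e["bytes"]
    return {user: sorted(days.items()) for user, days in vol.items()}


def staging_anomalies(events, min_history=3, z_threshold=2.0):
    """Flag (user, date, z) where a day's volume sits z_threshold sigmas above the user's own prior days.

    A per-user baseline is what makes this a behavioral check rather than a fixed quota:
    120 KB/day is normal for alice but would be odd for someone who never touches fin-db.
    """
    flagged = []
    for user, days in daily_volume(events).items():
        for i, (date, nbytes) in enumerate(days):
            history = [b for _, b in days[:i]]
            if len(history) < min_history:      # not enough prior days to form a baseline
                continue
            mu, sigma = mean(history), pstdev(history)
            if sigma == 0:                      # perfectly flat history: fall back to a ratio test
                z = float("inf") if nbytes > 2 * mu else 0.0
            else:
                z = (nbytes - mu) / sigma
            if z >= z_threshold:
                flagged.append((user, date, round(z, 1)))
    return flagged


def risk_scores(events):
    """Combine access level, most sensitive system touched, removable-media use and anomalies."""
    anomalies = staging_anomalies(events)
    scores = {}
    for user in sorted({e["user"] for e in events}):
        mine = [e for e in events if e["user"] == user]
        score = ACCESS_LEVEL.get(user, 1)
        score += max(SYSTEM_WEIGHT.get(e["target"], 1) for e in mine)
        score += 2 * sum(1 for e in mine if e["action"] == "usb-copy")
        score += 5 * sum(1 for a in anomalies if a[0] == user)
        scores[user] = score
    return scores


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("staging anomalies:", staging_anomalies(evs))
    print("risk scores:", risk_scores(evs))
```

The score itself is deliberately simple; the point is that the anomaly detector compares each employee against their own history, and that privileged access to a sensitive system raises the baseline score even before anything anomalous happens, which is what lets the Insider Threat team prioritize whom to look at first.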

Communications: Insider Threat teams should direct the post-incident crisis communications program, working closely with the company’s PR agency and/or internal communications director to ensure timely dissemination of information about security events that require public disclosure. Internal communications about the incident are just as important here. Guiding company executives on how to share information about an investigation will quell uncertainty among workers and may prevent other insider attacks.

Threat simulations: Insider Threat teams also have a role to play in prevention and analysis. They can work with cybersecurity leaders on red-teaming exercises that test the company’s networks and systems under various inside attack scenarios. Simulating attacks is also helpful to practice the response steps. How hard is it to pull an employee’s email records and chat logs for analysis, or to detect if someone is copying IP files onto a thumb drive? Clearing up hurdles ahead of time saves time and angst when a real incident occurs.

A comprehensive security management program gives equal weight to external and internal threats. While outsiders may know more about the latest attack methods, insiders have intimate knowledge about the company which can lead to loss of sensitive data and wreak havoc on profits and market share. By moving from a reactive, ad hoc strategy for handling insider threats to a proactive, preventative, and coordinated approach, companies can minimize the financial and reputational impact of insider attacks — and someday maybe even prevent them altogether.

Source: Above the Law, March 7, 2019 (https://abovethelaw.com/2019/03/improving-organizational-collaboration-in-response-to-cyber-attacks/)