Deterring Insider Threats Takes More Than Technology. It Demands Proper Processes and Culture.

There are many sophisticated technology packages and solutions available to help bolster insider threat programs. Still, without the proper training, processes, and a culture of trust built into the system, technology alone won’t stop the threats.

At the recent Global Security Exchange GSX 2023, a pivotal session titled “Subduing Insider Threats: Transferring Knowledge to CISOs Using Past Successes and Lessons Learned” occurred. The session, led by John Petrozzelli, Director of the MassCyberCenter, broke down the challenges posed by insidious employees with legitimate access. Highlighting that such insiders could be driven by various motivations, from personal gain to allegiance to another country, Petrozzelli emphasized the importance of robust insider threat programs. The session also underscored the value of an acceptable use policy as a potent tool to deter and disrupt such insider threats. With a focus on compliance, operations, and hiring strategies, this session offered invaluable insights into safeguarding organizations from internal vulnerabilities.

Petrozzelli expanded on the lessons, learning, and insights he brought during his session.

John’s Thoughts

“It’s really a combination of approaches. People, processes, and technology gotta have the people educated and trained; you gotta have the processes in place in policy, like acceptable use policies or mobile device policies. And then you have to have the technology monitor.

We’re a quasi-public organization, a dot org versus dot gov. What we do is work on cybersecurity resiliency for the ecosystem in Massachusetts, with a priority on workforce development, specifically resilience on municipalities as well.

What I wanted people to do was to come into the class and learn from some of my successes and mistakes in the past. So, I talked in-depth about some situations where I’ve dealt with insider threats. The key takeaways would be that they should have some idea of what they would want to do in their receptible use policy so they could deter insider threats and that they should always maintain a relationship with people when they don’t need anything with them to set, basically, with trust with people who are going to be people that they’d work with so that they can establish that trust before they need to work with them to mitigate inside reps.

Building Trust in a Hybrid Work Environment

There are two things I’d say; one is this hybrid or commuting environment post-COVID is probably here to stay. How does that change the conflict? Part of my issue was explaining to people that the issues are much more difficult now because you can’t establish trust as easily when you’re not in person.

Right? So you can’t go in and say hi to someone in the office without needing anything. For them because now you’ve gotta do it via Zoom or Teams. So what I had recommended to them was get on a call early.

So, when you have a two o’clock meeting, get on at one fifty-five. Then, use that five minutes to BS with people to establish trust and rapport. So that’s one way that, you know, the evolving cyber security, hybrid, or just even remote work experience changes the insider threat program to make it more difficult. The other side of it is, you know, the negligence of people contributing to insider threats has grown as well.

And that’s become more of a user negligence where they’re not trying to hurt the company, but they’re doing so with their inactivity or their lack of negligence, essentially their lack of awareness to what they’re doing. That’s a security threat.

Addressing the Human Element in Insider Threats

Part one of that is a human issue. It’s a huge human element. From that human side of things, you’ve gotta deal with that’s why I talked about in my class, like identifying partners that you wanna work with stakeholders that you have the shared mission with, like HR, like, like security, like, compliance and legal, and then working with them. And then, on the technical side, you know, use the resources available to you.

And that could be a software component. There’s some really good insider threat software tools out there that will allow you to do some of the work; it goes back to the human side because through human interaction and teaching your employees about reporting something that they see as suspicious, that’s really how gonna identify insiders. You might get lucky and catch them in log activity or exfiltrations with some log activity, but really trying to get humans to identify and then, or report them to somebody, even if it’s just one incident, is really how we’re gonna help to stem the tide of that.

Utilizing Advanced Tools While Maintaining Company Culture

I had mentioned using all the resources available to you, and that’s really like the tools. Some really good insider threat tools out there can do screen capturing, live recording, and monitoring. It goes to your initial part of this with respect to company culture. People might not wanna work for a company that has those things running.

The other thing is unless a company has the prospect of them serving employees in some kind of acceptable use policy or something, it might not work legally for them to be able to do that. It’s really a combination of approaches—people, processes, and technology. You have to have the people educated and trained.

You gotta have the processes in place, like acceptable use policies or mobile device policies, and then you have to have the technology to monitor it.”

Article by James Kent