A significant amount of public-sector time and money is focused on external cyber breaches and threats. But the landscape and the risk have shifted, and agencies need to re-think and reprioritise the level of investment and focus on the insider threat.
PwC's latest research, the 2015 Global State of Information Security Survey, finds that insider cyber crimes are not only more frequent but also more damaging than outside attacks.
So while the Australian Government continues to invest significantly in national security, with a focus on nation-states, hacktivists and organised crime groups, the threat landscape is changing, and for the Australian public sector the insider threat is a clear and present danger, according to PwC cyber security expert Richard Bergman.
A PwC State of Cybercrime survey conducted last year with the US Secret Service, CSO Magazine and Carnegie Mellon University overwhelmingly cites insiders as the cause of the majority of security incidents.
To mitigate this risk government agencies need to effectively align their people, processes, and technologies under the umbrella of an insider risk management program.
There are seven practices agency leaders need to adopt to minimise their cyber risk:
1. Governance — and set the tone from the top
Appoint a senior executive to lead and advocate the program and identify key stakeholders to form an Insider Threat working group with a charter to drive program strategy, design, and implementation.
2. Understand the threats and value of your information
Conduct periodic threat assessments to identify potential threats, their tactics and their likely targets. Identify the information assets that are your “crown jewels”, those that would pose significant risk if stolen, leaked or altered, and develop a threat model of “attack trees” against them to assess the existing controls, identify gaps and enable risk-based prioritisation and decision-making.
3. Policies and processes
Establish clear program policies and supporting processes for consistent implementation across departments.
4. Training, awareness and communication
Develop and implement security awareness training and workforce messaging for managers, employees and third party providers.
5. Make the right technology investments
Use large-scale data analytics platforms and data privacy and protection capabilities to tailor a program attuned to the agency's specific risks and needs. Establish a threat intelligence and case management process and platform, integrated with IT security controls and tools, monitoring and logs.
6. Build insider risk into enterprise-wide risk management
Deploy and integrate enterprise-wide network and end-user technology solutions (monitoring, digital rights management, data loss prevention, etc.).
7. Be ready to respond
Develop and test your insider incident response plans for a range of severe impact scenarios.
The rapid pace of technological change means agencies must manage cyber risks across their whole ecosystem. That includes the insider who may use authorised access to steal, corrupt or damage information and systems for their own or others' benefit. The definition of an insider threat includes:
- Current and former employees;
- Current and former consultants and contractors;
- Third-party IT providers or suppliers;
- Planted insiders.
The insider threat is difficult to understand and combat. Insiders' motivations vary, as do the information they are after and the damage they seek to cause. The insider is typically motivated by one of the following five factors:
- Ideology, notoriety or fame, as is often the case with large WikiLeaks disclosures;
- Personal financial gain and fraud, since the black market economy for buying and selling information is easy to access and highly profitable;
- Disgruntlement or malicious intent, as a result of a negative work-related event such as a termination or dispute;
- Business advantage to a competitor through intellectual property theft;
- National security and/or economic espionage directed by a foreign government.
Of insider threat incidents committed by IT-savvy insiders (employees, contractors and consultants), over 80% have been motivated by revenge, and they typically follow negative work-related events such as termination, a dispute with a current or former employer, demotion or transfer.
Almost all of these cases had come to the attention of supervisors or co-workers as an area of concern before the attack.
The insider threat is not new for agencies; however, the value of information on the black market and the ease of selling it have shifted the risk significantly.
A health record often contains financial, medical, family and personal history that can be used to construct a complete identity, and it can fetch over $50 per record on the black market. By contrast, there is currently an oversupply of stolen credit cards, which sell for $1 each; this is changing the focus of organised crime groups and financially motivated insiders.
Many agencies do not have a mature insider-threat program in place, and are not prepared to prevent, detect, or respond to internal threats.
Agencies that manage the insider threat well have an all-of-agency approach and involve participation from IT security, physical security, legal, privacy, human resources, audit, and business managers.
To detect and respond to threats as they occur, and to reduce the potential damage, agencies can deploy a range of technical and non-technical tools and techniques, from cyber security monitoring and data loss prevention tools to background investigations, forensic interviews, training programs and decision support processes.
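As an added illustration, not part of the original article and not PwC's tooling, the following Python script shows one concrete form the monitoring described in this article can take: correlating HR records of negative work events (termination, demotion, transfer, dispute) with access logs, which is the pattern behind the revenge-motivated incidents discussed above. It raises two kinds of signal: any account activity after a termination date (access that was never revoked), and bulk data movement in a window around the HR event. The HR feed, the log lines, their field layout, the 14-day/30-day window and the 100 MB bulk threshold are all constructed assumptions for the example.

```python
"""Insider-risk correlation example: HR negative events vs access logs.

Added illustration only. All data below is constructed; the log format
(ISO timestamp, user, action, object, bytes) and the thresholds are
assumptions made for this example, not any agency's real schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# HR event kinds the text associates with revenge-motivated incidents.
NEGATIVE_EVENTS = {"termination", "demotion", "transfer", "dispute"}

# Constructed HR feed: (user, event kind, event date).
HR_EVENTS = [
    ("jsmith", "termination", "2015-03-02"),
    ("akhan", "demotion", "2015-03-10"),
    ("bwong", "transfer", "2015-02-01"),
]

# Constructed access log: timestamp user action object bytes
ACCESS_LOG = """\
2015-03-01T22:14:05 jsmith download HR/payroll_export.csv 48000000
2015-03-03T09:02:11 jsmith login vpn 0
2015-03-03T09:05:40 jsmith download Finance/vendor_master.xlsx 12000000
2015-03-11T18:40:02 akhan download Projects/tender_q3.zip 310000000
2015-03-12T08:00:00 akhan login portal 0
2015-03-05T10:00:00 bwong download Shared/agenda.docx 20000
2015-03-05T10:30:00 cgreen download Shared/report.pdf 800000
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    action: str
    obj: str
    nbytes: int


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str


def parse_access_log(text):
    """Parse the constructed whitespace-separated log into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, nbytes = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, action, obj, int(nbytes)))
    return events


def detect(hr_rows, events, days_before=14, days_after=30, bulk_bytes=100_000_000):
    """Correlate HR negative events with access activity and return findings.

    Rule 1 (termination only): any activity on a day after the termination
    date means the account was not disabled when it should have been.
    Rule 2 (all negative events): total download volume within the window
    [event - days_before, event + days_after] at or above bulk_bytes.
    """
    findings = []
    for user, kind, date_str in hr_rows:
        if kind not in NEGATIVE_EVENTS:
            continue
        when = datetime.fromisoformat(date_str)
        mine = [e for e in events if e.user == user]

        if kind == "termination":
            for e in mine:
                if e.ts.date() > when.date():
                    findings.append(Finding(
                        user, "access_after_termination",
                        f"{e.action} {e.obj} at {e.ts.isoformat()}, terminated {when.date()}"))

        lo, hi = when - timedelta(days=days_before), when + timedelta(days=days_after)
        moved = sum(e.nbytes for e in mine
                    if e.action == "download" and lo <= e.ts <= hi)
        if moved >= bulk_bytes:
            findings.append(Finding(
                user, "bulk_download_near_hr_event",
                f"{moved} bytes downloaded within {days_before}d before/"
                f"{days_after}d after {kind} on {when.date()}"))
    return findings


if __name__ == "__main__":
    for f in detect(HR_EVENTS, parse_access_log(ACCESS_LOG)):
        print(f"{f.user:8} {f.rule:28} {f.detail}")
```

On the sample data the script flags jsmith twice (a VPN login and a download the day after termination) and akhan once (a 310 MB download the day after a demotion); bwong's small download falls outside the window and cgreen has no HR event, so neither is reported. These are signals for a case management process, not proof of wrongdoing, and because they combine HR records with user monitoring they are exactly the kind of processing that needs the legal, privacy and HR stakeholders named below involved from the outset.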
To learn more about the work PwC is doing in the Cyber Security space, visit pwc.com.au/consulting/cyber
Written by Richard Bergman, PwC