The growth in insider risk

Insiders take many forms. At one end of the spectrum are the inadvertent insiders who facilitate hostile bad-actor access by thoughtlessly clicking on phishing emails. Other insiders include reckless employees, staff and contractors who fall out with management, staff that become ideologically motivated or corrupted. They also may, albeit relatively rarely, be surreptitiously placed in organisations by organised crime gangs or hostile nation states.

Insider risk has been around forever – and many organisations have developed well-established defences against many forms of insider activity like fraud and reckless behaviour.

However, new opportunities for and forms of insider activity have proliferated with the explosive growth of digital business and outsourcing to third parties. New motives for insider activity are increasingly common, including, for example, using insiders to actively disrupt, or to facilitate future disruption of, business operations. Meanwhile, the arrival of AI has created a whole new class of insider activity, including virtual “spoofed” insiders and process controllers that can be subtly compromised.

As a result, there may be substantial unrecognised gaps in existing defences against insiders.

The threat from insiders has also grown rapidly as a result of the strengthening of cyber security defences – making it harder for remote hackers to gain access to systems and undertake fraud, espionage and disruption.

It should also be understood that the rise in geo-political tensions has driven a step change in efforts by hostile nation states to compromise staff, by persuasion and manipulation, as well as to place agents.

The threat to organisations that operate critical national infrastructure, hold significant sensitive data, provide important (especially technology) services to other organisations, enable trade in strategically important products, and/or have access to valuable financial and other assets has increased substantially over the past five years or so.

The challenges presented by insider risk

Insider risk is complex. It is not simply an HR challenge, nor simply a technical or physical security challenge. Effective insider risk management requires a coordinated and integrated approach that combines technical, HR and physical measures to address new risks. All too often, staff in one functional area fail to appreciate the risks and the importance of action in other domains. For instance, HR teams often do not have a sufficient grip on the management of technically highly privileged staff, while IT staff see the value in technical solutions but underestimate the importance of culture and organisational measures such as whistleblowing/speak-up arrangements.

Insider risk is typically underestimated. Most organisations think they understand the risk and think that they have appropriate defences in place, including organisational policies and procedures (for example, segregation of duties and delegation of authority) and cyber security controls. However, the recent sharp rise in threats to many organisations has not been recognised and addressed.

Insider risk is even more complex than it used to be because of the explosive growth in the number of third-party staff, contractors and systems that have access to and (often) insights into the operations, data and other assets of the organisation. Management of insider risk now needs to go “beyond the corporate perimeter”. It also needs to address the potential risks your staff and contractors present as insiders to your customers and other business partners.

Insider risk is becoming even more challenging with the advent of AI-enabled systems, which present a whole new class of potential insiders.

Because of the sharp increase in and evolution of insider-related threats, and the cross-functional complexities of insider risk management, new governance and oversight are typically needed to ensure that appropriate and proportionate organisational, technical and operational measures are delivered by otherwise siloed teams.

The agenda for boards, business, security and risk management

It is important to put insider-related risk management in the context of likely threats to the business and existing defences and controls to deal with misconduct, cyber, fraud and other risks. Insider risks have clearly grown significantly for many organisations over the past few years, but the action required must still be appropriate and proportionate. It also makes sense for insider risk management to build on existing defences and controls and to focus on mitigating new and material risks.

The key first agenda item for boards, top management and the functional heads of teams that are likely to be most affected by insider risk (typically, HR, security, cyber-security if not fully integrated, supplier management and legal & regulatory) is to review threats, risks and the maturity of existing defences.

The next step is to ensure that there is a proportionate strategy in place, and clarity on and commitment to the joined-up measures to be taken. In particular, ensuring that there is:

  • Clear functional management responsibility for the integrated risk management of insider risk across HR, technical/cyber and physical domains.
  • An appropriate and effective organisational culture, line management behaviour and whistleblowing/speak-up arrangements.
  • Robust management of and assurance on insider risk in critical third parties – moving beyond the relatively passive reliance on compliance with contractual undertakings.
  • Appropriate use of the growing set of technologies and other tools that can play a major role in identifying and mitigating insider risks.

It is important to review and test existing incident and crisis management plans to ensure that there would be an appropriate, effective and integrated response to all plausible but severe insider-enabled incidents.

Finally, it is important that this effort is not seen as a one-off exercise. There should be a timetable for future review of the threats and risks presented by insiders, and the review of the continuing appropriateness of the insider risk management strategy and organisation.

If you are interested in understanding more about your organisation’s approach to insider threat and risk, why not complete our IRM Snapshot; it’s free, takes just minutes to complete, and provides an immediate feedback report to you: https://s.pointerpro.com/insider-risk.