The past few months, I keep finding myself in this conversation about “cyber” and insider threat. Generally speaking, it seems quite a few people think insider threat is a “cyber” issue – and I can’t disagree more.
I think there are three reasons people equate insider threat with cyber:
- In the media a “cyber” event is often ascribed to an “insider”. This is about as much as people hear about insider threats, so the words are assumed to be interchangeable.
- At least in the U.S., there’s a tendency to focus on spectacle – by this I mean never-before-seen technology or tactics, and the spectacular employment of them – while simultaneously ignoring the less spectacular, older tactics and technologies.
- From a mitigation standpoint, organizations are rightfully focused on protecting critical assets, which these days tend to be information on a network. In this vein, network security is the “cyber” element: protecting assets from an insider, from an outsider who finds an opening in the network, or from an outsider who becomes an “insider” by obtaining an existing insider’s credentials for access.
Given those three views, people are understandably confused. On the second point, there’s a valid psychological underpinning to the bias toward the “unknown” and newly perceived threat. On the last point, a mitigation avenue for a particular critical asset begins to color views of insider threat as a whole.
So why isn’t insider threat a “cyber” thing?
An insider event is precipitated by a trusted person with access.
A “cyber” event could be precipitated by an outsider or an insider.
If an insider, then the individual already has access to the victim organization (employee, supplier, contractor, etc.), and they leverage that access to sabotage computer resources (physical or otherwise), leak data, steal data, or otherwise attack the confidentiality, integrity, or availability of said organization’s data.
If an outsider, then they are not a trusted member of the victim organization; rather, they pose as one.
The outsider may manipulate a person within the organization, wittingly or unwittingly – say through social engineering – to enable the outsider’s access into the victim network, but the outsider is only presenting as someone with legitimate access. In this case we might call the manipulated person in the organization an insider – either unintentional or intentional, depending on their malicious intent or lack thereof – and the external hacker the outsider.
That all said, cyber insider events do not make up the majority of insider events – the share might be as low as 22%, in fact. Cyber insider events are the spectacular ones: they do a lot of harm in a seemingly short period, but they are not necessarily the most devastating.
Consider the following:
Edward Snowden managed to take a whole bunch of data from the US government, using his placement and access. Then he “sneaker-netted” that information overseas. Sure, he got the information from a virtual data source, but it wasn’t a “cyber” event.
Say what you will, insider threat is older than computers. It is as old as espionage and plain old vengeance, and that’s pretty old.
Cyber isn’t insider, much like a hammer isn’t the only way to open a lock.