The Cybersecurity & Infrastructure Security Agency (CISA) has published a new tool called the Insider Risk Mitigation Self-Assessment Tool (IRMPE), which helps support the public and private sector organizations understand vulnerabilities in regards to insider threats.
What is an Insider?
CISA defines an insider as being “any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.” Common examples of insiders include:
- Current/former employees
- Third party contractors
- Other parties with inside knowledge
What is an Insider Threat?
CISA defines insider threats as “the threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the [organization’s] mission, resources, personnel, facilities, information, equipment, networks, or systems.” Insider threats can manifest as these behaviors:
- Espionage
- Terrorism
- Unauthorized disclosure of information
- Corruption, including participation in transnational organized crime
- Sabotage
- Workplace violence
- Intentional or unintentional loss or degradation of departmental resources or capabilities
Analyzing The Internal Threat Environment
“As organizations make constant shifts in order to keep pace with the ever-changing threat environment, they don’t often stop and do a gut check in analyzing the internal threat environment. As numerous reports detail upwards of 70% of threats to an organization occur from employees (either by accident or malicious) it’s always wise to take the pulse of your internal controls. Organizations should welcome such tools that help to ensure that internal processes, procedures, and standards are in alignment with IT security best practices,” says Tom Garrubba, Vice President of Shared Assessments.
Using the Risk Mitigation Self-Assessment Tool, organizations answer a series of questions in order to measure their risk posture. The tool helps organizations analyze their internal threat environments and helps organizations to devise preventive plans.
Human Element Is The Most Vulnerable Element
Ron Bradley, Vice President of Shared Assessments states,” From the Wright brothers to SpaceX, there has always been risk involved with flying. The same thing holds true with managing digital assets and insider threats. The risk is real, and it’s persistent. While technology continues to evolve and improve, the fact remains, the human element is the most vulnerable element.”
Bradley continues,” Having worked as an avionics technician in the Marine Corps, it allows me to have a perspective on the correlation between the risk of flying and cybersecurity risk. The good news is, technology has progressed and it’s safer to fly and to surf the Internet than ever before. The bad news is, a minor error such as clicking on a malicious link, or having an insider download volumes of records to a USB drive (or elsewhere) can be catastrophic.”
“The tool released by the CISA is an excellent jumpstart into stoking the discussions around insider threat. It’s a practical way of performing a basic assessment with outcomes designed to reduce risk to data security. Users of this tool must be cognizant of the fact it’s only one cog in the wagon wheel of data lifecycle management. Organizations should have an end-to-end approach to the entire lifecycle of the data, inclusive of data owners, data custodians, data users, and the eventual validated destruction of the data,” adds Bradley.
Bradley concludes,” Data governance and addressing the insider threat is an important first step in the entire lifecycle. Much of this starts with sound policies and standards, along with making users aware of their responsibility (and repercussions) for protecting company data.”
Resources For Managing Insider Threats
The ramifications of an insider threat could be cataclysmal to an organization if not identified in a timely manner. CISA has a plethora of tools, training, and information to assist mitigation against an insider threat. The resources can be found on CISA’s website.
