If businesses continue to focus only on augmenting technical cybersecurity programs, things aren’t going to improve. Bill Priestap and Holden Triplett, co-founders of Trenchcoat Advisors and adjunct professors at Georgetown University, explain why in their Lawfare article, If We Don’t Secure People, Information Security Will Remain a Pipe Dream: there is a problem that is not being addressed adequately. “A business’s people present the ultimate vulnerability,” write Priestap and Triplett. “Until employees are appropriately safeguarded, true information security is likely to remain just beyond reach.”
Three major misconceptions about information security
Notice, there is no mention of blame; Priestap and Triplett see employees as assets that need protecting. “Businesses tend to prioritize technical security at the expense of safeguarding their employees,” explain the two authors. “There are three major misconceptions about information security that disincentivize putting resources into protecting people.”
Information security has become synonymous with cybersecurity. The authors note that spending on cybersecurity is at an all-time high; however, there are just as many reports predicting that damage caused by cyber intrusions will increase from $6 trillion in 2021 to $10.5 trillion in 2025. Yet the cybersecurity industry is holding to a very unsuccessful status quo. “While cybersecurity is important, businesses, rightly, are asking whether it alone will mitigate the information security risk, or whether they have reached the point of diminishing returns,” explain Priestap and Triplett. “Perhaps, the problem should be approached in a different way.”
Insider threat programs are appropriate and sufficient. This is a touchy subject to most employees. Businesses have added programs that designate employees as threats and rely on surveillance as a means to control employee behavior.
Priestap and Triplett, both having counterintelligence experience with the FBI, would like companies to look at insider threats differently. Intelligence agencies, and cybercriminals as well, consider two things when recruiting: suitability and access. In other words, both are looking for those most able to carry out their instructions and who already have access. “This means a business’s employees usually aren’t threats when they’re hired, but (depending on their suitability) they may become valuable recruitment targets once they’re on the inside of a particular business,” suggest Priestap and Triplett. “Employees then are vulnerable to being wittingly or unwittingly exploited by a nation-state that will use them to get what they want without regard for the long-term consequences to the employees.”
Businesses, according to Priestap and Triplett, need a proactive and persistent program to protect their employees from adversaries—nation-states or cybercriminals. The program should:
- Provide employees with the information and tools to protect themselves, and the assets they handle
- Help employees recognize adversarial activity and guide their response
Priestap and Triplett stress the importance of being proactive. Most existing insider threat programs use the word preventative but are more reactive than anything: they depend on catching employees after the deed is done. “Many insider threat programs use data transfer as a precipitating event to identify employees of concern,” add the authors. “Under those practices, insider threat programs rarely do anything except identify problems such as data loss after they have already occurred.”
On one hand, the business can feel good about removing an insider threat, but without being proactive it’s likely that valuable assets have already been transferred to another company or nation-state, and the business will suffer as a result.
Something else the authors warn about: “The program’s very name implies that employees are threats. Once a business starts treating its employees as such, it risks damaging trust—the key ingredient of the employer-employee relationship.”
Most cyber intrusions are technical in nature, so companies only need to worry about that aspect, rather than understanding it as part of a larger operation.
This misconception is a valued tool of cybercriminals. Most intrusions are neither purely technical nor purely employee manipulation. A 2020 IBM report conducted by the Ponemon Institute found that insiders (often employees) account for 60% of all cyberattacks. A Verizon study determined that 94% of all malware entered the victim companies via email.
Of that email-delivered malware, according to the cybersecurity company Proofpoint, 99% required some level of human interaction to be successful. “It is critical for businesses to understand that their information vulnerabilities are not purely technical,” assert Priestap and Triplett. “Viewing the risk of intrusion as only a technical issue is focusing on the tools used rather than the bigger picture.”
It’s important to look at why as well as how. “Cybersecurity companies focus on understanding the TTPs (tactics, techniques and procedures) of intrusion sets,” mention the two authors. “In other words, they merely look at the ‘how’ of an intrusion rather than the ‘why.’ While necessary, focusing on the how is not comprehensive enough, as its efficacy is dependent on seeing all the different ways cyber actors are trying to access a network.”
Besides, focusing on the how does not tell you what they were after. “Forensically piecing together a cyber actor’s actions in your network, and what they have taken is a painstaking process and ultimately has limited utility,” advise Priestap and Triplett. “You may see some or even most of the actor’s activities—data reviewed or exfiltrated—but the eventual beneficiaries of that information and their intentions are opaque.”
Another concern of Priestap and Triplett is a perennial thorn in cybersecurity’s side: more often than not, convenience wins over security. “Many cybersecurity companies have attempted to reduce the risks, vulnerabilities and solutions to only their technical manifestation,” suggest the authors. “This is definitely easier from a product delivery and business development standpoint, but it doesn’t do enough to help businesses understand and address the underlying cause.”
Both intellectual property and employees should be considered valuable assets that need to be protected. “Otherwise, the limited security resources of each business may be allocated inappropriately,” conclude Priestap and Triplett. “Your business could end up protecting the wrong things or protecting the right things in the wrong way.”
Note: This post is a continuation of the TechRepublic article Why employees need counterespionage training.