Insider threats present themselves in a variety of ways, and a person isn’t always responsible. Most insider threats are a mix of technology, personnel, and security, according to officials from the US Department of State.
Companies and institutions usually have to watch for threats coming from the outside, but dangers can lurk inside the infrastructure, and they're not always clear. The human element of a Security Operations Center (SOC) makes it a lot easier to detect malevolent intent or even simple mistakes.
At the RSA Conference 2020, underway in San Francisco, representatives from the US Department of State talked about what constitutes an insider threat and how companies can deal with such issues, including by using various filters during the hiring process.
Insider threats can come from mistakes or from bad intentions. Jackie Atiles, Insider Threat Program Director at the State Department, explained, via DarkReading, why this is a much more complex problem. "It is not just a tech problem, it's not just a security issue, and it's not just a personnel issue."
The State Department representative presented a simple scenario in which an employee sends an email outside the company or institution. That email might contain proprietary information or an attachment with files that should not leave the premises. If and when the IT department catches it, it's already too late.
Figuring out if it's an exception for that employee or a security issue is a difficult task, but that’s what managers and supervisors are for.
"Managers need to manage; managers need to engage," said Atiles. "Supervisors are the best defense against insider threat behavior. There is a difference between an introverted employee who wants to be alone sometimes and an isolationist who exclusively keeps to themselves all day."
Of course, an important step in the insider threat model takes place way before any incident is ever recorded, and, in theory, it should help companies avoid the problem in the first place. Vetting new employees and training existing ones -- covering aspects such as data handling, performance, security awareness -- makes a major difference.
The main idea of the State Department presentation is that many steps have to happen before an actual security issue occurs, whether it's intentional or not. It can start with insufficient employee vetting, and the loop could be closed by inadequate employee training.