Cyber security: managing people risk and the insider threat through strategic protective monitoring
The insider threat, whereby an employee acts, knowingly or unknowingly, in a counter-productive way and causes significant damage to their organisation, has become a key risk for organisations around the world. This is driven in part by the greater access individuals have to critical information and systems as organisations become ever more connected. In addition, increasingly sophisticated methods of carrying out a cyber attack and the availability of more outlets for leaking information are increasing the threat.
To help manage the insider threat, organisations employ good security people; systems log behaviour from physical access to the use of IT systems; and software monitoring tools analyse the logs and generate alerts. Yet, in many cases, this is not working: there are frequent reports of successful attacks on the same organisations that apparently deploy all these defences. Where people risk is concerned, there seems to be a blind spot.
Protective monitoring can help an organisation to significantly reduce opportunistic crime or counter-productive behaviour by insiders and manage its people risk.
Implementing effective protective monitoring
Protective monitoring encourages people to take the right course of action and helps detect potentially risky behaviour before it causes significant damage. Done well, it commands the support of employees, engenders a strong security culture and delivers a valuable business differentiator. There are three key elements to implementing effective protective monitoring:
Firstly, organisations must manage four things well: assets (such as reputation, employees, computers, property and data); the identity of employees; employees' time (when they take actions and for how long); and the volume of transactions, all in the context of their roles and the business. Context is key, since it informs sensible and insightful business rules that produce meaningful alerts rather than noise. Often the most valuable rules are not obvious and benefit significantly from expert input.
Secondly, organisations need to use behavioural anomalies identified in historical data to focus real-time monitoring on the areas or people who pose the highest risks. Effectively, this enables organisations to use hindsight to predict where their people risks are most likely to reside – and focus their monitoring accordingly.
Thirdly, organisations need to integrate across the relevant business and security functions so that anomalies in employee behaviour are not kept hidden within silos. By making people risk a clearly accountable responsibility of HR (since HR is the primary but often unrecognised internal customer for behavioural monitoring), organisations will not only gain significant internal clarity on governance but also sharper focus in their day-to-day monitoring requirements, improved people risk management and stronger ownership of this critical capability.
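The three elements above, as an added worked example that is not code from PA, CPNI or the guidance described on this page: a small rule engine that (1) checks each event against the employee's role and the assets it permits, (2) builds a per-employee baseline of working hours and daily transaction volume from historical logs and flags departures from it, and (3) joins the IT access log with the physical badge-in log so that an anomaly visible only across both silos (on-premises access on a day with no badge-in) is not missed. All employees, systems, log records and thresholds are constructed for the example.

```python
"""Toy protective-monitoring rule engine (added example, not PA or CPNI code).

Every name, system, log record and threshold below is a constructed assumption
chosen to illustrate context-aware rules, historical baselines and cross-silo
correlation; a real deployment derives these from HR, IT and physical-access data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed HR context: each employee's role and the assets that role may use.
STAFF_ROLE = {"alice": "finance", "bob": "engineer"}
ROLE_ASSETS = {
    "finance": {"ledger", "payroll-db"},
    "engineer": {"source-repo", "build-server"},
}
# Assumed naming convention: sources with this prefix are on-premises machines.
ON_PREM_PREFIX = "workstation-"

# Constructed historical IT access log: (user, timestamp, asset, records, source).
# One ordinary working week used purely to build the baseline.
HISTORY = []
for day in range(4, 9):  # 2024-03-04 .. 2024-03-08
    HISTORY += [
        ("alice", f"2024-03-{day:02d} 09:10", "ledger", 40, "workstation-fin-01"),
        ("alice", f"2024-03-{day:02d} 14:30", "ledger", 60, "workstation-fin-01"),
        ("bob", f"2024-03-{day:02d} 10:00", "source-repo", 20, "workstation-eng-03"),
        ("bob", f"2024-03-{day:02d} 16:45", "build-server", 5, "workstation-eng-03"),
    ]

# Constructed physical-access log: (user, day) pairs with a badge-in that day.
BADGE_INS = {("alice", "2024-03-11")}

# Constructed "live" events to score against the baseline and the HR context.
LIVE = [
    ("alice", "2024-03-11 09:15", "ledger", 50, "workstation-fin-01"),
    ("alice", "2024-03-11 13:05", "ledger", 180, "workstation-fin-01"),
    ("bob", "2024-03-11 23:40", "source-repo", 20, "vpn"),
    ("bob", "2024-03-11 11:10", "payroll-db", 3, "workstation-eng-03"),
]


def build_baseline(history):
    """Per-user working-hour window and daily volume limit from historical data."""
    hours = defaultdict(list)
    daily = defaultdict(lambda: defaultdict(int))
    for user, ts, _asset, records, _src in history:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        hours[user].append(t.hour)
        daily[user][t.date()] += records
    baseline = {}
    for user, seen_hours in hours.items():
        totals = list(daily[user].values())
        m, sd = mean(totals), pstdev(totals)
        baseline[user] = {
            "hours": (min(seen_hours), max(seen_hours)),
            # Assumed threshold: 3 standard deviations above the mean, but never
            # less than double the mean so a flat history cannot yield a limit of 0.
            "volume_limit": m + max(3 * sd, m),
        }
    return baseline


def score(events, baseline, badge_ins):
    """Return (user, rule, detail) alerts for events, evaluated in time order."""
    alerts = []
    running = defaultdict(int)  # records per (user, day) so far
    for user, ts, asset, records, src in sorted(events, key=lambda e: e[1]):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        day = ts[:10]
        base = baseline.get(user)
        # Rule 1: asset outside the employee's role (HR context).
        if asset not in ROLE_ASSETS.get(STAFF_ROLE.get(user), set()):
            alerts.append((user, "asset outside role", f"{asset} at {ts}"))
        # Rule 2: time of action outside this employee's own historical window.
        if base and not (base["hours"][0] <= t.hour <= base["hours"][1]):
            alerts.append((user, "off-hours for this user", ts))
        # Rule 3: cumulative daily volume beyond the historical limit.
        running[(user, day)] += records
        if base and running[(user, day)] > base["volume_limit"]:
            alerts.append((user, "volume anomaly", f"{running[(user, day)]} records on {day}"))
        # Rule 4: cross-silo check, on-premises source but no badge-in that day.
        if src.startswith(ON_PREM_PREFIX) and (user, day) not in badge_ins:
            alerts.append((user, "on-prem access without badge-in", f"{src} on {day}"))
    return alerts


if __name__ == "__main__":
    for alert in score(LIVE, build_baseline(HISTORY), BADGE_INS):
        print(alert)
```

Run against the constructed data, the engine raises nothing for alice's routine morning access, flags bob's payroll-db read as outside his role and, because the badge log shows no entry for him that day, as on-premises access without physical presence; it flags alice's afternoon batch once her running total crosses her historical limit; and it flags bob's VPN session at 23:40 as off-hours for him, even though a blanket "after 18:00" rule would equally have fired for a night-shift employee. The point of each rule is that it is relative to the employee's own role and history, which is what keeps the alert count meaningful.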
Of course, all protective monitoring must comply with the applicable legal and regulatory frameworks and with ethical norms, and it must be publicised internally so that employees are aware it is in place and part of everyday business. At the same time, the detail of what is monitored, and when, must remain unpredictable so that the monitoring cannot be easily circumvented: employees should know that monitoring exists, not which rules and thresholds it applies.
PA has worked with the UK government’s Centre for Protection of National Infrastructure (CPNI) to help define, develop and deliver new national guidance on managing people, physical and cyber risk. The guidance will ensure the UK is at the forefront of enabling organisations across its national infrastructure to reduce counterproductive behaviour.