The Pentagon Leak illustrated that ensuring the protection of intellectual and sensitive information (such as proprietary information, PII, state secrets, trade secrets, patents, customer data, etc.) remains a challenging mission, even for institutions that are at the forefront of data protection and recognized as leaders in the field of cybersecurity.
The leak was caused by 21-year-old National Guard airman who exposed over 100 top-secret documents in a private chat room associated with the social media platform Discord, significantly jeopardizing U.S. national security and that of other nations, including Ukraine. This event illustrated that in order to properly mitigate information security risks such as the “Insider Threat”, these risks have to be assessed comprehensively through multiple lenses.
Comprehensive and holistic information security frameworks, such as the ISO/IEC 27001 Standard, helps organizations to ensure that multiple sources of information security threats, whether technological, organizational, physical, or human, are considered when managing risks, such as the “Insider Threat”.
The Pentagon Leak demonstrates that mitigating the risks associated with “Insider Threats” requires more than just relying on technological controls. It highlights the importance of implementing a comprehensive approach that includes a range of controls and measures that address all potential sources of risk.
With the rise of distributed workforces and remote teams in modern business environments, how can companies efficiently mitigate such risks pertaining to the “Insider Threat” (referring to a security risk posed by individuals within an organization, such as employees, contractors, or partners, who have authorized access to its resources, systems, and data) through an effective and comprehensive cybersecurity posture?
Here are eight tips worth considering to improve your security posture pertaining to people, physical, organizational and technological controls:
1 – Conduct a risk assessment [Organizational control]
A comprehensive risk assessment of the “Insider Threat” is essential in identifying, analyzing, assessing, and prioritizing potential vulnerabilities and threats posed by authorized individuals within the organization, taking into consideration all elements of the cybersecurity equation, including people, technological, organizational, and physical controls. By analyzing different risk scenarios, companies can gain a deeper understanding of the potential impact of insider threats on their business and effectively identify the types of security controls necessary to prevent and detect such threats and implement a strong cybersecurity posture accordingly.
2 – Conduct systematic and periodic background checks on new hires and existing staff. [People control]
To mitigate the risk of insider threats, companies should conduct thorough background checks during the hiring process to identify any potential red flags. By utilizing the MICE framework (Money, Ideology, Coercion and Ego), and conducting comprehensive financial and criminal background checks, interviews, reference checks, and online research, companies can evaluate a candidate’s values and beliefs to ensure alignment with company culture, identify potential risks early on, and prevent hiring individuals who may pose a security threat.
While most companies do conduct such background checks as part of the hiring process, few adopt a proactive approach by conducting such background checks periodically on existing staff as well.
Such periodic checks are essential to allow employers to monitor any potential risks that may have arisen after the initial hiring process, identify changes in an employee’s behavior such as criminal convictions or financial issues, and take proactive measures accordingly.
3 – Ensure that employees feel trusted and appreciated for their efforts. [People control]
The instance of Robert Hanssen, an FBI agent who spied for the Soviet Union because he felt unappreciated by the US bureau after being passed up for many promotions, is a stark reminder that the risks associated with employees who feel undervalued should not be underestimated. Thus, making sure that employees feel trusted and appreciated, by creating a recognition program, offering training opportunities, and involving them in security planning and decision-making may help in mitigating “Threat Insider” risks.
4 – Classify and protect your information in accordance with its sensitivity level. [Organizational control]
To successfully protect your information, you must first identify which information in your business need protection. Classifying and labeling your information in accordance with a data classification policy will allow you to identify such information and implement appropriate security measures.
5 – Apply the “need-to-know” and “least-privilege” principles throughout your organization. [Organizational control]
The recent arrest of the 21-year-old National Guard airman behind the Pentagon leak indicated that he obtained access to the disclosed sensitive documents despite having no “need to know.” Complying with the “need to know” and “least-privilege” principles will mitigate the risk of unauthorized employees accessing sensitive information. Conduct regular access reviews to ensure compliance with these guidelines, identify potential security flaws or vulnerabilities, and prevent unauthorized personnel from accessing sensitive information.
6 – Regularly train your personnel [Organizational control]
Train your personnel on data classification and the implications of data leaks on a regular basis: Employees are frequently the first line of protection against data breaches and leaks, as well as the weakest link. As a result, it is essential to train them in data classification, the types of information that should be protected, and how to manage sensitive information on a regular basis. This will assist in ensuring that employees are aware of the potential risks and consequences of mishandling sensitive data. It will also assist them in properly classifying data based on its sensitivity level, allowing it to be handled in conformity with the company’s data protection regulations.
7 – Implement Data Leakage Prevention (DLP) [Technological control]
To prevent the release of private information on the internet, it is recommended to implement Data Leakage Prevention (DLP) solutions. These solutions are designed to prevent sensitive data from being intentionally or accidentally leaked outside of the company by filtering and parsing data based on attributes like PII or sensitivity labels. However, it is crucial to have a well-defined data classification and labeling policy in place before implementing a DLP system.
8 – Define strict measures for working in secure areas [Physical control]
For an on-site working force, physical controls for sensitive areas such as Security Operations Center, R&D facilities or Sensitive Compartmented Information Facilities (SCIFs), should involve measures such as CCTV cameras, secure access controls, and restricted areas to limit access to sensitive information. Additionally, “privacy lights” can be used to prevent unauthorized photography or recording of sensitive information in secure areas. Alternatively, for a distributed, remote workforce, implementing user behavior analytics (UBA) or privacy screens can provide additional protection against the “Insider Threat” risk.
To summarize, while AI-powered cybersecurity assistants such as Microsoft Security Copilot (Microsoft Security Copilot (a security product shaped by the power of OpenAI’s GPT-4 generative AI) or its Google counterpart – Google Cloud Security AI Workbench – have the potential to revolutionize the cybersecurity equation, the recent Pentagon Leak served as reminder that however robust and mature your cybersecurity posture is or will be thanks to AI technologies, humans remain the weakest link in the cybersecurity equation. While these AI-powered cybersecurity assistants are expected to greatly enhance the “technological” controls of an organization, it may not be as effective in addressing the “people,” “physical,” or “organizational” controls. To limit the risks associated with the “Insider Threat” in the context of a distributed workforce, it is thus essential to take a comprehensive approach to cybersecurity and understand that a robust security posture in composed of more than technological controls only and considering the cybersecurity equation as a whole.
Finally, along with the integration of AI-powered tools in the cybersecurity equation, the employment of AI-powered tools for malicious objectives is a growing concern. For instance, cybercriminals may leverage the capability of AI technology to replicate an individual’s voice and orchestrate convincing vishing (voice phishing) scams. These tactics can be remarkably successful, as they rely on social engineering techniques that exploit individuals’ trust and willingness to comply with requests from perceived authoritative sources. Thus, it is crucial for enterprises to recognize these dangers and undertake measures to safeguard themselves against such risks. These measures may include implementing protocols such as multi-factor authentication and conducting employee training programs that provide education on recognizing and responding to potential vishing attacks.
For more information on how to keep your business security posture up to date to face the challenges of today and tomorrow, contact us at request@abileneadvisors.ch.
Further references:
An Approach to a Comprehensive Framework for Insider Threat – ProQuest
Pentagon Document Leak: Humans Are the Weak Link in Spying – BloombergOpinion | To stop intelligence leaks, assume there will be bad actors – The Washington Post
