In support of Canadian Insider Threat Awareness Month (CITAM), it is timely to consider why insider risk management, combined with dedicated, centralized, and holistic programs, has never been more critical.
In its National Cyber Threat Assessment 2023-2024, the Canadian Centre for Cyber Security indicated that foreign nation states' and cyber criminals' cyber attacks against Canadians' national security and personal interests online are likely to increase. In our complex cyber threat landscape, organizations have never been more exposed, especially with the inherent advantage that insider threats have through privileged access to crown jewels, corporate assets, people, and the knowledge of corporate systems and processes. This situation is further compounded if the insider threat is potentially working for, or coerced by, hostile external forces.
It is now just over a decade since the Jeffrey Delisle (Canada) and Edward Snowden (U.S.) incidents. Both gave the issue of insider threats a stunning contemporary North American relevance, through the exploitation of increased information digitization and of their positions of trust in national defence agencies and, by extension, the Five Eyes (FVEY) international alliance. Since then, Canada has experienced several other deliberate insider threat attacks occurring within critical infrastructure (CI) sectors that have further demonstrated the high stakes involved and real-world consequences. The potential scenarios for future attacks targeting our government and CI are even more staggering. Imagine an intentional misconfiguration in an energy facility, unauthorized access to a city's water supply system, or a massive data breach of personally identifiable information from health and government databases. The societal and economic repercussions would be monumental.
Foster awareness: Be thoughtful about the issue in your organizational context, and reach across traditional security and core business divisions to build a centralized and holistic approach
As Canadian entities undergo rapid digital transformations to meet the challenges of the 21st century, we cannot forget about the human element when considering how to make core operations more resilient.
During our Global Accenture Cybersecurity Forum (ACF), led by our Chief Information Security Officer (CISO), Kristian Burkhardt, and shared with Accenture's CISO partners, it was noted that these days, "every threat is an insider threat". Gone are the days when we ignored the internal computing environment and focused only on hardening the virtual perimeter.
Why is this the case? It has to be considered that not all insider threats are malicious. Simple mistakes, like falling for a phishing e-mail scam or misconfiguring a server, can have severe implications for the organizations that are impacted. A comprehensive risk management approach must address both intentional and unintentional insider actions.
In my work at the Canadian Insider Risk Management Centre of Excellence, I still hear about challenges that are being experienced by my colleagues in Canadian private and public organizations to establish dedicated insider risk management programs (in spite of the present threat landscape). A notable challenge is how to actually implement an integrated and holistic approach (i.e., it's not all about cyber), work with human resources, and approach the introduction of new dedicated insider risk management programs in organizations with an eye towards the change management discipline. What is perhaps surprising is that often there is a reluctance of organizations to share real-life examples with their own employees to demonstrate the real and present threats that exist in their environment. Whether it's a deliberate or accidental compromise, the aftermath following the resolution of the incident offers an opportunity for education and learning in a way that doesn't have to involve any personally identifiable specifics. This education can help the whole organization understand that the threat is real, that insider threat events do happen and they have occurred in the past. It is this demonstration of organizational vulnerability that is at the heart of fostering trust, creating awareness, and building long-term resiliency. By engaging employees in this manner, and emphasizing the importance of insider risk management, organizations foster a culture of shared responsibility. Employees become more vigilant, more informed, and more likely to report potential risks, which fosters an environment of collective and proactive security.
Where to begin? Shifting from a reactive to a proactive stance with a strategy-first approach
Addressing insider threats isn't just about mitigating risks but also about being proactive. By identifying potential threats early, organizations can intervene before significant damage occurs. There are tools which help to identify and detect risks; however, these tools are only as effective as the strategy and program that underpins their use. Threat detection and comprehensive threat/risk modelling, via the sophisticated data exploitation, automation and orchestration platforms found in SIEM, UEBA, and SOAR tools, are not fully effective without an end-to-end enterprise strategy that engages all the core administrative and operational business functions in an organization. The strategy must also integrate with a full understanding of the crown jewels and critical business processes and supporting components that matter most.
As part of a proactive stance, it's also important for academia and the private and public sectors to continue a broader and sustained dialogue on insider risk management. The issue is here to stay, and every organization needs a wide support network on this evolving, complex matter that shifts as political, economic, societal, technological, legal, regulatory, and environmental drivers change in the world.
As part of CITAM and U.S. National Insider Threat Awareness Month (NITAM), I am proud to be joined by my colleagues in Accenture and Carleton University, Norman Paterson School of International Affairs (NPSIA), as we engage and foster more dialogue over the course of September with the broader private, public, intelligence, law enforcement, defence, and critical infrastructure communities of practice: internationally in Washington, D.C., to support the dialogue on a Five Eyes Insider Risk Practitioner Alliance (FIRPA), and nationally in Canada at our inaugural Insider Risk Management Security Partnerships Summit. A key theme at both venues, with an eye to critical infrastructure resilience, is that insider risk management isn't just a security necessity, it's an integral part of ensuring the uninterrupted functioning, trustworthiness, and reliability of our vital systems and services.