On Governance: Seven Questions Board Members Should Ask About Insider Threat Risk

On Governance is a new series of guest blog posts from corporate governance thought leaders. The series, which is curated by the Governance Center research team, is meant to serve as a way to spark discussion on some of the most important corporate governance issues.

Insider threats are the unwelcomed gift that keeps on giving. A recent report by the analyst firm Forrester revealed that insiders are responsible for more than half of companies’ data breaches. Companies today more so than ever before need insider threat programs, which involve a combination of people, processes and technologies. So where does the board fit in?

While board members may not be the boots on the ground combating insiders trying to do damage, board members are responsible for making the best investment decisions to reduce insider risk. To achieve that goal, they must first understand the various types of insider threats and then ask the right questions to make sure they are giving their cybersecurity leaders the resources and tools they need to build a robust program.

Insider threats come in three different types:

• Malicious insiders who purposefully aim to cause harm,
• Non-malicious insiders who do not realize their actions are elevating risk, and
• Repeat offenders whose actions continuously elevate risk.

Compromised credentials can also be considered an insider threat, once the criminal is already inside masquerading as a legitimate employee. We don’t anticipate compromised credential threats going away soon, especially considering major data breaches such as Equifax and Yahoo! where criminals stole millions and billions of credentials, respectively. They will most likely use those stolen usernames and passwords to login into corporate applications and systems, pretending to be legitimate employees.

Malicious insiders use various kinds of attack methods. Some typical ones include:

• Slow and low attacks, where insiders slowly leak a small amount of information outside the company during an extended period;
• Collusion, where a group of employees exfiltrate bits and pieces of sensitive corporate data for their own gain; and
• Door “jigglers,” which are insiders who try logging into various applications that contain sensitive data and don’t stop trying until they get access. (Check out this infographic for a complete list of insider threat attacks.)

So what kinds of questions should board members be asking to ensure their cyber leaders have the right resources and tools to detect the various kinds of insider attacks? They should begin by not focusing on the “who” of the equation, and instead focus on the “what.” They should focus on the data assets that need the most protection, those that if compromised by an insider, would impact the business the most. Here are questions board members should ask their cyber leaders:

1. Have you aligned your insider threat strategy with the business continuity team’s objectives? Cybersecurity is a business continuity issue. Cyber leaders should be in continuous communication with the business continuity team. They should understand which assets the business continuity team would protect first if a natural disaster hit. Chances are those same assets are the crowned jewels cyber leaders want to protect first as well.
2. Do you know which systems, applications and users are connected to our most important assets? Once cyber leaders have identified the assets that, no matter what, cannot be compromised, they should identify what and who connects to those assets. They should also understand how users are accessing those assets and what they are doing with those assets.
3. How are we currently protecting those assets and any systems or applications connected to them? Cyber leaders should know if, for example, they are using user and entity behavior analytics to monitor and detect abnormal user behavior and prioritize the riskiest users that need immediate investigation. They should know if systems or applications that connect to those assets are continuously being scanned for vulnerabilities. They should know if users who access those assets are using multi-factor authentication, and if those assets are being tagged in an appropriate way to clearly show they are highly sensitive.
4. What gaps have you identified that are putting those assets at risk of a successful insider threat attack? Cyber leaders should understand if, for example, they are not monitoring for abnormal user behavior, or if employees are using one set of shared credentials to access a highly valuable asset.
5. What do you need to fill those gaps? Whether it’s manpower, a new policy or technology, it’s important board members understand what cyber leaders need to fill the gaps so that the company’s crown jewels are protected at all times.
6. What is our current insider threat residual risk? Understanding how much residual risk from insider threats the company currently faces gives board members a baseline measurement of risk so they can make decisions based on their set risk appetite.
7. If you get what you need to fill the gaps, the company’s insider risk will be reduced by how much? By knowing an actual measurement of how much residual risk will be reduced if certain decisions are made, board members can weigh that metric against their set risk appetite to see if it’s worth making the recommended investments.

Overall, the most important question to ask for anything cybersecurity-related is, “What do we have to lose?” Without understanding what’s at stake, it’s impossible to make the right investment decisions.  

The views presented on the Governance Center Blog are not the official views of The Conference Board or the Governance Center and are not necessarily endorsed by all members, sponsors, advisors, contributors, staff members, or others associated with The Conference Board or the Governance Center.