GUEST POST WRITTEN BY
Robert N. Rose
Mr. Rose is founder and principal of Robert N. Rose Consulting.
The greatest threat to the security of U.S. companies is no longer the hacker attacking from beyond network walls. Now, it is the insiders already within those walls, equipped with an all-access pass. Last year, 55% of cyber-attacks were carried out by insiders, according to IBM. Companies overwhelmingly continue to direct security funding to traditional network defenses that fail to prevent damage from insiders. Unfortunately, the growing impact of insider threats on private-sector companies not only poses a risk to the companies’ proprietary information and data, but also has a direct impact on the national and economic security of the United States. Government regulation and White House Executive Orders continue to positively focus on public-private partnerships and information sharing.
However, there is an overall lack of knowledge of insider threats, and the public and private sectors cannot share what they do not know. If companies and the U.S. government wish to protect themselves from insider threats, they should partner on a security strategy and regulation that combines comprehensive data on user and system behavior, advanced analytic tools and automated incident response. Luckily, there is a rapidly growing, but untapped, market of robust solutions for a variety of architectures, including cloud-based systems. While both private companies and the U.S. government will have to balance privacy and security, the government will have the added responsibility of regulating privacy.
The enemy at hand
An insider threat may be a malicious employee who consciously or unwittingly exfiltrates data, sabotages a company’s IT systems, or manipulates its data and systems. Cases of trusted insiders who abused their privileges to remove data include Edward Snowden’s theft and disclosure of classified information in 2013, and Jun Xie’s exfiltration of 2.4 million files from GE Healthcare’s secure network in 2014. “More often, however, the insider is an unwitting accomplice who falls prey to social engineering and clicks malware in a phishing email. Insiders put that value at risk,” explained retired Admiral Mike McConnell, former Director of National Intelligence and former Director of the National Security Agency (NSA).
For example, in the 2015 cyber-attack against Ukrainian power companies, malware implanted through a phishing email targeting IT staff and system administrators allowed malicious outsiders to gain insider access to the system. McConnell continued, “Information of huge value measured in trillions of dollars is stored digitally. Insiders put that value at risk.”
Our current grasp
Despite this known and expanding risk from insiders, little attention is paid to the issue. For example, the Securities and Exchange Commission’s Cybersecurity Examination Initiative has not mentioned insider threat since it started issuing guidance on cybersecurity examinations in 2014. Though the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool does mention insider risk briefly, its vague recommendations for “Processes…to monitor potential insider activity that could lead to data theft or destruction” are insufficient given the potentially grave impact of the threat.