May 16, 2016


Susan Helmick

Death, Taxes… and the Insider Threat?

By Mark Goldstein, Forcepoint Deputy CISO

Besides death and taxes, few things in life are guaranteed.  However, organizations doing business in today’s data centric, connected world can add one more certainty to the list: the insider threat.

As noted in Forcepoint Security Labs’ recently released annual global threat report, insider threats refer to incidents that either originate or receive cooperation (willingly or unwillingly) from sources within an organization. Breaches caused by insider threats continue to climb.

My first introduction to the insider threat was in 2007 when an employee at the internet company where I worked stole information on more than 90 million accounts and sold the info to a spammer. This incident not only changed my former company’s approaches to processes and technology, but also our formerly open company culture. Still, despite experiencing an insider incident firsthand, it still didn’t seem real to me. That was until a former U.S. Dept. of Energy employee pled guilty to a spear phishing attack against his fellow employees for personal profit.  I began to wonder; if a well-regarded, long-time employee with the highest level of clearance could do this, who else was capable? Are these “black swans” – random, unexpected, high impact events - truly that rare and improbable, or more common than we would imagine?

Then I read an article called the “Seven Profiles of Highly Risky Insiders” written by my co-worker, Bob Hansmann. Bob writes about non-malicious employees – the expected “white swan” in contrast to the perceived rareness of the “black swan” -  who make mistakes; from the know-it all’s who think security policies are for other people, to the often well-meaning convenience seekers who ignore processes to get the job done quickly.

When I present the seven profiles to security leaders, I ask if they have run into these kinds of employees. Not surprisingly, the answer is yes. Every organization has “white swans” and the damage from their unintentional negligence ranges from minimal (e.g. fines, limited business disruption) to severe (e.g. financial losses, lawsuits, reputational damage).

In cybersecurity there is an oft-used saying, “There are two kinds of companies: those who have been hacked and those who don’t know they have been hacked.” Perhaps the corollary for the insider threat is, “There are two kinds of companies, those who know the insider threat is real and those who believe it happens to other companies.”

When the phrase "black swan" originated, black swans were presumed not to exist; the term symbolized impossibility. When black swans were eventually discovered, the term transformed to signify an atypical event that in retrospect was more typical than initially imagined. Unfortunately, justifying an event in hindsight as “expected” leads to failing to understand how the event occurred and what vulnerabilities caused it, setting the state for a re-occurrence.

Today, like death and taxes, the insider threat is inevitable. However, like death and taxes, we’re still often taken aback by the reality.  Learning from “black swan” cyber security events is as important as preparing for the more common ones. Don’t miss an opportunity to learn from incidents that may ultimately improve your security posture, otherwise “black swans” may come home to roost.

For more on the insider threat:

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.