For IT and security professionals, one of the most difficult things to accept is the fact that cybersecurity incidents are inevitable.
“There is no perfect system,” said Nick Culbertson, Co-founder and CEO of Protenus. “The only perfect system is one that’s unplugged, locked up, and covered in concrete. And even then, I’m sure someone could still get in.”
While that may sound alarming, it’s a reality that leaders must accept in order to mount a successful defense against attacks. Another is recognizing that every member of the workforce presents a threat to the organization’s safety.
“As we’ve seen with so many of the large data breaches that have occurred, insiders pose a risk because they’re vectors for hackers to get in, whether it’s through weak access controls or phishing attacks,” he noted. “It’s a matter of making sure there are layers of protection around that and controls in place.”
During a panel discussion, Culbertson and co-panelists Brian Cayer (CISO, Keck Medicine of USC) and Nicole Brown (Privacy Manager, City of Hope) talked about the key components of a solid cybersecurity strategy, from risk identification to access management to collaboration with other departments.
Mastering the basics
It starts, according to Culbertson, with the fundamentals. “When you think about compliance, privacy and risk, it’s not about finding the most sophisticated tool. It’s about mastering the basics,” he said. The headline-grabbing incidents are happening “when those basics are not in place, and when there aren’t good controls at the foundation.”
Of the four types of insider threats — misuse/error, fraud, intellectual property theft, and IT sabotage — the first is the most concerning, according to Cayer. “An insider could just be a misinformed employee who simply doesn’t understand the policies and procedures.” As a result, they may end up sending the right information or credentials to the wrong person, which can then set off a firestorm.
“There are so many different factors to consider,” said Brown. “When I’m doing an investigation, I always look at intent. Did they intend to leave something available or steal information, or was it purely accidental?”
This is where access management — and the ability to vet permissions — comes into play, according to Cayer. “It comes down to what are your policies and procedures, and what level of access do you give those individuals,” he noted, adding that “it should be tailored. You don’t want to give the entire workforce the same level of access.”
Zero-trust policies
Establishing that requires collaboration across departments, including IT, security, compliance, privacy, and human resources. “It’s building a cohesive working relationship between teams and saying, ‘What are we seeing here? What are we doing to enhance that level of protection?’”
That protection starts before an employee is even hired, according to Cayer, who believes HR can play a vital role in vetting individuals and communicating any concerns they might have. “Why did they leave their previous role? That’s a big piece in ensuring we’re not taking on risk,” he stated.
And while background checks can surface some red flags, there’s a lot they don’t reveal, noted Brown. “It goes back to how well you’re defining the steps in the interviewing process.” At Lurie Children’s Hospital of Chicago — where she spent three years in leadership roles before recently transitioning to City of Hope — her team had specific instructions on which points to analyze and how to proceed, depending on what they found. Given the current climate, she advised adopting a zero-trust environment. “Assume everyone is at risk.”
And that risk certainly doesn’t cease when an individual is hired, said Culbertson, who has seen a rise in continuous background checks for employees. That “constant monitoring,” he noted, has become a key building block.
Driving messages
Another department that must be looped in with IT, security, compliance, and privacy is marketing — and that relationship needs to be established long before an incident occurs. “We definitely work closely with marketing,” said Brown. “With the nature of the world as it is now where we’re seeing all of these breaches, it’s important for marketing to understand what their role is in all of this and be pulled into working with us as part of a larger team.”
By that, she means “looping in” marketing and communicating with them about the tabletop exercises and run-through scenarios that IT and security teams regularly conduct, and ensuring they understand the various roles, responsibilities, and procedures. “You need to be able to say, ‘We’re seeing these indicators. We’re seeing this happen,’” she said. “Let’s make sure we’re driving that message.”
It could be by holding meetings or events, or even reserving a spot for cybersecurity in the marketing newsletter, Brown added. “It’s a great way to make sure we have a voice with the organization.”
That communication among teams is vital, according to Culbertson, even if it doesn’t happen frequently. “I really believe in this idea of partnership,” he said. “These roles can work independently, but they’re so much better when they’re creative and supporting each other.” And in the event of an incident, a rapport has already been developed, enabling the organization to execute quickly on continuity plans.
“Think about layers”
It’s all part of the “layered security approach” that organizations should have in place, he added. “You can’t just assume that because you have encryption or MFA, everything’s fine. It’s the comprehensiveness of the layers” that will make the difference. Although Protenus doesn’t specialize in external threats, its compliance analytics platform has detected “various types of phishing attacks where employee credentials have been compromised and suddenly their pattern deviates wildly from their clinical roles to something like downloading data or exfiltrated data — some type of breach,” Culbertson said. “It’s really important to think about all those layers.”
Another critical step is the ability to do segmentation so that if an event occurs, leaders can minimize the impact, according to Cayer. His advice? “Take a holistic look at your risk areas, focus on what type of controls you have in place, do some threat modeling, and determine the appropriate changes that you need to make to build those levels of controls.”
Near misses
Amidst all of this, one mistake leaders can’t afford to make, noted Culbertson, is concentrating all of their energy on the most nefarious behaviors — and thus, neglecting the low-risk incidents. Through Protenus’ research, “We found that the people who are most egregious don’t start out that way,” he said. “They build up those behaviors over time.”
By closely monitoring individuals and catching incidents, organizations are able to do on-the-spot remediation, which has proven to be extremely beneficial. “Sometimes it’s as easy as reaching out to a workforce member and saying, ‘We noticed you did this’ and reminding them it’s against the policy. Ninety-nine percent of the time it’s met with constructive output.”
On the other hand, those whose incidents go unacknowledged have a 70 percent chance of committing another incident, Culbertson said. “It’s a great opportunity to educate the workforce,” while also improving overall security.
Brown agreed, urging leaders to capitalize on near-misses. “Those are your opportunities to review processes and do additional awareness campaigns,” she said. In addition, they serve as a barometer for issues that could arise, enabling leaders to put the pieces in place before those issues become major events.
Finally, Culbertson emphasized that although every event counts, it’s important to remember that “it’s never one thing that triggers an incident or an investigation. It’s a combination of things,” he added. Having “a robust layered approach” and strong measures in place can empower teams to be better prepared.
To view the archive of this webinar — Identifying & Mitigating Key Drivers of Insider Risk — please click here.