CISA Rolls Out New Insider Threat Risk Assessment Tool
The tool, which is intended for both public and private sector organizations, can help companies better assess their vulnerability to insider threats.
In the face of mounting ransomware attacks and concerns around supply chain security, the US government continues to take extra steps to help bolster the nation's critical infrastructure.
So far this year the US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, has released guidance to help organizations better defend against ransomware, tips on selecting and hardening remote access VPN solutions, and advice on how to battle disinformation and phishing attacks.
This week, the last week of National Insider Threat Awareness Month, it released a new tool, the Insider Risk Mitigation Program Evaluation (IRMPE), designed to help public and private organizations gauge their security posture around insider threats.
Insider threats can of course have many undesirable outcomes: the theft of sensitive data such as intellectual property or source code, loss of competitive advantage and with it lost revenue and reduced market share, and sabotage, to name a few.
CISA's new tool, an interactive PDF, assigns a score to each of a series of questions; the questions represent maturity indicators that correspond to how equipped the organization is to mitigate an insider threat incident. Organizations answer yes, incomplete, or no to each question.
The tool asks organizations, for instance, whether there's an insider risk policy in place and whether elements of it, such as its authority, scope, and roles, are documented.
If not, and that's fine, since the tool is geared towards small and mid-sized organizations that may not have in-house security departments, the IRMPE contains information that can help organizations create their own prevention and mitigation programs.
Another question, "Does the organization have employee assistance programs to alleviate some of the stressors that might lead an employee to act in a harmful manner toward the organization?", is aimed at gauging how content employees are in their current jobs.
The narrative around insider threats is that disgruntled employees are usually more likely to act out and use their privileged access to steal data. While a helpful indicator, this isn’t always the case. Users aren't always malicious; as Verizon's Data Breach Investigations Report has shown us time and time again, sometimes they're careless and breaches are accidental. CISA's tool should help organizations feel better about where they stand in the event that's the case, too.
“While security efforts often focus on external threats, often the biggest threat can be found inside the organization,” said CISA Executive Assistant Director for Infrastructure Security David Mussington. “CISA urges all our partners, especially small and medium businesses who may have limited resources, to use this new tool to develop a plan to guard against insider threats. Taking some small steps today can make a big difference in preventing or mitigating the consequences of an insider threat in the future.”
The tool should provide value for companies, especially those that may have shifted their workforce to a work-from-home or work-from-anywhere schedule. For companies that lack a comprehensive data protection solution, the pandemic has made it easier for employees to move data around, sometimes via cloud storage or USB devices, which has substantially escalated the risk of insider threats.
As far as combating insider threats goes, CISA’s new tool joins resources like the National Cybersecurity and Communications Integration Center’s Combating the Insider Threat, the FBI's Insider Threat: An Introduction to Detecting and Deterring an Insider Spy report, and another self-assessment tool designed to help organizations get a sense of their operational resilience and ability to manage cyber risk, CISA’s Cyber Resilience Review (CRR).