Senior Research Associate,
National Security and Public Safety
The insider threat—any person who has the potential to harm an organization for which they have inside knowledge or access, either maliciously or accidentally—is a recurring theme at events and meetings hosted by The Conference Board of Canada. Because of their privileged access, the actions of an insider posing a threat, whether malicious or not, can have catastrophic results. In fact, perfectly functioning security practices that are focused on mitigating external threats can fail to prevent, or even exacerbate the impact of insider threats, as was the case in the tragic circumstances surrounding Germanwings flight 4U9525. It’s worth noting that human error, or non-malicious actions, are a significant source of insider threats.
How can organizations protect themselves against and respond to insider threats? In 2013, the Conference Board published Preventing, Mitigating, and Managing Insider Threats, a briefing detailing best practices shared with the Conference Board, as well as results of a 2012 survey of executives from over 100 organizations on insider threats. This research has since had minor updates, some of which were presented during a 2016 insider threat webinar.
The 2012 survey asked executives about their organizations’ level of preparedness for countering and recovering from insider threats. The results helped to establish a benchmark for Canadian organizations, and led to a series of recommendations. In 2018, we will be reviewing and updating our research to reflect the changing nature of insider threats and how best to address them. In fall 2017 we opened a survey asking the same 12 questions from the 2012 survey to see if there were any changes to the responses. Despite participation from new industry sectors, our response rate was lower than we had hoped.
We will be relaunching the survey in early 2018 to collect more responses, increasing the robustness of the results.
Preliminary results from the 2017 small sample present some interesting insights into what, if any, progress has been made in organizational preparedness for dealing with insider threats. For example, both the 2012 and the 2017 versions of the survey asked respondents if their organizations have an internal definition of insider threat. In 2012, 13.9 per cent of respondents answered “yes”; this number increased to 20 per cent in the 2017 preliminary sample.
Survey question: Does your organization have an internal working definition of insider threat?
Source: The Conference Board of Canada.
The good news is that there seems to be an increase in the percentage of respondents indicating that their organization now has a definition of insider threat. While the percentage of respondents answering “No” to this question increased, there was a decrease in the percentage of respondents answering “Don’t know”. This potentially indicates an increase in overall security awareness as respondents in 2017 seem more likely to know whether their organization has an insider threat definition or not.
The survey also asked participants if their organizations has policies in place to deal with insider threats. Interestingly, the preliminary sample from the 2017 survey painted a picture similar to the 2012 survey results. There was a small shift in the percentage of respondents answering “Yes” or “Don’t know”. This slight shift could be explained by a change in the types of organizations represented in the 2017 survey.
Survey question: Are there policies to address insider threats within your organization?
Source: The Conference Board of Canada.
Overall, respondents indicated that a majority (80 per cent) of organizations surveyed have policies to address insider threats, but only 20 per cent have a working definition for insider threat. The 2012 survey revealed a similar pattern. This calls into question the potential effectiveness of some of the policies for addressing the insider threat. Can you effectively deal with the insider threat if you do not have a good working definition of the threat?
The preliminary results from the 2017 survey suggest that while there may have been some improvement around having a working definition of the insider threat, the issue identified during our 2012 survey—the effectiveness of policies dealing with these threats in the absence of a definition—still persists.
We would like to increase the number of responses to our survey to allow for a deeper analysis of this issue in Canada, and to update our recommendations. We are grateful to everyone who participated in the first round of the renewed survey in 2017. The Insider Threat Survey will be open until February 16, 2018. If you have not done so already, we invite you to contribute to this important research. The findings from the enlarged survey will be released as a series of blogs once the analysis is complete.
Building a Cyber Savvy Board
February 1, 2018, at 11:00 a.m. EST