Senior Research Associate,
National Security and Public Safety
The Conference Board of Canada will soon publish an update to its 2013 report “Preventing, Mitigating, and Managing Insider Threats.” As part of this update, the Conference Board reran its 2012 online survey on insider threats. In January 2018, we published two blog posts about responses received in November and December 2017 to that survey. However, the sample size was limited, so the survey was reopened in January 2018 and eventually received a total of 267 fully completed responses. That larger sample size significantly altered some of the survey’s findings and overall results.
One area of note was the degree to which organizations have adopted a definition of the term insider threat. Establishing a clear definition was one of the key recommendations to come out of the 2013 report; it was seen as essential to building an effective insider threat prevention program. Only 13.9 per cent of respondents to the 2012 survey indicated that their organization had an internal working definition of the term.
The results of the 2017–2018 survey demonstrate that some minor progress has been made on implementing this recommendation, with 18 per cent of respondents now signalling that their organization does have an internal definition of insider threat (see Chart 1). The percentage of respondents who were unsure whether their organization had a definition and the percentage whose organization did not have a definition decreased by only about 2 per cent each. While this increase in “yes” responses represents progress, it does not seem to reflect the rapid rise in concern around insider threats as expressed in recent surveys of security professionals.
Does Your Organization Have an Internal Working Definition of Insider Threat?
Source: The Conference Board of Canada.
While not encouraging, it is possible this finding better reflects the reality among Canadian organizations than the 2013 findings did, given some important differences in respondent demographics between the two surveys. The 2017–2018 survey received 267 completed responses, compared with 115 for the 2012 survey. The more recent survey also saw significant increases in participation by respondents from the government, education and health, and not-for-profit sectors, which also represented the three largest segments of participation.
While participation from the transportation and utilities, finance/insurance/real estate, and oil and gas sectors decreased in the 2017–2018 survey, there was significant new representation from law enforcement and critical infrastructure, who self-identified in the “other” category. Additionally, the 2012 survey was sent exclusively to senior executives for their participation or dissemination, versus the open call for respondents for the 2017–2018 survey, which may have resulted in a wider range of seniority among respondents. New questions will be added to future surveys to capture this information.
Regardless of sample makeup, 18 per cent is an alarmingly low number of Canadian organizations that have an internal definition of insider threat. Therefore, the first recommendation we make in the updated report is that organizations establish a clear and comprehensive internal definition of insider threat. The Conference Board defines an insider threat as “any person who has the potential to harm an organization for which they have inside knowledge or access, either maliciously or accidentally.” A clear and comprehensive definition such as this one can help increase awareness and detection of insider threats by employees and managers. This is the foundational requirement for creating training and policies for prevention, detection, and mitigation of insider threats.
Scaling Your Cyber Security Threat Modeling
The Conference Board of Canada, June 15, 2018 at 11:00 AM EST
Live Webinar by The Conference Board of Canada