Coronavirus Creates New Insider Cyber Threat and How to Treat It

April 6, 2020

Instantaneous, Unplanned, Digital Transformation Creates Massive Cyber Risk

By Larry Clinton

Insiders are generally identified as the locus of about half of successful cyber-attacks. The 2020 edition of the Cyber-Risk Oversight Handbook, published by the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA) last month (available free of charge here), identifies the first category of insider threat as careless workers who “non-maliciously misappropriate resources, break acceptable use policies, mishandle data, install unauthorized applications, or use unapproved workarounds.”

The attack of the Coronavirus has almost instantaneously turned the percentage of workers doing business in an online modality from its pre-virus ratio of about 20 percent of the workforce to well over 80 percent.

Virtually all of this novel group of online workers now are fulfilling the behavioral definition of insider threat, not because they are “careless,” but because they frankly have no idea what the acceptable protocols and approved apps and workarounds are. No one ever told them, and in most cases their managers also have no idea.

We are already seeing cyber criminals and nation states, who are well aware of the vastly expanded attack surface, launching all manner of novel attacks against an unaware, confused, and distracted workforce operating under both personal and societal pressures they had never previously imagined.

Not only is this problem immediate, but left unaddressed it will persist and grow even in the aftermath of the virus. In an environment where the economy has been substantially damaged, there will be tremendous societal pressure to keep it afloat and recover quickly. As a result, companies may feel compelled to reduce best-practice security controls in order to reduce friction and/or improve performance for their new, heavily remote workforce, which will lead to a persistent loss and/or destruction of sensitive data.

What We Need to Do

Both government and industry, in partnership and on their own, need to quickly and widely disseminate clear, concise, actionable managerial practices to securely manage their newly mobile workforce.

The cybersecurity community has engaged in technical cybersecurity information sharing for 20 years. However, what is needed now is not automated technical sharing, but simple dissemination of validated managerial practices to a broad community that is largely unfamiliar with secure online best practices but suddenly in need of this basic instruction, in the nation’s best interests, both economic and defense.

Fortunately, at February’s RSA Conference the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security presented a set of “toolkits” developed in conjunction with NACD, ISA, and the Department of Justice, including a practical two-page guide on insider threats. The toolkit is a collection of previously developed and tested practices, updated over a year-long, cross-sectoral process in 2019. The practices are easily accessible and can be understood and implemented by managers who are generally unfamiliar with cybersecurity best practices.

The toolkit includes a quick list of indicators characteristic of insider threats (e.g., voicing disagreement with policies, or disagreements with co-workers), which will enable managers to better recognize when an insider problem may be occurring.

The toolkit then offers a succinct, progressive series of questions built around proper insider risk management practices, which will assist managers in evaluating whether they have the proper procedures in place to manage data in this new environment (e.g., does the security team know exactly who has elevated data access privileges? Is there a backup and recovery program if data is lost?).

While the Cyber-Risk Oversight Handbook does not pretend to be a fully detailed insider threat management program, it is ideal for the needed immediate awareness and action required by the cybersecurity portion of the emergency created by the Coronavirus.