With the numerous cyberattacks being reported in the news almost daily, I find it helpful to think of some words of wisdom from my grandfather. My late grandfather had minimal formal education, but he imparted wisdom that lives with me to this day: it is important to be aware of one’s environment and be cautious when placing trust—which fits well with the theme of insider threats and knowing the invisible enemy within your enterprise environment. The enemy could be a person, such as an employee that has gone rogue, or an inanimate threat, such as a backdoor planted by an unscrupulous software vendor. From my grandfather’s viewpoint, understanding one’s surroundings means being aware of possible dangers and becoming adequately prepared to mitigate any threats.
If we look at modern threats in the enterprise environment, they thrive because people are often not aware of their presence. For instance, many organizations are not even aware of all the inventory in their environment. This may seem like minor issue, but an unaccounted rogue device on the network could be the entry point for hackers into the environment where they can then pivot to critical core systems. Being aware of one’s environment goes beyond identifying potentially unethical employees that can exfiltrate critical information assets and create serious financial, legal, compliance, operational and reputational risk. It also includes properly identifying operating systems that have rootkits planted by attackers. There is no room for complacence; the vigilance must be continuous.
Organizations enter into contracts with each other to provide services or products because there is fundamental trust that the relationship between the organizations would be beneficial. In fact, it is the establishment of trust that makes it possible to execute transactions. However, it is also important to know that trust can be easily abused. Unfortunately, most fraud arises from an unethical person taking advantage of someone’s trust. Organizations hire employees because they trust that they will be committed to the organization’s mission and ethical values. Nevertheless, organizations risk unknowingly trusting their enemies who can bypass data loss protection controls and export data without suspicion. How can you suspect someone you trust? How can you determine whether you have placed your trust in a trustworthy individual? It is essential to continuously be aware of one’s environment; the awareness must be dynamic and never taken for granted.
Social engineers have mastered taking advantage of trust. A victim has to trust the conman for any tricks to be successfully executed. But how can you establish trust in your environment? Organizations must perform due diligence. Thorough background checks on all employees should be completed. However, since human behavior is fluid and unpredictable, organizations should strive to continue using logical controls to monitor employees’ access to systems used within the enterprise environment. This effort to monitor can help an organization maintain reasonable awareness of its environment.
Third-party software can also create risk as it could create backdoors for threats. But how much due diligence can one perform without access to the source code? Should organizations rely solely on open-source enterprise software so that they can trust the software they are using? This is what the board of directors that sets forth cyberrisk appetite and tolerance levels needs to determine. When the board of directors authorizes senior management to acquire enterprise software, it needs to decide what kind of due diligence will be performed before trusting the vendor and committing financial resources.
From the stories that we hear each day about ransomware attacks and rogue employees betraying their employers, my grandfather’s wisdom still rings true. It is essential to be aware of your environment and place your trust with caution. Due diligence should always be performed and you should continue to diligently monitor your environment. Boards of directors should make resources available to senior management so that they can support the continuous monitoring of their enterprise environment. As long as cyberrisk professionals remain vigilant and aware of what is happening in their environment, they can be prepared to identify and mitigate threats that appear innocuous. What I have learned is that useful information and words of wisdom can come from the humblest sources; therefore, it is always helpful to stay alert and know what is happening around us.
Editor’s note: For further insights on this topic, read Allen Ari Dziwa’s recent Journal article, “The Invisible Enemy Within: Insider Threats,” ISACA Journal, volume 5, 2021.
ISACA Journal Turns 50 This Year! Celebrate with us—and don’t forget you can still receive the print copy by visiting your preference center and opting in!