Transcript: How can we stop insider theft?

This automatically-generated transcript is taken from the IT Pro Podcast episode ‘How can we stop insider theft?’. We apologize for any errors.

Rory Bathgate

Hi, I'm Rory Bathgate and you're listening to the ITPro podcast where today we're discussing insider theft. In today’s economic climate, companies are looking to allocate resources as effectively as they can in order to keep costs low. In some cases, this has meant widespread layoffs of permanent staff in favor of greater reliance on third-party contractors and consultants. But this could open businesses up to insider threats. If untrustworthy parties gain access to crucial systems or get hold of information that could facilitate identity theft, firms could face real financial losses. Well-meaning contractors could also open companies up to security breaches by not following practices correctly, or accidentally exposing sensitive data. Today, we're speaking to Fran Rosch, CEO of digital identity specialist ForgeRock, about the pressing need for better scrutiny of third parties, and how companies can control systems access through identity governance. Fran, thanks so much for being on the show.

Fran Rosch

Thank you, Rory. Appreciate the opportunity.

Rory 

So just to start off with kind of a broad question, how big of a problem is insider theft right now?

Fran

Well, I think it's a huge problem right now. There was a recent report out by the Ponemon Institute that revealed that the insider threat, risk has actually grown 44% over the past couple of years. And these can be very expensive for customers. On average, it was about £5 million ($6.18 million) in expenses per incident. So these are rising in numbers and rising in significance.

Rory

What do you think is behind that rise at the moment, has there been a change in strategy of threat actors? Or is this to do with the strategies that firms are taking on?

Fran

Well Rory, I think you touched on this a little bit in your introduction. But when we look at the insider threat, we kind of put it into two categories: intentional or malicious insider threat, and unintentional or accidental, driven by sort of some sloppy behavior. And so you really have to look at those two very differently, and I think companies need to be able to create strategies that are going to protect against both of those because they're very different. So if we look at kind of intentional or malicious, I think that can be driven by a lot of different things. And I think one of the things, I'm based here in San Francisco, and what we continue to hear a lot about is layoffs. I think Salesforce mentioned about 10% of their workforce, Meta recently now up to about 21,000 employees, 18,000 at Amazon and Twitter, you know, has reduced their staff by about 50%. So that creates this kind of angst around these employees who are being let go, they've got to worry about their next jobs. So sometimes these employees will kind of think it's their right to take information with them. And that's kind of that intentional insider, who may be taking customer lists, or they can take code snippets that they've written. And they're actually taking intellectual property with them. So I think this environment creates that intentional malicious activity out there that companies really need to protect. And there's some ways for them to do it, which I'm happy to talk about a little bit. And then there's the unintentional, which is some of the points that you made; as we have reduced staff we're using a lot of contractors and supply chains who might not be as well trained in how to follow good IP practices related to their identity credentials. So you have to really understand they're both intentional and unintentional, and protect against both.

Rory

That's a great way of breaking it down. I think starting with intentional, what are some of the ways that businesses can mitigate against this?

Fran

Sure. I think like almost anything in the world of cyber security, it's a lot about layers. There's not going to be one thing that completely eliminates this challenge for companies. But when we talk to many of our customers it starts a little bit with the basics, which is reminding employees of their obligations. Like, prior to laying someone off or letting them go, it's good to remind them that this data is not theirs. It belongs to the enterprise. And a lot of employees will say, "Oh, I didn't know, I felt like I wrote that code", or "I felt like I those were my customers". So I think reminding them, I think is very helpful. I think there are little things like disabling thumb drives, and you know some enterprises still allow people to bring in thumb drives which can really be effective in downloading a ton of information quickly. So just preventing that, I think, is simple. I think there are also ways to kind of look at data protection, to be able to actually set flags when you see large amounts of data being moved, which can stop. But I think another really important element of this is just really understanding user provisioning. You know, when you think about large enterprises, thousands or tens of thousands of employees, the one way to control the risk of insider threat is to control the information they have access to. And in the industry, we kind of call that least privilege, and we don't give somebody access to all of the customer information or all the employee or the financial information unless they need it to do their job. So really understanding provisioning and governance and limiting that just really what people need to do their jobs, will reduce that threat of that malicious insider. So a lot of these things in combination can kind of help reduce that threat.

Rory

So would you say that, in many cases, it's more of an internal culture, an internal strategy problem that is maybe something that needs to be plugged into the stack or some something that needs to be overhauled?

Fran

I think it is cultural, reminding people of their responsibilities, but I definitely think there are technology solutions that companies need to deploy to be able to really truly protect themselves. And one area I talked a little bit about was that user provisioning. So for ForgeRock, we're a digital identity company. We help people understand what access their users have, and kind of let me give you some examples of that. So when you think about it if you're a salesperson, an individual salesperson at a company. And let's say you use Salesforce, you really only need access to your account information. And then if you happen to be the sales manager who's responsible for the western region of the United States, you only need access to that data. And then if you're the head of sales, you get access to everything. And what most companies do is they don't really have that kind of fine-grained permission, they just give people access to Salesforce. And that creates a risk where these junior employees can get access to more information than they need. So in ForgeRock, we have the technology and other companies as well, that can help you say, "Okay, based on this person's role in the company, whether they're in sales, or finance, or HR, or engineering, these are the applications that they should get access to". Based on their level of the company, individual contributor, middle management, and executive, here are the types of permissions they should get for those applications. And by leveraging technology, you can really limit your exposure, because you really understand who has access to what, and you're limiting the privilege to information unless it's absolutely needed for people to do their jobs. So it's really both a cultural as well as a technology solution here to help reduce the risk of malicious insiders.

Rory

I guess a question that comes to mind when you're talking about this kind of access management, especially when it comes to third-party contractors is, is this something that should be happening in the onboarding process? Or is this an ongoing process with a dedicated team that's constantly revising access?

Fran

It's really both. And we have customers that have, say, a couple of thousand employees. And they can have hundreds or maybe even a thousand applications. So that creates Rory, a web of literally millions of entitlement requests because you have to map all those users to all those applications. And these organizations are always in a state of change. They're always hiring new people, they're letting people go, and people are changing jobs. And this creates this need to constantly be updating your entitlements, and understanding who has access to what. And I think the legacy approaches to that challenge were very manual, right? You would kick off a review process where a workflow and somebody would go to their manager and say, "This person is now asking for access to this particular application, well should I approve or shouldn't I?" It was manual, or then people tried to get rules? "Well, if this person's in this job, then maybe they should automatically get access". But we think this is really a great application for AI technology, and machine learning, where you can start really looking across this vast population of users and understand their jobs and understand what applications they use to do their jobs. So you can kind of automatically determine what's appropriate access, and where you should give people access very quickly, because we all want people to be productive at work. We want them to have access to the applications and services they need to do their jobs but also recognize what is a risk or an over-entitlement and over-provisioning and block that at that time. So it is really very much of an ongoing challenge that you have to constantly be monitoring. And that's where we really think AI is, it's a great application for AI to be able to do that. You can run that AI, those AI tools against your existing install base of your employees, to kind of see what entitlements jump out as strange, as well as use it as an ongoing tool.

Rory

That's interesting, that suggestion of AI. In the introduction, I briefly mentioned the current financial hardships Some businesses are facing, and sometimes businesses are finding themselves in this situation as a result of cost-cutting. Do you think that you can both introduce new systems and cut costs at the same time? Or do you think that you have to cut the costs first, and then maybe these systems can be introduced down the line?

Fran

Yeah, I think that we feel like there's this philosophy, that technology has to have clear benefits to the company. And we look at benefits in three ways. They drive top line, right? Certainly in the identity space, creating identity experiences that are frictionless and easy for people can drive the productivity of the workforce, or can deepen relationships with your customers. Second, it has to be able to reduce costs. And third, it has to be able to increase security. And I think that any technology has to be looked at through all three of those lenses. And, you know, this case of deploying this type of technology can really save money very quickly. Because when you think about it, Rory, the old approaches I talked about were very manual, where people were spending time going through and looking at all these provisions and approving all these entitlement requests very manually. It takes a lot of time, companies literally have a dozen, a couple of dozen people, this is only their job is to look at these ongoing changes and entitlements. So by automating that, you can either reassign those employees to do something more productive or actually reduce your overall staffing in this particular area. So we think you can very quickly have cost savings, while most importantly, the topic of our conversation today, reducing the risk of these insider threats and the risk of information being stolen from the enterprise.

Rory

So, we've spoken quite a lot already about these intentional attacks, about preventing people from maybe having access to things that they shouldn't, or things that are outside of the remit of their role. But what about accidental threats, leaks that happen as a result of contractors doing their job poorly, or employees accidentally exposing systems that they have every right to have access to, but they're just not using the right protocols around them?

Fran

Yes, and the data we see actually shows that is a bigger problem, and a bigger threat. By and large, most employees just want to do their job, right? Most employees respect the rules and the organization, it's a very small number of people that are really going to be that malicious. It's this unintentional or accidental that is really a much larger problem. And the problem manifests itself in a way that we hear about with these big data breaches, right? Where, you know, thousands or millions of records are taken, or ransomware is perpetrated, and an organization goes down. These are things we hear about, right? Ransomware, big data breaches in the news. But if you look at the root cause of some of those, it is very much this unintentional type of insider threat. And the vast majority, 60, 70, or 80% of those somewhere in that process have a credential compromise where somebody, some criminal will get a hold of somebody's username and password, and they will use that to access the system. And then what they do, because these are really sophisticated attackers, they get in with that username and password, they crawl through the network, they find a server that's not been patched, that has not been updated. They compromise that server, they use that as their command and control center, they go out to the organization, they find the information, they extract it, and send it out where it can be compromised. So we think of the end state of that compromise, but it really is that initial identity that lets that happen in the bulk of the time. And that's these unintentional, where that happens. Unintentional can a lot of it be driven by the user themselves, but also the organization has somewhat of a responsibility because it can be really, the company's accident.

Rory

So do you think that there's a greater role for companies here to be engaging with employees on that level, whether that's education or whether that's stricter policies, better transparency around policies?

Fran

Absolutely, because when we think of this accidental user-driven compromise, a lot of it comes down to good old-fashioned phishing or spear phishing, or more sophisticated phishing where users get an email, they think it's from their colleague or they think it's from IT. And they give up usernames and passwords readily. And then that can be used. There's a way to teach people not to fall for those phishing scams. Even companies that have MFA, which we're strong believers in - the one great way to reduce this risk is to put in two-factor authentication. Not enough companies are doing that today, so we highly recommend that - but even that isn't perfect, right? I don't know whether you've heard of this MFA bombing that's come up, where even though you may get an MFA request sent to your phone to approve an authentication, people just keep hammering people's phones until users finally just give up and accept it which seems crazy to me because that seems like a clear indication of something going on. But this goes to the example of the sophistication of these users. Also, as you mentioned, vendors don't have that same type of loyalty to the organization. And we see so many times in these large enterprise breaches, it starts with a vendor that came in from the heating and air conditioning company, or the repair company and they have password '123' set, right? So they can share it with their people. And organizations can be so focused on their own employees, they forget that it doesn't take a lot of access for a cybercriminal to use that as a crack open in the door that then they can expose. So there's a lot you can do about employee education, to really understand these things and supplier education. But there are also technology solutions that you can put in place to protect against even really crazy unsophisticated user behavior.

Rory

On that point of keeping one eye on employees, but also still remaining vigilant over third parties, is this also an observability issue? Do you think that, I mean, we've seen over the last two years especially massive digital transformation, we've seen the widespread adoption of say hybrid cloud stacks expanding, people losing track of all of their silos, people losing track of all of their attack surfaces. Is that as much of a problem for insider theft, or is that more in the other realm of cybersecurity?

Fran

No, I think it is absolutely a challenge, right? That attack surface, the broader your attack surface is, the bigger challenges you have. So consolidation of systems and tools, consolidation of user data repositories so that you have fewer of those, is absolutely a good security practice that everybody should follow. I think your other point a little bit is alerting as well, being able to alert on some of these things is really important. And part of what we do is when you think of a digital identity experience, it's very much kind of a journey. You start with user registration, you register. I don't know about you, but during the pandemic, I probably set up 50 or 100, new identities during these times. And sometimes that was a really nice experience, sometimes it was really crappy. And we brought on a lot of new employees, and we didn't even meet, but we had to go through this enrollment process. And then people are going to access and wake up every morning as employees and access, and you can start developing a profile for that user to understand their normal behavior. And then if they start going outside of their normal behavior, you can alert the system. And we have a tool called auto access, that looks at all that information, develops this digital footprint, a digital fingerprint of the user, and their normal behavior. And if they go outside of it, then you can flag and alert and say, "Maybe that person's identity was phished". And now we can go really focused on that. So that whole kind of alerting is a really important part of any security solution in the combination of just reducing that attack footprint and attack surface.

Rory

That's interesting, that specific technological advance there allowing maybe better observability, more in-depth observability. I'm wondering, we've talked a bit about changing strategy, and we've talked about changing technology, but does it need to be a change in perception as well? Do you think that currently, this is enough of a topic in boardrooms? Do you think people are as worried about this as they should be? Or do you think that this is maybe being brushed under the rug a little in comparison to some of the other threats we've spoken about, like say ransomware?

Fran

You know, we actually see it as a pretty big top priority for organizations because, as you mentioned, we are going through this digital transformation. It's been going on for 25 years so it's not new. But I certainly think it's accelerating where we're starting to realize that the most important interaction that companies have with their customers is digital. It's not physical, it's not over the phone. It's a digital interaction, and their loyalty, their business, everything's going to be driven by the quality of that digital interaction. We also do is the same thing with our employees. We used to have our employees come into work, but now almost everybody is working from home. So all of the interaction with workers we've driven over that digital channel. And so we see more and more companies saying, we have got to prioritize this digital experience and identity is the front door of that experience. So it better be easy, it better be frictionless. But at the same time, they do also recognize that it is the number one attack vector, that it's a weak link. So I think it's become a really big board topic. And the way I think about it is that for the past 40 or 50 years, the paradigm which we've used to let people access this digital world is a username and password, right? And I think of that as a lose-lose situation. In my life, I try to create win-win situations wherever I can. This is a lose-lose, right? Because it's a really bad experience, I mean, who wants to go ahead and create another username and password, remember it, go through a password reset, and go get your phone and that whole thing? It's a really bad experience, and it's also really bad security. Because guess what, everybody reuses the same username and password as often as possible, they use the weakest one that they can get approved by the system, they write it down. Not enough people use a password manager. So you've got this situation where you've got this really weak link, and that's got to change. And I actually feel like that a lot of companies now understand the importance of digital transformation, and that identity is the front door, and it can be a huge security vulnerability. They're starting to prioritize it, along with a lot of other things within the organization.

Rory

Yeah, that idea of abandoning passwords is something we've discussed on the podcast fairly recently, in terms of alternatives of what you can bring in order to gain access. I'm wondering because several governments around the world are looking at digital identity schemes - here in the UK, there's been a lot of talk around it recently, the government's been trying to get that off the ground for quite a few years. I understand that in America, with the lack of centralized privacy regulation and so forth it's more of a mixed bag. But do you think that digital identity solutions are really the key here? And if so, is there a clear role for say, the government to play in helping to forge those?

Fran

It's a great question. And it is really an exciting time to be in digital identity. Because not only are we going through this world where I think it's time to eliminate the username and password right? And as you said, there are a lot of ways to do that for both consumers and employees. But I also think there is a way to eliminate all the number of identities that we have. I mean think about it, in every application you have to have an identity. As a consumer, you have to have one for every single business that you interact with so you have hundreds or hundreds of these things. And I think your point is, what if we had a single identity, right? Sometimes we call that in the industry 'bring your own identity' or 'self-sovereign identity', we have a lot of and we love to get a lot of words for everything here. But it is that concept of showing up at the front door and saying, "I'm not going to go through a registration process, I'm not going to go ahead and set up another identity username password for you. I already have one, and it's vetted by somebody you can trust". And I think that is the future. And I will tell you, Rory, it's not necessarily a technological problem. You know, I've been in this space for over 20 years. Before ForgeRock, I spent time at Symantec, and before that VeriSign which was very into identity and credentialing. And we believed in this concept 15-20 years ago of a driver's license for the internet, where you can have a single identity that somebody stands by, and I do think that's the future. I think there's a lot of work done by standards bodies out there that can make this happen. But I do think you're right, in that the challenge always has been more the ecosystem and the technology, who are going to be the trusted issuing parties? And then everybody, then the websites or the mobile apps become relying on parties. But that's work on that site to become a relying party, and you don't really want to do that work unless you really know that that issuing party is going to become really widely used. So you get this chicken in the egg that never gets going. And so I think you're right, that governments potentially have a big role to play in this just like they do today with driver's licenses, or health ID cards, or a pension, or Social Security. They do this all the time. So I think they have a big role to play. Now, in certain countries like America, we don't always trust our government as much. And they've not always been great stewards of keeping information safe, so there might be some reluctance there. But I think there are others, banks are very well trusted. Now look at over the past couple of days, we've seen that the banking system has its own challenges with some of the bank failures that we've seen. But they have a lot of really highly valuable, validated information about me. They know my address, they've done my KYC, and they vetted me. Telcos is another really good potential, right? You look at these telcos that have millions and millions of identity information. So I think they're, you know, e-commerce companies, social media again, not necessarily the most trusted but they have a lot of information. So Rory, what we believe ultimately is that through open standards and policies, there have to be several different credential issuers or IDPs identity providers. And as long as they follow open standards, then companies can go ahead and rely on them. So I think it's going to be a while, but I think we're getting closer and closer to this point where you can have a single identity to use across a network of websites. The other challenge here is the lawyers get involved. And there's a liability. So if this website relies on the fact that they say I'm 21 years old - of course I clearly am - but you know it relies on the fact that I'm 21 years old, and gives me access to that to say buying alcohol. And it turns out, I'm only 14, because someone made a mistake, who's responsible for that? So there's a whole kind of liability system as well. I think it's coming, I think we'll see the elimination of the username and password first, which will aid and experience and reduce some of that accidental, malicious kind of insider threat. And then, in the next couple of years, we'll see continued maturity of this idea of bring your own identity. And then you get this really wonderful world where you have a single identity, and no username and password, that'll be really beneficial for both employees of companies, as well as consumers of banking and shopping, and digital services online.

Rory

Just to bring that back to insider theft I guess the idea here, correct me if I'm wrong would be that you turn up, you can access it because you can because the system verifies that you've been assigned to that task or that system, and you can't give your credentials to anyone else because they're tied to you. And as a result you can't, say, leak a password, or have your account easily taken over in that way. Is that it? Would that be a correct assessment?

Fran

That's right, if you show up at the site you can be clearly recognized. Not through some antiquated username and password, but by a much more sophisticated way of the private key, a public key which we won't go into, pass keys. And then you think about that kind of AI system behind the scenes that's kind of created that digital fingerprint of who you are, so it can notify if you go out. So it's all this really smart behind-the-scenes way to know who you are. And then once it knows who you are, it has a very clear understanding of what applications and services you need to do your job, you will only have access to those things and you're not over-provisioned. So even if you are a malicious insider, there's only so much damage you can do to an enterprise, on top of all the other things we talked about with education, and data protection, locking down your system. So I think there is a way to really reduce the threat of both accidental and malicious insider threats.

Rory

Something I'm interested in, when we're looking at the sector-wide picture we're talking about, as it stands currently, where there is the need for teams alongside maybe automated systems to conduct these checks and for this governance to be carried out. Is the skill currently there? Is that is there the requisite talent for this? Or does there need to be a ramping up in security talent to facilitate a best-case scenario here?

Fran

I think that finding cybersecurity talent, it's really hard for people today. And so the more it can be automated, the better. But when you think about how people and managers typically manage these entitlement requests, there's usually a workflow, right? So I request access to an application, it goes off to somebody for approval. What typically happens is those managers, if you're not using some level of intelligence system there, can get inundated with requests. And they don't really have the time to evaluate each one of those requests individually, but they don't want to stop business moving forward. So what do they do? Click approve, click approve, click approve, click approve, and all of this access gets approved and you end up with this organization that's completely over-provisioned. And it's also not their job, right? I mean, their job is to do whatever, this is just a manager that gets sent these approvals. So you know, it may never go to zero. But if you can remove 90% of those approval requests through an automated intelligent system, and then the manager is only getting 10% it doesn't feel as overwhelming to them. So they can actually take the time to say, "Well why is this person asking for this?" Because the automated system has kind of flagged that is a higher risk type of thing. So yes, it is definitely overwhelming for users. And I think it's a process that can be removed from that manual workload.

Rory

Something I'm wondering, to maybe round off the discussion is right at the start of the episode you mentioned this quite a dramatic rise that we've seen in insider theft. Is this a rise that you think is likely to continue? Is this going to be a sustained increase year on year in insider theft? Or do you think that the technologies, the systems, and the education you're describing, are catching up here with the threat actors and with the accidental leaks?

Fran

I'm a glass-half-full person, Rory, I'm an optimist. I do believe that there's a lot of great technology out there that can help companies do this in a cost-effective way. We see a lot of leading enterprises adopting them today. So you know, on one hand, I'm very optimistic that this is a solvable problem, not 100%, but we can take out all but the top 5% of the most sophisticated attackers, we can remove most of it. So I'm optimistic in that way. But you know, it is not going to be happening tomorrow. I mean, we look at these, these layoffs that are happening, we look at the fact that so many companies are still using really simple identity solutions that don't have any of this technology. And the bad guys are going to continue to target that. And that's why we see some of these ransomware attacks are not happening at the biggest banks in the world, and huge security organizations that keep them safe. They're happening at local hospitals or local school districts, which don't have the types of IT organizations in place to be able to do that and who haven't implemented all this technology. So I actually think we as security vendors have a responsibility to make our technology available and make it cost-effective for all types of organizations to implement, because it just takes a weak link to cause these issues. So I'm an optimist, and I think we can solve this.

Rory

Well, Fran, thank you so much for your time.

Fran

Thank you, Rory, I really appreciated the conversation today.

Rory

As always, you can find links to all of the topics we've spoken about today in the show notes and even more on our website at itpro.com. You can also follow us on social media, as well as subscribe to our daily newsletter. Don't forget to subscribe to the ITPro podcast wherever you find podcasts. And if you're enjoying the show, why don't tell a friend or colleague about us? We'll be back next week with more from the world of it. But until then, goodbye