Public Safety Canada (Public Safety) recently released Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk, a guide designed to assist Canadian organizations in developing effective programs to mitigate and respond to security threats from insiders (Guide).
Critical infrastructure is broadly defined as “processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government.” Public Safety’s focus, in recent years, has been on the potential disruption of critical infrastructures that could result in loss of life, adverse economic effects and significant harm to public confidence.
In this regard, Public Safety has identified the following 10 industries with critical infrastructure that requires security partnerships between governments (federal and provincial) and industry stakeholders: health, food, finance, water, information and communication technology, safety, energy and utilities, manufacturing, government, and transportation.
Public Safety has been increasingly focused on the cybersecurity of Canada’s critical infrastructure and has published several guidance documents to assist organizations with their cyber preparedness. While this Guide focuses primarily on insider threats, it recognizes the growing role of cyber threats, and many of its recommendations apply to both physical security and cybersecurity.
The Guide frames insider risk in terms of anyone with knowledge of, or access to, an organization’s physical or cyber infrastructure who has the capacity to damage the organization’s employees, customers, assets, reputation or interests. Risks from insiders arise from an organization’s employees, partners, associates, third-party service providers and external organizations with access to the internal network, resources, personnel, facilities and digital assets. The Guide provides several “quick wins” that are organized under three broad themes, summarized below.
ESTABLISHING A CULTURE OF SECURITY
The Guide recommends that organizations adopt policies, procedures and appropriate controls to create a culture of security that places responsibility on all employees. Senior management’s engagement and accountability are the cornerstone of employee buy-in. Security should be championed by a senior executive responsible for developing a security policy, with support from a working group consisting of human resources, legal, privacy, communications, technology and security.
It also recommends developing clear security policies supported by employee education, training and screening measures. These should apply to all employees, contractors and subcontractors, and should include, at a minimum:
- Pre-employment screening that varies with the level of risk assessed for the position; positions with greater access to sensitive information should be subject to more rigorous security checks
- Employee screening based on position requirements, with risk levels assigned commensurate with the critical data and areas that those individuals access
- Periodic position assessments to identify any changes to position responsibilities and to adjust the risk level where necessary
- Defining clear expectations in the security policies implemented by the organization related to account access management, password control, access to physical and digital areas, personal internet use and downloading/storing of personal data, regular employee training exercises, and corrective actions
To reduce risks from business partners, it is recommended that organizations build long-term relationships with key service providers. Prior to entering into these relationships, risk assessments identifying security concerns regarding access to systems and data should be undertaken. Analyzing the internal security of third-party service providers, including background checks of employees and establishing third-party security agreements, is recommended.
EMPLOYEES AS SECURITY RESOURCES
Employees are an organization’s largest asset in detecting and reporting potential insider risks. Periodic training, tests and employee assistance programs promote security vigilance by raising risk awareness and encouraging proactivity.
The Guide sets out a non-exhaustive list of characteristics and behaviours of insider risks that employees should be trained to recognize, including:
- Alcohol/substance abuse or changes in financial situation
- Argumentative/combative personality at work, disregard for policies/procedures or frequent attempts to access unauthorized assets
- Absenteeism, unauthorized travel, termination or unexpected resignation
- Unauthorized contact with foreign representatives or competitors
It is also recommended that organizations establish a process for confidentially reporting and tracking unusual behaviour or potential incidents.
CRITICAL ASSETS POLICY
The Guide classifies a critical asset as anything that, if altered or destroyed, would impact the confidentiality or accessibility of essential services. It recommends conducting an organization-wide assessment to identify critical assets and protecting them in the following ways:
- Monitor system and physical premises usage and what data is being sent to third parties and how it is being sent
- Apply the Principle of Least Privilege, which restricts individuals to the minimum level of access required for them to effectively perform their duties
- Divide key functions among several people to make it more difficult for an individual to abuse sensitive information
Because security breaches often occur through remote access granted by the organization, it is important to establish procedures for tracking remote access and device endpoints. Access to critical systems should also be restricted to personnel physically located in the workplace, with remote access granted cautiously and documented completely.
Organizations should ensure their critical systems and data are backed up with a recovery plan. This requires controlling access to physical backup documentation and data, with the following recommended security measures:
- No single individual should have access to both online data and physical backup media
- Organizations should require full disclosure from third parties of any subcontracted vendors providing services, including offsite storage
- Backup and recovery processes should be tested regularly
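The least-privilege, separation-of-duties, remote-access documentation and backup-access rules above can be expressed as a small access-review check that an organization runs over its own role and grant records. The following is an added illustration, not code from the Guide or from Public Safety; the role catalogue, resource names, principals and approval references are constructed for the example.

```python
"""Access review for insider-risk controls (hypothetical example).

Checks each principal's grants against three rules taken from the Guide:
  1. least privilege: no permission beyond what the role needs
  2. separation of duties: no one holds both sides of a conflicting pair,
     including "online data" vs "physical backup media"
  3. remote access: every remotely usable grant has a documented approval
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Permission:
    resource: str
    action: str


@dataclass
class Grant:
    permission: Permission
    remote: bool = False              # may be exercised from outside the workplace
    approval_ref: Optional[str] = None  # ticket documenting the remote-access decision


@dataclass
class Principal:
    name: str
    role: str
    grants: List[Grant] = field(default_factory=list)

    def permissions(self) -> Set[Permission]:
        return {g.permission for g in self.grants}


# Constructed role catalogue: the minimum each job function needs.
ROLE_NEEDS: Dict[str, Set[Permission]] = {
    "plant_operator": {Permission("scada", "read"), Permission("scada", "write")},
    "backup_admin": {Permission("backup_media", "read"), Permission("backup_media", "write")},
    "db_admin": {Permission("customer_db", "read"), Permission("customer_db", "write")},
}

# Separation-of-duties constraints: no principal may hold a permission from
# both sides of a pair. The first pair encodes the backup rule from the Guide.
SOD_CONSTRAINTS: List[Tuple[Set[Permission], Set[Permission]]] = [
    ({Permission("customer_db", "read"), Permission("customer_db", "write")},
     {Permission("backup_media", "read"), Permission("backup_media", "write")}),
    ({Permission("payments", "initiate")}, {Permission("payments", "approve")}),
]


def excess_privileges(p: Principal) -> Set[Permission]:
    """Least privilege: permissions granted beyond the role's documented needs."""
    return p.permissions() - ROLE_NEEDS.get(p.role, set())


def sod_violations(p: Principal) -> List[Tuple[Permission, Permission]]:
    """Separation of duties: every conflicting pair the principal holds."""
    held = p.permissions()
    found = []
    for left, right in SOD_CONSTRAINTS:
        for a in sorted(held & left, key=str):
            for b in sorted(held & right, key=str):
                found.append((a, b))
    return found


def undocumented_remote(p: Principal) -> List[Permission]:
    """Remote access: grants usable off-site with no recorded approval."""
    return [g.permission for g in p.grants if g.remote and not g.approval_ref]


def audit(principals: List[Principal]) -> Dict[str, List[str]]:
    """Return human-readable findings keyed by principal; clean principals are omitted."""
    findings: Dict[str, List[str]] = {}
    for p in principals:
        issues = []
        for perm in sorted(excess_privileges(p), key=str):
            issues.append(f"excess privilege: {perm.action} on {perm.resource}")
        for a, b in sod_violations(p):
            issues.append(f"separation of duties: {a.resource}:{a.action} with {b.resource}:{b.action}")
        for perm in undocumented_remote(p):
            issues.append(f"undocumented remote access: {perm.action} on {perm.resource}")
        if issues:
            findings[p.name] = issues
    return findings


# Constructed sample principals.
ALICE = Principal("alice", "plant_operator",
                  [Grant(Permission("scada", "read")), Grant(Permission("scada", "write"))])
BOB = Principal("bob", "db_admin",
                [Grant(Permission("customer_db", "read")), Grant(Permission("customer_db", "write")),
                 Grant(Permission("backup_media", "read"))])  # online data AND backup media
CAROL = Principal("carol", "backup_admin",
                  [Grant(Permission("backup_media", "read"), remote=True, approval_ref="CHG-0042"),
                   Grant(Permission("backup_media", "write"), remote=True)])  # no approval recorded
SAMPLE_PRINCIPALS = [ALICE, BOB, CAROL]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_PRINCIPALS).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Running the script reports bob for holding backup-media access on top of his database role (both a least-privilege excess and a separation-of-duties conflict) and carol for a remotely usable write grant with no approval reference; alice produces no findings. In practice the role catalogue and constraints would be loaded from the organization's own access records rather than hard-coded.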
Organizations should develop and implement policies, procedures and controls regarding access to information and data. Where possible, internet access points should be monitored and consolidated, and transparent policies regarding social networking sites should be enforced, as any information posted on these sites is accessible to others. Limiting or restricting portable storage devices, particularly when they connect to the organization’s network, is recommended.
Insider risk is a danger to all organizations but can be mitigated by implementing policies and actions that emphasize employee engagement, monitoring technology usage and data movement, and having backup and recovery plans in place. The holistic approach recommended by Public Safety begins before people are granted access to critical infrastructure and continues throughout that employee’s or third party’s time with the organization. Where cost and resources limit full implementation, implementing the organization’s most critical policies first would still be beneficial.