Insider Threat

By Jason Wood

Examples abound of companies recently having become victims of malware, cyber-criminals, hackers, hacktivists, insider threats, terrorists, and even nation-state actors, resulting in the loss of personally identifiable information, proprietary information/intellectual property, personal financial information, personal health information, and other sensitive data.

In order to counter these now-common cyber threats, corporations have dedicated information technology staff who implement a layered approach to information security, convinced that regular back-ups, encryption, antivirus protection, IDS/IPS, firewalls, and employee training are all that is needed.

The trouble is, not every company has the right protection in place, too much time and effort is spent trying to protect everything equally, budgets are too tight, and oftentimes companies lack technically proficient IT personnel with the right training. Some companies, from the CIO on down, are so focused on providing service solutions to their business units that they fail to actually address the vulnerabilities of the organization’s interwoven network of servers, firewalls, desktops, personally owned devices, and in some cases point-of-sale terminals.

There are several options available to obtain a report on the reliability and resilience of your corporate network:

  1. Obtain information solely from in-house IT personnel – this group has the most knowledge and familiarity with your network and your corporate reporting requirements. This group, or individual depending on the size of your IT staff, also has a vested interest in ensuring that company decision makers believe the network is well protected, sometimes, as we find out after the fact, even when it is not.
  2. Receive information from your in-house IT personnel based on work done by an outside auditor or security service provider. This will ensure your company is in compliance with regulatory requirements mapped to PCI DSS, FISMA, GLBA, SOX, ISO 27001 and/or HIPAA. As can be noted from recent news – compliance with the standard is no guarantee against data breaches.[1]
  3. Acquire the services of a third-party security firm with a reputation for its capabilities and experience, and with the ability to work with existing information security teams – cooperative, not competitive. Preferably a regional company with international experience and not a reseller of other IT services, software, or hardware. A firm that will quickly grasp your IT environment as well as your company’s culture. A team that is able to address the concerns of, and communicate openly with, company executives and technicians. And always look for a company that is truly vendor agnostic – not a value-added reseller, and not in any way reimbursed or compensated for using a specific product or appliance.

So, to get to the point, what are the benefits of an outsider looking in? The most obvious benefit is in receiving a truly unbiased and objective third-party evaluation: an evaluation based on the factual conditions of your IT environment, your cyber risks, and your cyber response readiness. Additionally, most companies are just now developing a cyber-risk management process and are nowhere near the level of sophistication required to adequately protect their critical data. Companies oftentimes lack the expertise to build a high-security road-map, and in some cases corporate and IT leadership won’t make decisions because they fear making a bad decision. This is where an outside security firm can really prove beneficial, as they bring recent experience from various industry sectors and provide insight as to what works and what does not work – from actual experience, not from being well read. Whether a company believes it is secure or knows it is challenged with the way ahead in cyber-defense, an outside technology-focused security firm may have the most impact in reducing the overall level of threats associated with cyber attacks.[2]

Corporate leadership, to include board members, must take notice and challenge the status quo within their own organizations. The mere interest of executive leadership will not necessarily “fix” the problem, although heightened awareness within an entity’s governance body will incentivize the rank-and-file to address these issues.

While the financial investment in, and deployment of, newly developed defensive technologies is important, it is more critical for board members and executive leadership to initiate an “Engagement Strategy” – this is, after all, about protecting shareholder value, shielding corporate reputations, and enhancing long-term profits – protecting your network is simply a good business decision.[3]

About the author: Jason Wood retired as a Chief Warrant Officer 5 from active duty Army in 2013. He served 25 years as a Counterintelligence Special Agent with leadership assignments at the Defense Threat Reduction Agency, the White House Military Office, and the US Army Intelligence Center and School. He is currently employed as the Director of Operations at SpearTip.

SpearTip is a cyber counterintelligence firm located in St Louis, MO with offices in Dallas, TX and Washington D.C. SpearTip’s mission statement is, “Blending cutting-edge technologies, unique skill sets, and military-proven cyber-counterintelligence strategies, SpearTip partners with our clients to protect shareholder value, shield corporate reputations, and enhance long-term profits.”

[1] Vijayan, J. (2014, February 3). Despite Target data breach, PCI security standard remains solid, chief says. Computerworld. Retrieved May 19, 2014, from

[2] Chinn, D., Kaplan, J., and Weinberg, A. (2014, January). Risk and Responsibility in a Hyperconnected World. World Economic Forum in collaboration with McKinsey & Company.

[3] Damouni, N. (2014, May 30). U.S. Companies Seek Cyber Experts for Top Jobs, Board Seats. Reuters. Retrieved June 2, 2014, from