Trusted Insider versus Insider Threat: A New Model at nbn

Darren Kane, Chief Security Officer, nbn^™ Australia

Many modern mature organisations have an Insider Threat Program. But why call it that?

Most organisations will readily acknowledge that people are their greatest asset. We invest time and resources finding them, completing due diligence on them, attracting them to our organisation and, ultimately, paying them. We train and nurture them. We trust them with building access, system access and corporate knowledge. They will be the basis of the success of our company.

However, the irony is that while recognising the value of their people, most organisations readily bestow a title with such negative and untrustworthy connotations – Insider Threat – to a program designed to assist an organisation to perform better.

At nbn, we have taken an inverse view of that philosophy with our ‘Trusted Insider Program’ that aims to protect employees and the company from external and internal threats.

This approach allows our people to buy into the ‘Security is everybody’s responsibility’ mantra and affords our C-suite visibility on the added value the security group provides our organisation.

These types of programs are largely misunderstood, and the ‘Insider Threat’ name does not help that cause. Our people are the lifeblood of any organisation, and nbn is no different. nbn has a talented workforce of around 6000 that is vital to our success in providing access to high-speed broadband for all Australian homes and businesses.

Having established a ‘converged model’ in 2015, where a single role has remit for both cyber and physical threats, our job in security is to protect our people and the company itself from all reasonable threats. After all, these threats can materialise against any organisation in many forms.

Internal threats come in different forms: Compromised staff can become victims of phishing attacks or social engineering, inadvertent events by staff who may have mistakenly sent valuable data outside an organisation, or even malicious activity by staff who steal or disseminate valuable intellectual property or customer records for the purposes of identity theft.

Negating physical security threats requires absolute vigilance. There is no silver bullet, and maintaining physical security usually comes down to doing many little things well

Negating physical security threats requires absolute vigilance. There is no silver bullet, and maintaining physical security usually comes down to doing many little things well. This can include vigilance about company information in public places, being aware of the risk of being ‘tail-gated’ through security checkpoints and mandating that all staff clearly display their security pass at all times.

Our approach is to treat our staff as trustworthy but to have the appropriate systems, intelligence, and analytics in place across both our cyber and physical domains to ensure all incidents are detected and dealt with in a timely manner. This is why we do not believe in the title ‘insider threat’ but prefer the more positive notion of the Trusted Insider.

nbn’s Trusted Insider Program focuses on cyber defence, intelligence and behavioural insights, and investigation teams. The program is the hub of the nbn security strategy and operations, but effective programs are far broader than just detection and protection. They must cover the entire employee lifecycle: suitable background checks, onboarding of staff and third-party contractors, to contract management and asset management, right through to off boarding of staff from the company.

By taking this approach, nbn’s Trusted Insider Program is a business enabler. It provides a return on investment by providing insights into key areas of the company, such as reconciling redundant mobile phones in the fleet against billing data or providing true reflections of third-party software to ensure annual renewals are reflective of those that are actually required and approved for use.

It is this broader remit of being a protector as well as a business enabler that gives our organisation’s leaders comfort and a true understanding of the value a progressive, proactive security group.