A new self-assessment tool aims to help public and private sector organizations assess their level of vulnerability to insider threats, according to the United States’ top authority on cybersecurity.

The Cybersecurity and Infrastructure Security Agency’s Insider Threat Risk Mitigation Self-Assessment Tool, prompts users to answer a series of questions and then offers feedback that helps measure cybersecurity risk posture, the agency – which is part of the Department of Homeland Security – said in a statement released Tuesday.

CISA says the tool will help users further understand the nature of insider threats and take steps to create their own prevention and mitigation programs.

David Mussington, CISA’s executive assistant director for infrastructure security, says of the new tool: “While security efforts often focus on external threats, often the biggest threat can be found inside the organization. CISA urges all our partners, especially small and medium businesses who may have limited resources, to use this new tool to develop a plan to guard against insider threats.”

The CISA official notes, “Taking some small steps today can make a big difference in preventing or mitigating the consequences of an insider threat in the future.”

‘Institutional Knowledge’ Poses Risks

In its announcement this week, CISA notes that “insider threats can pose serious risk to any organization because of the institutional knowledge and trust placed in the hands of the perpetrator.”

CISA officials acknowledge these threats stem from current or former employees, contractors, or others with “inside knowledge.” Consequences, they warn, can include compromised sensitive information, damaged organizational reputation, lost revenue, stolen intellectual property, reduced market share or physical harm.

A recent report from the Ponemon Institute, based on responses from more than 1,200 IT and security practitioners, found that 53% of the companies represented by the respondents “find it impossible or very difficult to prevent an insider attack when data is being aggregated.”

The report also found that nearly half of the companies represented “find it impossible to prevent an insider attack at the earliest stages of the insider threat kill chain.”

According to the report, “The vast majority of security threats follow a pattern or sequence of activity leading up to an attack, and insider threats are no exception.” It cited Lockheed Martin’s Cyber Kill Chain and the MITRE ATT&CK Framework for recognizing the stages of an external attack, but adds “human behavior is more nuanced than machine behavior” and so insider threats “require modern approaches to combat.”

‘Excellent Resource’

Discussing the launch, Doug Britton, a former Russian linguist and interrogator in the U.S. Army, says, “This [tool] is another excellent resource released by CISA [which is] providing valuable resources that can truly be ‘Day One-ready’ and actionable for businesses of all shapes and sizes.”

Britton, the CEO of Haystack Solutions, which partners with corporations, education and workforce development organizations regarding cyber talent, adds, “CISA’s new tool set is a solid approach to preparing and hardening systems against internal threat actors.”

But John Bambenek, principal threat hunter at the firm Netenrich, brings up a possible problem, saying, “The tool can be valuable for companies with GRC teams that can make use of the findings of this report and implement the appropriate controls. The problem is that many companies don’t have or can’t afford a GRC team. Even some who can likely can’t implement the kind of controls this tool would suggest.”

CISA’s ‘Rumor Control’ Site

In other CISA news, the agency’s director, Jen Easterly, confirmed at the Aspen Institute’s Cyber Summit this week that CISA will sustain its “rumor control” website, which aims to combat disinformation and misinformation around elections. The site previously drew the ire of former President Donald Trump, who cited electoral fraud and later ousted top CISA officials in the days following the 2020 presidential election – including former Director Christopher Krebs.

CISA says the page, launched in 2020, “is designed to debunk common misinformation and disinformation narratives and themes that relate broadly to the security of election infrastructure and related processes.”

CISA adds that it “addresses election security rumors by describing common and generally applicable protective processes, security measures, and legal requirements designed to protect against or detect large-scale security issues.”

Speaking on Wednesday, Easterly said, “[As] the sector risk management agency for election infrastructure, we are here to help, to make sure that state and local officials have the resources they need to be successful.”

She added, “We’re in particular looking towards 2022, to make sure that state and local election officials have everything they need. [And] when I looked at this as a private citizen, I saw what CISA was doing, which is really making sure that the American people have the facts that they need. I worry a lot about misinformation and disinformation as a citizen, but also as a mom.”

“If you don’t have the facts, if you don’t have the best information, you can’t make the best decisions,” Easterly said, outlining the agency’s efforts to avoid malign influence on elections. “So we are going to continue with ‘rumor control’ and we’re going to continue with some innovative things we do.”