Corporate insiders, in the form of employees, have access to cause significant damage and steal sensitive company information. In fact, the biggest internal risk at any organization is the workforce that has access to critical business systems. While most employees have good intentions, many make mistakes. And then there are others who are malicious and are intent on committing fraud for their own financial gain.
According to recent research from Forrester, insiders are responsible for more than half of data breaches. Other research indicates that insiders are responsible for 60–75 percent of all cyberattacks. It also looks like 2018 may be one of the worst ever for data breaches and that “insiders posed the biggest threat to data.”
While the motives and actors behind insider threats may vary, what we know for sure is that it is critical to take internal security seriously and take steps to prevent internal risks. Sadly, most breaches that happen within an organization aren’t discovered until long after they have occurred, while a strong prevention program could have spotted the risks before they became a problem. The following measures can help companies get ahead of the insider risks before they escalate to a crisis of fraud or data leaking.
Develop an Insider Risk Program
Your first step for mitigating insider threats is to get ahead of them with a formal program for detecting and preventing incidents. In their guide to preventing insider threats, Carnegie Mellon University’s CERT Insider Threat Center recommends any insider threat plan should include the following components: directives, authorities, mission statement, leadership intent, governance and budget.
Your program should include a detailed response action plan to be implemented if an incident occurs. It should offer instructions for a timeline of actions in the event of an incident and communication with appropriate stakeholders. It should also be clear on when and how to alert the entire organization if it becomes necessary.
The plan should also be a living document that can be changed as appropriate after an incident has taken place to reflect lessons learned. Further, it should have expectations for organization-wide participation, which brings us to tip two.
Build a Dedicated Insider Risk Team
Part of your insider risk plan should include a dedicated team that can work on strategies for identifying and mitigating insider risks within the organization. This team should represent the entire company for a holistic approach and should include both technical IT and security teams, as well as non-technical stakeholders such as executives in the C-suite, along with human resources officials and legal counsel.
It’s not necessary for these roles to be full-time dedicated positions, but should include stakeholders from multiple parts of the business who can build time in to serve on the team on a regular basis. Collaboration is key to staying on top of insider threats.
In this excellent guide to building an insider risk team, CSOonline offers detailed information about what each member of the team should bring to the table, as well as how duties should be divided.
Identify Your Critical Assets
You know you’re on the lookout for insider threats, but what are you trying to protect? You need an immediate stock of the assets in your business that are sensitive, or that impact mission-critical functions. Identify these and decide how to protect them as part of your internal risk plan.
According to the CERT insider threat guide, these assets might include patents/copyrights, corporate financial data, customer sales information, human resource information, proprietary software, scientific research, schematics, and internal manufacturing processes. But it will be highly individual based on the organization. Your list may look very different from another business.
Get on top of understanding your assets with a risk assessment and thorough inventory, and then determine which are most at risk of insiders access. From there, develop a plan for protection by priority and identify high-risk users who might have access to the assets in question. How will you ensure appropriate access? The next suggestion addresses a solution.
Lean on Solutions to Monitor Employee Actions and Keep Duties Segregated
In a recent paper from the SANS Institute, researchers note it is “imperative that companies implement internal controls to monitor, detect, and prevent access to sensitive resources to only those individuals who require it to perform their specific job function.” This means locking down access with solutions that will address segregation of duties (SoD) among employees who might otherwise use their access to commit fraud or theft.
SoD vulnerabilities are often overlooked, leading to opportunities for malicious insiders to commit crimes or for unintentional mishaps to occur. According to Gartner’s 2017 Market Guide, effective segregation of duties controls can reduce the risk of internal fraud by up to 60 percent.
It is vital for organizations concerned about insider risk to come out for the dark ages and invest in solutions that can automate the analysis of SoD and raise the flag on suspicious or unusual activity.
Create a Culture of Awareness
As mentioned previously, sometimes the internal risk is not a bad actor trying to steal or do damage, but a well-intentioned employee who has made a mistake. Results of research from Kaspersky found 88 percent of employees were not fully informed about their employer’s security policies and remain a top cybersecurity risk factor.
A comprehensive awareness program educates employees on secure behavior so they are less likely to engage in unsafe practices. A good awareness program also gives employees guidance on what suspicious behaviors to look for among other workers so they can assist with identifying insider threats within corporate walls.
Document, Then Enforce Policy
If employees have no idea about corporate security policies, as just mentioned, how can they engage in secure behavior? The onus is on company leaders to document expectations for security, and then enforce those policies if they are violated.
Even if it’s an unintentional slip up that leads to clicking on a malicious link, if employees are not up to speed with policies and controls, they are at a severe disadvantage — and so is your organization due to their lack of knowledge.
Clear explanations of policy, along with the awareness training already suggested, can keep unintentional missteps to a minimum. And, while it might seem obvious, a policy should also address the penalties and fall out for any intentional violations too. This protects you if law enforcement and litigation ever become issues after an incident.
Examples of the kinds of policies that should address secure behavior include an acceptable use policy, intellectual property protection policy, secure employee behavior policy, password update policy, and a reporting policy, just to name a few.
Promise Employees Confidential Reporting
While insiders are your biggest risk, they are also your top asset when it comes to uncovering fraudulent or malicious insider behavior. Although it’s often overlooked, you companies should have a reporting system in place so that employees know they can come forward to alert management about anything they might observe that seems off — or insecure. Assure employees that they can report anonymously and without fear of reprisal and then ensure that potential whistleblowers will have protection should they need to report in the future.
The numbers don’t lie. Internal risks and protecting against them should receive equal weight with external threats in any cybersecurity strategy. There is more complacency around taking action against internal threats simply because companies don’t take them seriously enough or believe they can’t happen at the hands of their own employees. That’s a fallacy that can lead to a big security fail.