November 18, 2020
Protection strategies

Risk Management and Insider Threats

Insider threats and counter-intelligence sound like topics of an episode of “NCIS,” but both items prove important for every company and organization. Whether you own a small business or major corporation, you need to implement protections against insider threats and a plan for how to deal with them.

A 2012 survey uncovered that more than 50 percent of organizations experienced an insider event during the year. Published as the 2013 US State of Cybercrime Survey, the report continued to explain that more than half of the affected organizations said the insider attacks caused more damage than any outside threats had. Each year, about one-quarter of US electronic crime events consist of an insider threat.

What is an insider threat?

An insider threat, often also referred to as a malicious insider or negligent insider, encompasses many types of individuals. Both types present a danger, but the kind of danger differs. The less egregious of the two is the negligent insider.

Negligent Insiders

Negligent insider refers to employees or contractors who allow unwanted access to your company’s data accidentally. They did not mean to, but they probably clicked on a link in an email that infected the system with a Trojan or virus. They might have left a work laptop open while at a coffee shop, allowing access to an unauthorized person when they got up to fix their coffee or use the restroom. Training can easily negate these negligent employee actions.

Malicious Insiders

The malicious insider infiltrates areas of the system in which they are unwanted or unauthorized. They hack into the system or they install a key logger on another person’s computer. Perhaps they pilfer data and files they were not meant to have.

Whether malicious or negligent, the bad actor insider negatively affects your organization’s security by threatening your system, data, or day-to-day business operations. As long as you catch it quickly, the IT department can typically mitigate the negligent insider’s activities the same day they get discovered. Most viruses or Trojans prove easy to remove with standard security software and/or anti-malware software tools.

The effects of a malicious insider prove a greater challenge to mitigate. You may not know for some time that they planted a key logger or stole files. Your discovery may only occur when they try to blackmail you or use the information in a smear campaign against the firm or specific employees.

Protecting Your Organization

Another publication, the 2019 Data Exposure Report from Code42, provides suggestions for organizations to better protect themselves from harm. The report draws its conclusions from the 1,643 respondents to the 2019 Data Exposure Report.

  1. Require employees and contractors to use company email and social media accounts to share company data. The survey revealed that 43 percent of employees use a personal email address and 31 percent use social media to share company data. They should use company communications to share information. They can retweet/repost the information from their personal account which helps the company’s branding, too.
  2. Institute a user education program that teaches users the dangers of clicking on links in emails that they do not recognize or links that seem questionable. Between 43 and 49 percent of survey respondents admitted to having clicked on links in phishing emails or in messaging that they should not have. The result was an infected computer system.
  3. Educate employees about the seemingly innocuous activities that can lead to data breaches. About half of the 38 percent of respondents who reported a data breach in the 18 months prior to the survey said an employee action caused the breach.
  4. Author strict business processes for your organization and specific workflow with a clear emphasis on security awareness. Lock this in by using workflow software that tracks the use and ensures that all employees use the software to accomplish the work. Of the respondents, 77 percent stated that employees sometimes used any software or process they saw fit to do the work, putting the organization’s security in jeopardy in the process by flouting “data security protocols or rules.”
  5. Institute a data protection plan to block employees from saving files to personal flash drives or cloud services. All work should take place in the company cloud and via organizational emails. Departing employees often take data and files with them, according to the survey respondents, 63 percent of whom admitted they had taken data from past employers. More than a third say colleagues did the same.
  6. Have employees sign a loyalty oath and a work for hire statement. Have independent contractors sign a work for hire statement. One of the reasons survey respondents stated they felt they could take the data and files was the feeling of personal ownership of projects they had. More than 70 percent agreed with the statement, “It’s not just corporate data; it’s my work and my ideas.”
  7. Transparency makes all the difference in your new insider threat program. Rather than a covert program, use honesty. Explain to employees the risks and why you will implement the program. Understand well before you create it the difference between employees and independent contractors. You may not legally observe the activities or work of an independent contractor nor can you mandate the software or workflow they use. To do so would violate Internal Revenue Service rules and codes, putting you at risk of tax evasion of payroll taxes. Independent contractors retain their total privacy, set their own hours, work on their own computers and servers. Any observation of their work process violates privacy laws. Setting their hours or work means or processes, etc. violates labor laws. Consult an attorney before you create any program or define work processes.

Insider events can result in more serious damage than an outside hacker. You can easily protect yourself and your organization, though, using the right processes, procedures, and a transparent threat program. Provide employees with awareness training and security training so those with physical access understand the importance of following proper procedures. Consulting with your attorney can help you comply with the law in relation to what you can mandate for employees versus contractors. You can protect your sensitive data using threat programs that track user behavior. Train security teams in incident response to deal efficiently with both negligence and malicious intent. Your security program should include behavior analytics and access management.
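
As an added example (not from the original article or from Code42), here is a sketch of the user-behavior tracking described above: it reads constructed data-movement events and queues for review the users who moved data through the channels the list warns about (personal email, social media, flash drives, personal cloud), with departing employees first. The event fields, channel names and domains are assumptions to be mapped onto your own DLP or proxy logs.

```python
from collections import defaultdict

# Assumed policy values for this sketch; none of them come from the article.
PERSONAL_MAIL_DOMAINS = {"mail.test"}          # constructed webmail domain
UNSANCTIONED_CHANNELS = {"social_media", "removable_media", "personal_cloud"}

# Constructed sample events (not real data). "departing" marks users who
# have given notice, since the article notes departing staff often take data.
SAMPLE_EVENTS = [
    {"user": "alice", "channel": "email", "dest": "bob@example.com", "bytes": 20_000, "departing": False},
    {"user": "alice", "channel": "email", "dest": "alice.home@mail.test", "bytes": 4_000_000, "departing": False},
    {"user": "carol", "channel": "removable_media", "dest": "USB-01", "bytes": 900_000_000, "departing": True},
    {"user": "carol", "channel": "personal_cloud", "dest": "drive.test", "bytes": 50_000_000, "departing": True},
    {"user": "dave", "channel": "company_cloud", "dest": "files.example.com", "bytes": 10_000_000, "departing": False},
]

def is_unsanctioned(event):
    """True when data leaves through a channel the policy does not allow."""
    if event["channel"] == "email":
        # Only mail to a known personal webmail domain is flagged here.
        domain = event["dest"].rsplit("@", 1)[-1].lower()
        return domain in PERSONAL_MAIL_DOMAINS
    return event["channel"] in UNSANCTIONED_CHANNELS

def summarize(events):
    """Aggregate unsanctioned transfers per user: count, bytes, channels."""
    report = defaultdict(lambda: {"events": 0, "bytes": 0, "channels": set(), "departing": False})
    for ev in events:
        if not is_unsanctioned(ev):
            continue
        row = report[ev["user"]]
        row["events"] += 1
        row["bytes"] += ev["bytes"]
        row["channels"].add(ev["channel"])
        row["departing"] = row["departing"] or ev["departing"]
    return dict(report)

def review_queue(events):
    """Order users for review: departing staff first, then by volume moved."""
    rows = summarize(events)
    return sorted(rows, key=lambda u: (not rows[u]["departing"], -rows[u]["bytes"]))

if __name__ == "__main__":
    rows = summarize(SAMPLE_EVENTS)
    for user in review_queue(SAMPLE_EVENTS):
        print(user, rows[user])
```
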
