Most security-minded professionals think of a cybersecurity threat as originating outside the organization. But one of the most potentially damaging threats to your organization comes from insiders: people you trust. Insiders have authorized access to many of the corporate (or government) crown jewels. What’s worse is they know what and where those jewels are.
Consider this scenario: Your employee thinks he’s earned a promotion but is not selected. He decides the easiest way to get ahead is to go work for a competitor. Weeks before he turns in his notice, he copies your entire proposal archive to a thumb drive, and takes it with him to his new employer. Your competition now knows your pricing, your sales strategy, and your product roadmap.
Unfortunately, there are numerous real-world examples like this across industries. Theft of business strategy is just one threat that is universal in the corporate and manufacturing worlds. Specific industries like banking and finance have added insider threats such as financial fraud because opportunity may exist where someone is motivated to act. Carnegie Mellon University is working with the U.S. Computer Emergency Response Team (CERT) to analyze known insider threat cases in an effort to draw attention and understanding of motivation and opportunity and to help communicate important risk factors.
An active insider threat risk management program should be an integral part of security for every organization, and may be required if your organization does work with the U.S. federal government. Among the most critical steps to include in such programs are:
- Assessing current vulnerabilities and weaknesses
- Establishing effective insider threat-related documentation, policies and procedures
- Creating an insider threat steering committee that addresses and manages potential insider threat occurrences
- Encouraging information sharing between functional areas (e.g., human resources, security, legal, etc.)
- Training your workforce to recognize behaviors that are red flags for insider threats, and educate them on enterprise policies
- Deploying a comprehensive IT tool set with capabilities to recognize potential data loss scenarios, prevent the most common exfiltration activities and alert relevant personnel
- Investing in predictive analytics that can take streams of data from network monitors, physical security devices and (perhaps most importantly) human resources (HR) actions and use them to identify employees who are at highest risk for insider threat activities
- Measuring the effectiveness of the program by gathering concrete metrics on activities such as policy violations, data leakage events and even sabotage.
It’s important to understand that tools and technologies are only a small part of the overall process. Insider threats are human in nature, and require human intervention. Involving your HR and legal departments in all stages of the insider threat program will help you understand and prepare for the human element. It will also put HR in a position to help you identify at-risk employees before they take action, which means you can intervene with counseling and other assistance so the risk never escalates into an incident.
An insider threat program can’t be turned on in a day. It takes time to mature a program and attention to persevere and protect it. No one wants to think their trusted and valued employees are a threat and most are not. However, even long-time employees can turn sour if they think the company has done them wrong, and then take out their frustrations in very damaging ways.
An ounce of prevention is worth much more than a pound of cure. The good news is, a little vigilance and preparation can go a long way to mitigating the risk.