Businesses are increasingly waking up to the insider threats that pose a significant risk to data and business security.
A recent survey of security professionals conducted by Intel and McAfee found that internal individuals were responsible for 43% of all serious data breaches experienced by their businesses. Of these, just over half (22% of the total) were caused by intentional, malicious actors; the rest (21% of the total) were caused unintentionally. 68% of these breaches were serious enough to have a negative financial impact or require damaging public exposure.
Additionally, the 2015 U.S. State of Cybercrime Survey found that 45% of respondents believed the damage they received from insider attacks was more severe than those that originated outside the organization. Although a data leak caused by an inside threat has much the same effect as an outside hack – information ends up where it shouldn’t, and your business is subject to fines and remediation costs – the result can be worse. The perpetrators often have significant access and the ability and knowledge to do more damage to your business than outside attackers. In the case of employees with a personal grudge, they may also be more motivated.
The other key difference between insider and outside threats comes in how you prepare for and prevent the threat. With almost half of all these threats caused accidentally, training and procedures take on a new importance in protecting your organization. Non-IT roles, such as HR and management, also have a bigger role to play, since the threats are employees and team members within your organization. Sometimes a threat will be averted by an eagle-eyed employee noticing odd behavior, rather than through examining server logs.
What Threats Are You Up Against?
Insider threats cover a broad range of different activities and can come from anyone in your organization. The crimes are not necessarily technically sophisticated in nature and do not have to come from someone in your IT department: the cleaner who steals a laptop and sells your data can be just as damaging as the disgruntled IT professional who steals data from your servers.
Broadly speaking, malicious attacks will fall into three categories:
- Theft of data – including customer data and intellectual property.
- Acts of sabotage – in which insiders misuse your own IT to hurt your business.
- Fraud – in which your data is modified, changed or stolen for that individual’s own profit – such as in the case of credit card fraud.
Unintentional threats are similarly diverse:
- Losing physical records and equipment – including negligent behavior that results in them being stolen.
- Accidental disclosures – in which information is given to the wrong people, either by email, mail, or personal communication.
- Succumbing to social scams (phishing) – when access or information is gained by an outside individual under false pretenses.
Protecting Your Business Against Insider Threats
Most insider threats are preventable with the right training and procedures. This guide, of which you are reading part 1 (part 2 will be published in the coming days), provides essential steps that will help prevent insider attacks in your organization.
1. Establish a Cross-Departmental Team Responsible for Implementing Your Insider Threat Security Policy
Protecting your organization from insider threats goes far beyond your IT team, often requiring information and input from HR, Legal, IT, Data Owners, Security, and Senior Management.
Organizations face two main challenges in this area. The first is the incorrect assumption that your IT team has total responsibility for data security, when a cross-departmental effort is far more effective. The second is that many departments hold information that could be useful for detecting and preventing insider attacks, but that information is stuck in silos and not shared.
The solution is to form a team representing several departments who together share information and take responsibility for updating and implementing your insider threat security policy.
The benefits of such a team are clear. Consider the following example: an employee’s behavior is brought to the attention of HR, who discover that he is under extreme financial hardship and stress due to his spouse’s recent job loss. The employee is in a position that enables him to access credit card information that could be either sold or used fraudulently, so the consequences of an attack are very high. In response, the insider threat team examines his current and past activity to ensure that there is no evidence of wrongdoing.
Without a team sharing information, this risk may not have been uncovered. Of course, proper procedures must be put in place by HR and legal to ensure that confidentiality and privacy are assured, since many potential risks will never develop into true threats.
- Break down silos by creating a cross-departmental team responsible for responding to insider threats.
- Your team should ensure compliance with your security policies at all times and in all areas of the business.
- Provide a confidential system that allows whistleblowers to raise concerns.
- Work with HR and legal to protect the privacy and rights of any individuals suspected of being an insider threat.
- Prepare for future data leaks and put that plan into action should a threat materialize.
- Coordinate security training across the organization.
2. Work with HR to Reduce Risk Through Effective Training and Recruitment
Insider threats are unique in that they are (intentionally or not) created by your co-workers. This makes your HR department a very important part of protecting your organization, as they are the team most likely to be informed if someone starts acting out of character or is experiencing personal circumstances that might make them a higher risk to your organization. This unique role played by HR can protect your business through the employee’s complete lifecycle at your business – during the hiring process, through their career, and during the leaving process.
HR’s role begins during the hiring process, when they should be using background checks to verify the candidate’s identity and past employment (including for any competitors, which could increase the risk of corporate espionage), check their credit (money problems could increase the risk of fraudulent behavior), and check for any criminal convictions.
Once an employee has been hired, HR provides two main functions relating to data security. The first is to ensure, in conjunction with management and IT, that employees follow the security policy and are strongly encouraged to improve if they fall short. It is important that small breaches and bad habits are not overlooked, since this will only encourage employees to continue to flout policy.
The second function is to report on behavior that indicates an increased risk of becoming an insider threat. This behavior may be linked to an employee’s personal circumstances, their attitude towards work, or how they interact with their colleagues.
Finally, HR has an important role to play in coordinating the transition of staff members from employment to post-employment and ensuring their access to secure data is removed. Depending on the circumstances of the employee leaving and the data they have access to, their permissions may need to be removed before the departure itself, to prevent any chance of an act of retribution. It is not uncommon for departing employees to be escorted by security to ensure the safety of the business.
- Use the unique skills and knowledge of HR to spot and prevent insider threats.
- Use background checks and the interview process to check for possible signs a person may be a risky hire.
- Check local law before conducting background checks – you may be legally obligated to inform the interviewee that you are doing so.
- HR professionals must ensure that security policies are followed and bad habits are discouraged.
- Coordinate with IT to ensure post-employment employees do not pose a risk.
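One way IT can act on the last point above (and verify that the access removal HR coordinates has actually happened) is a periodic reconciliation between HR’s roster and the directory’s enabled accounts. The following is an added example written for this guide, not code from the original article; the two CSV layouts, their column names and the sample rows are constructed for illustration, and the 14-day “leaving soon” window is an assumed review period.

```python
"""Leaver/orphan account reconciliation (illustrative, constructed data).

Assumed inputs (not a real product format):
  * an HR roster export with employee_id, name, status, termination_date
  * a directory export with account, employee_id, enabled, last_login
Findings produced:
  * leaver_still_enabled : enabled accounts whose owner HR marks terminated
  * login_after_leaving  : such accounts that were also used after the
                           termination date (worth an incident ticket)
  * orphan_enabled       : enabled accounts with no HR record at all
  * leaving_soon         : accounts whose owner leaves within notice_days,
                           so permissions can be reviewed before the date
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster: one terminated employee still has an enabled account.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
E100,Alice Example,active,
E101,Bob Example,terminated,2016-03-01
E102,Carol Example,active,2016-03-20
E103,Dan Example,terminated,2016-02-10
"""

# Constructed directory export: svc_backup has no employee behind it.
DIRECTORY_CSV = """account,employee_id,enabled,last_login
alice,E100,true,2016-03-14
bob,E101,true,2016-03-12
carol,E102,true,2016-03-15
dan,E103,false,2016-02-09
svc_backup,,true,2016-03-15
"""


def parse_csv(text):
    """Parse a CSV export held in memory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value):
    """Return a date for an ISO string, or None for an empty cell."""
    return date.fromisoformat(value) if value else None


def reconcile(roster_csv, directory_csv, today, notice_days=14):
    """Compare the HR roster with directory accounts and return findings.

    Only enabled accounts are examined: a disabled account is already in
    the state the leaving process should leave it in.
    """
    roster = {row["employee_id"]: row for row in parse_csv(roster_csv)}
    findings = {
        "leaver_still_enabled": [],
        "login_after_leaving": [],
        "orphan_enabled": [],
        "leaving_soon": [],
    }
    for acct in parse_csv(directory_csv):
        if acct["enabled"].strip().lower() != "true":
            continue
        employee = roster.get(acct["employee_id"])
        if employee is None:
            # No owner in HR: service account or leftover from an old hire.
            findings["orphan_enabled"].append(acct["account"])
            continue
        term = parse_date(employee["termination_date"])
        last_login = parse_date(acct["last_login"])
        if employee["status"] == "terminated" or (term and term <= today):
            findings["leaver_still_enabled"].append(acct["account"])
            if term and last_login and last_login > term:
                findings["login_after_leaving"].append(acct["account"])
        elif term and term <= today + timedelta(days=notice_days):
            findings["leaving_soon"].append(acct["account"])
    return findings


if __name__ == "__main__":
    for category, accounts in reconcile(
        HR_ROSTER_CSV, DIRECTORY_CSV, date(2016, 3, 15)
    ).items():
        print(f"{category}: {', '.join(accounts) or '-'}")
```

Run against real exports, the `leaver_still_enabled` and `orphan_enabled` lists are the ones to close out immediately; `leaving_soon` is the input for the pre-departure permission review the section describes, and `login_after_leaving` is the signal that the insider threat team, not just IT, should look at.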
3. Don’t Forget Physical Security
With so much emphasis put on protecting businesses against hacking, it can be easy to forget that physical security is just as important for your information security as your firewalls and passwords. The information held on your servers, laptops, tablets, smartphones, and USB drives is all easier to extract with physical access, and physical documents are particularly vulnerable.
Physical security is made harder by the fact that most facilities are designed with functionality in mind, with security rarely being a design priority. Just because someone is employed doesn’t mean they should have physical access to every asset the company owns. Smart cards can provide access security, although as these can be hacked or cloned, they should not be your sole defense. CCTV and a well-trained staff team who know to look out for suspicious behavior will go a long way to preventing physical threats.
- Ensure only appropriate employees have physical access to servers and computers holding valuable data.
- Use CCTV to protect sensitive areas.
- Provide employees with lockable filing cabinets for storing data and IP.
- Discourage employees from taking home unsecured USB drives or documents that could be lost or stolen.
Continue Reading Part 2 Of Our Essential Guide To Discover Five More Ways to Protect Against Insider Threats in the coming days.
Also published on Medium.