Research has shown that when it comes to cybersecurity in organizations, your people are your greatest risk. (A 2016 IBM study, for example, attributed 60% of all breaches to insiders.) These aren’t cybercriminals. Usually they aren’t even disgruntled ex-employees looking for revenge. In most cases they’re just regular folks whose unintentional actions are a threat to the security of your information and processes. If you’re wondering how to safeguard your operations from the inside, here are the four steps we recommend you take.
For the sake of this article, we’ll use the definition of “insider” that Dtex does in its 2019 Insider Threat Intelligence Report: an employee, contractor, vendor or partner with access to corporate data, systems, applications and devices.
STEP 1: Educate your people.
The 2019 Dtex insider threat report I linked to above states that almost two-thirds (64%) of insider security breaches are caused by human error or careless behaviour, not malicious intent. That means one of two things: people don’t know what’s expected of them, or they’re choosing to ignore expectations because those expectations make it hard for them to get their work done. People will use insecure file sharing services, a personal cloud or email service, and insecure networks when working remotely, for example, because they don’t understand the risk this behaviour poses to the organization.
Education of new employees can help make expectations clear, including the “why” behind the policies. This is particularly important for younger employees who are new to corporate culture and often assume they should be able to get online access to everything from everywhere. Ongoing cybersecurity refreshers for employees are also important, since new devices, scenarios and threats require an ever-evolving response. Don’t forget to train any contractors, freelancers, vendors and partners who can access your systems. Because they’re often off-site and using their own devices, they can be a key source of unintended security breaches.
STEP 2: Monitor behaviour.
User behaviour analytics, often offered by third-party companies such as Dtex and Endera, can be used to monitor an individual’s behaviour on particular devices and systems. This intelligence can reveal individuals who mean to do the company intentional harm—those who have expressed dissatisfaction, are looking for another job or suspect their imminent termination or layoff, for example. However, since most insider security threats are from people who just don’t know better, you can also monitor everyone’s behaviour to look for risky activity.
However, the power of these programs to give insight into people’s activities must be balanced with a need to respect privacy. No one wants to feel like they work for Big Brother or to feel guilty before proven innocent. There can be significant costs to corporate culture if monitoring isn’t done responsibly and in conjunction with programs that support employee education and “doing the right thing.”
STEP 3: Safeguard your systems.
Continue the good work you’re already doing to deter and detect security breaches. Ensure your most valuable systems and data are given the most rigorous controls and monitoring. Institute data loss prevention, data encryption, and mobile and cloud security controls. Manage access to data. Apply security patches. Enforce high standards for passwords. Ensure you have intrusion prevention and detection. Inventory your devices, including such items as external hard drives and USB keys, and keep track of who has what so you know what to recall when someone is no longer affiliated with your company.
STEP 4: Take a look at your procedures.
Human Resources plays a role here, too. Background checks should be required as part of your hiring processes. Your HR policies should encourage early and constructive resolution of employee grievances. You should actively protect whistleblowers. Finally, retrieve company devices and remove access to company systems as soon as possible after an employee leaves your organization or a relationship with a contractor, vendor or partner has ended.
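Steps 2 and 4 come together in practice as a simple check: compare activity logs against the HR roster to surface the careless behaviour described in Step 1 (uploads to personal cloud or email services) and accounts still active after an affiliation has ended. The following is an added example, not code from this post or from any vendor mentioned in it; the roster, the list of personal services and the log lines are all constructed for illustration.

```python
"""Constructed example: flag two kinds of insider risk from access logs.

1. Uploads to personal cloud/email services (careless, not malicious).
2. Activity by accounts whose owner's affiliation has already ended,
   i.e. access that should have been revoked at offboarding.
"""
from datetime import date

# Hypothetical HR roster: user -> (relationship, affiliation end date or None).
ROSTER = {
    "alice": ("employee", None),
    "bob": ("contractor", date(2019, 9, 30)),
    "carol": ("vendor", None),
}

# Personal cloud/email destinations treated as risky for uploads (constructed list).
PERSONAL_SERVICES = {"drive.google.com", "dropbox.com", "mail.yahoo.com", "wetransfer.com"}

# Constructed proxy-style log lines: date user action destination bytes
LOG_LINES = """\
2019-10-02 alice UPLOAD sharepoint.corp.example 2048
2019-10-02 alice UPLOAD dropbox.com 734003200
2019-10-03 bob LOGIN vpn.corp.example 0
2019-10-03 carol UPLOAD mail.yahoo.com 5120
2019-10-04 dave LOGIN vpn.corp.example 0
"""

def parse(line):
    """Split one log line into a dict with a real date object."""
    d, user, action, dest, nbytes = line.split()
    y, m, day = (int(x) for x in d.split("-"))
    return {"date": date(y, m, day), "user": user, "action": action,
            "dest": dest, "bytes": int(nbytes)}

def find_risks(log_text, roster, personal_services):
    """Return (user, finding, destination) tuples in log order."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse(raw)
        user = ev["user"]
        if user not in roster:
            # Activity from an account HR does not know about: check the inventory.
            findings.append((user, "unknown-account", ev["dest"]))
            continue
        _, ended = roster[user]
        if ended is not None and ev["date"] > ended:
            # Relationship ended but access was not revoked (Step 4).
            findings.append((user, "access-after-offboarding", ev["dest"]))
        if ev["action"] == "UPLOAD" and ev["dest"] in personal_services:
            # Likely careless data movement, a training opportunity (Step 1).
            findings.append((user, "personal-service-upload", ev["dest"]))
    return findings

if __name__ == "__main__":
    for finding in find_risks(LOG_LINES, ROSTER, PERSONAL_SERVICES):
        print(finding)
```

In a real deployment the roster would come from the HR system and the destination list from your DLP policy; the point is that an offboarding date that never reaches the access logs is itself a finding.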
One last point. When we talk about “insider risk” I often worry that we’re promoting images of malevolent employees being paid by someone on the dark web to steal your company’s intellectual property. This is rarely the case, and our insider security approaches should reflect this. Most people are well intentioned. We should actively support them to do what’s right, rather than create a culture of fear and suspicion, if we really want to protect our organizations from the inside.