Insider threats may be the biggest – and least addressed – cyber risk facing organisations today. A malicious or simply careless insider can quickly expose a company’s confidential data and valuable trade secrets, undermining its competitive advantage, damaging its brand and even endangering other employees.
The phenomenon is likely hugely under-reported, because most firms want the problem to quietly go away and avoid bad publicity. Leadership worries: “What does it say about our company that our own people are a threat?” On top of this, companies have had limited means of protecting themselves.
For most of business history, risk mitigation has involved one-time background checks and company policy education for new hires, and then crisis response, whether that’s responding to employee concerns or a data leak caused by an insider.
Even so, the reported numbers are high. At least 43% of data loss is due to insiders, Intel Security recently reported. Some data loss is caused by actors with malicious intentions, as in the case of GlaxoSmithKline, in which insiders are accused of stealing cancer research to sell to China.
Some of it is more opportunistic, as in the case of employees using a past employer’s intelligence to get ahead at a new job. A survey by Symantec found that half of employees admit to taking corporate data when they change jobs, with 40% saying they plan to use the information at their new organisation.
Additionally, some insider-caused data loss is inadvertent and careless – for example, in the case of employees falling prey to phishing scams. And some even happens at the behest of outsiders. Criminal gangs now actively seek out and exploit vulnerable insiders, such as those with addiction or financial problems.
Attackers are also gathering publicly available information – on social media sites for example – and targeting employees with advanced access privileges in an organisation’s network, like those in legal, payroll and HR. They then attempt to gain access to their companies’ systems and commit larger frauds.
Effectively reducing all types of insider cyber risk chiefly involves setting up a proactive program that can prevent destructive events in the first place. This depends on identifying and defusing at-risk insiders before they reach crisis point.
Unlike external cyber threats, where an attack is nearly inevitable and resilience stems from preventing escalation, insiders who pose threats can be exposed before they act on their impulses. Huge progress in the field of big data analytics has made this possible.
Here’s how it works: insiders who engage in malicious or non-malicious behaviour often signal it in advance through their choice of language. By analysing employee communications algorithmically in bulk, with the right psychologically proven detectors in place, a company can flag individuals who are disgruntled or under extreme mental stress, and can measure changes in emotion, attitude and personality over time. All of this can be done within the guidelines of EU data privacy law and ethical practice.
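As an added illustration (not code from the article or from Stroz Friedberg), this Python sketch shows the change-over-time idea described above: each pseudonymised writer is scored against their own early baseline rather than a company-wide norm, and only identifiers that cross a threshold are surfaced for human review. The lexicon, its weights and the sample messages are constructed placeholders, not a validated psychological detector.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed toy lexicon (hypothetical weights); a deployment would use validated
# psycholinguistic detectors rather than a hand-written word list.
STRESS_TERMS = {"furious": 2.0, "unfair": 1.0, "ignored": 1.0, "revenge": 3.0,
                "useless": 1.0, "overlooked": 1.0, "humiliated": 2.0}

def stress_score(text):
    """Weighted stress-term hits per 100 words; 0.0 for empty text."""
    words = [w.strip(".,!?;:").lower() for w in text.split()]
    if not words:
        return 0.0
    return sum(STRESS_TERMS.get(w, 0.0) for w in words) / len(words) * 100

def flag_drift(messages, baseline_days=3, threshold=2.5):
    """messages: iterable of (pseudonym, day_index, text). Each person is compared
    only with their own first `baseline_days` of activity, so a habitually blunt
    writer is not flagged for being blunt. Returns {pseudonym: (first_day, z)}."""
    daily = defaultdict(lambda: defaultdict(list))
    for pid, day, text in messages:
        daily[pid][day].append(stress_score(text))
    flagged = {}
    for pid, days in daily.items():
        ordered = sorted(days)
        if len(ordered) <= baseline_days:
            continue  # not enough history to establish a personal baseline
        base = [mean(days[d]) for d in ordered[:baseline_days]]
        mu, sd = mean(base), max(pstdev(base), 1.0)  # floor stops a near-zero sd amplifying noise
        for d in ordered[baseline_days:]:
            z = (mean(days[d]) - mu) / sd
            if z > threshold:
                flagged[pid] = (d, round(z, 2))
                break  # first crossing is enough; the review team takes it from here
    return flagged

# Constructed sample: pseudonymised IDs only, never names or raw mailboxes.
SAMPLE_MESSAGES = [
    ("u1", 1, "Finished the quarterly report, sending it to the team."),
    ("u1", 2, "Meeting moved to Thursday, agenda attached."),
    ("u1", 3, "Thanks for the review comments."),
    ("u1", 4, "I am furious, this is unfair and I am being ignored again."),
    ("u2", 1, "Great job everyone on the launch!"),
    ("u2", 2, "Can someone cover my shift on Friday?"),
    ("u2", 3, "Lunch at noon?"),
    ("u2", 4, "Report attached, let me know if anything is missing."),
]
```

Calling `flag_drift(SAMPLE_MESSAGES)` surfaces only `u1`, on day 4; `u2` stays unflagged because nothing departs from that writer's own baseline.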
But tools are just one part of a larger strategy. If an at-risk individual is identified by machine intelligence, there still needs to be a human team trained in-house to respond to the finding by reviewing other aspects of the individual’s behaviour and determining a response that will defuse, and not inflame, the situation.
It is also important for company leadership to be aware of common 'stressors' that trigger malicious or irrational behaviour by insiders. For example, a redundancy or job-loss can propel an individual who is already on edge to act out, spurring them to steal data for use at a new job or to sell it to competing organisations or even nation-states. By identifying potential 'bad leavers' well in advance, organisations can prepare and take precautionary steps.
A comprehensive insider-threat programme consists of three elements: foundational policies and best practices for protecting valuable company information; a trained multi-disciplinary team including HR executives, security staff and legal professionals who can spot concerning behaviours associated with insider risk and devise appropriate responses; and technology that leverages big data behaviour analytics to detect high-risk individuals by identifying technical and behavioural anomalies. Under the first element, for example, access to highly sensitive information should be tightly limited, and data-loss protection tools that monitor for data exposure should be in place.
Senior executives have woken up to the dangers of hacking and data theft in recent years, but most are still focused on the threat from unknown actors behind computers far away. While such attacks – including the recent increase in ones using ransomware – have generated headlines, for most companies bigger dangers are lurking inside the company and within the companies of third-party partners and service providers. These risks also need to be approached with direct attention and constant vigilance, with effective strategies and tools in place to mitigate them.
When employees walk into their office buildings every morning, they expect to be safe, and that safety can come in many different forms, such as the security of knowing that they work at a financially sound organisation, and the safety of being free from harassment and workplace violence.
The recommendations presented here apply not only to insider cyber risk, but also to nearly all types of insider risk. Business leaders must develop proactive plans to monitor, detect and prevent bad actors within their organisation before they strike, and can do so while acting within the bounds of privacy laws and without creating a culture of paranoia.
It is self-evident that ignoring these risks can result in catastrophic consequences. Arguably, organisations and their leadership have a heightened responsibility, and a greater capacity, to tackle insider threats than external ones over which they have no control.
Sourced from Scott Weber, managing director, Stroz Friedberg