Have you ever considered yourself to be an insider threat?
It’s an uncomfortable thought, but if you have access to sensitive data of any kind, or if your badge gets you into controlled areas of your organization, guess what? You’re an insider threat.
That’s not to say you’re a hostile threat. Quite the opposite, hopefully. But in the landscape of today’s information security concerns, anyone that has access to data is also a threat to that data. Anyone.
That’s means IT and network administrators, human resources, front desk personnel, accountants, even senior executives and business owners. In fact, the more access you have, the bigger the threat you are.
It sounds harsh, but it’s really just a measure of accountability. With that in mind, let’s define the types of insider threats, and then detail what can be done to mitigate them.
Types of Insider Threats
There are two main insider threats organizations must worry about.
The first of which is the most common: the unintentional insider threat. Have you ever clicked “Reply All” on an email when you only meant to respond to a specific person? That’s how easy it is to be an insider threat. Take, for example, an employee for a major aerospace company who accidentally emailed his spouse a file that contained personal information of 36,000 employees.
From making small mistakes to being careless (such as leaving a work laptop in a vehicle that gets stolen) when performing day-to-day functions, the non-hostile insider threat is a top concern for enterprises all over the world.
Then there’s the malicious insider threat. As the name suggests, a malicious insider is one who intentionally leaks or compromises data. Unfortunately, identifying and mitigating malicious insiders is a difficult task, but not an impossible one.
5 Ways to Mitigate Insider Threats
Perform a risk assessment.
This is for senior executives and upper management. It’s your responsibility to know what you have and what it’s worth. Think like a cybercriminal. What do you have that they would want? By performing a risk assessment, you will be able to identify the most valuable assets of your organization and develop a strategy to protect them.
By the way, this is not a one-time thing! Risk assessments should be performed (at least) yearly, if not quarterly, especially as your business evolves with technology and growth.
Train your employees.
If you own a business or are in charge of a security awareness program, it is your job to ensure your employees know what kind of data they handle. Awareness and training will ensure they understand how important it is to keep secrets secret, whether that be business strategies of your organization or personally identifiable information of your customers.
As an end-user, it’s important that you know what constitutes private information and are intimately familiar with the steps necessary to protect the confidentiality, integrity, and availability of that information. This is why data classification is so important. It’s your responsibility to stay alert, think before you click, and verify sources when transferring data.
Routinely audit access privileges.
The principle of least privilege is your best friend. Generally, employees should have the minimum amount of access necessary for them to adequately perform their job functions. And those job functions will change over time. Routinely auditing everyone’s access is key to insulating elements of your network against data breaches.
End-users play a role in this as well. If you feel you’ve been given access to information that you don’t need, speak up! Keep in mind that the more access you have, the more responsibility you have.
Implement a strict password and account management policy.
Passwords are still the first line of defense. As such, your organization will greatly benefit from a password compliance policy that specifically defines how they should be created and how account credentials should be stored.
Common sense tells us that weak and commonly used passwords are a liability. Consider encouraging the use of password managers, replacing standard passcodes with passphrases, and at the very least, require symbols, numbers, and letters.
Develop an incident response plan.
Unfortunately, security incidents happen. How you respond to them could be the difference between a massive breach and a minor infraction. An incident response plan empowers your organization by establishing a set of protocols for identifying, reporting, and resolving security events. Not sure how to set up an incident response plan? Follow these five steps: https://www.thesecurityawarenesscompany.com/2017/01/12/need-incident-response-plan/
Part of your incident response plan should include reviewing how the incident occurred and what can be done to ensure it won’t happen again. Learning from mistakes is a big part of mitigating threats by insiders.
What about malicious insiders?
Unfortunately, if one of your employees has the intent to compromise data in any manner, there’s not a lot you can do to prevent them. But that doesn’t mean you shouldn’t try.
Keep in touch with your end-users. This can be difficult depending on the size of your organization, but it’s imperative that you occasionally interview your employees and gauge their situations. Make “behavior audits” a part of awareness training. Keep it personal. Think of it as an “exit interview” but focused on information security.
Monitor network activity. This is not to spy on your employees but rather to identify and respond to suspicious or disruptive behavior. And encourage employees to speak up if they believe a co-worker is acting erratically. Keep in mind that it’s impossible to eliminate personal issues from spilling over into a work environment. The best thing you can do is be sensitive to it, and teach your employees about the consequences of data breaches, especially when intentional.
In the end, insider threats are mitigated with education. There is no replacement for awareness and common sense. Training your employees to understand the value of the data they access, and the risks they face every day, is the best way to improve your defense against threats, both unintentional and malicious.
And it starts at the top with senior executives. Leading by example is the only way to infuse cybersecurity awareness into the culture of your organization. Those with the highest level of access, after all, are the biggest threats. Lead by example and demonstrate to your employees that no one is above awareness training or following company policy.