I’ve often written on this blog that employees are the first line of defense against attack and that they should be treated accordingly. But the sad truth is that a significant proportion of security incidents are the result of insider threats. Insiders already hold legitimate access to sensitive data, so they never need to breach a perimeter the way an external attacker does, and once an organization has solid controls against external threats, insiders become its largest remaining risk.
“While small businesses may consider themselves too small to be targets, almost all businesses have documents that are considered sensitive – like customer data or business information they want to keep from competitors,” said Kamal Shah, senior vice president of products and marketing at Skyhigh. “Small businesses are much less likely to have a chief information security officer or other form of IT security leadership. They’re also less likely to have a plan of action in place to respond to a data breach.”
The key to mitigating the risks posed by insider threats is to understand their motivations and implement processes that make it as difficult as possible to exfiltrate sensitive data.
What Are The Motivations Of Insider Threat Actors?
First, the obvious: the motivation is often money or some other form of personal advantage. If your company stores sensitive data, trade secrets, or valuable intellectual property, dishonest employees, if given the opportunity, will seek to leverage the data they have access to for their own advantage.
The second major motivation is more difficult to predict and manage. Many insider threats are the result of employees with a grudge, terminated contractors and employees, and others who have developed a personal animus towards the company.
Mitigating The Risks Of Insider Threats
It’s difficult to contemplate the idea that the people you see every day at work may be a threat to your business, but managers and system administrators should at least consider the possibility. There’s a fine line to be observed here: excessive paranoia can lead to the creation of disgruntled employees who view a company’s lack of trust as just cause for disloyalty. Nevertheless, implementing sensible precautions should be part of any business’s security strategy.
Be Transparent about Security Expectations
It’s vital that employees understand security and the part they have to play in it. Often, making all employees and contractors aware of the security procedures that are in place is enough to discourage anyone who might be tempted to steal data.
Listen To Employees
Many of the threats presented by employees come about as a result of incompetence or misunderstanding rather than malice. For example, a major vector of internal threats is unilateral adoption of tools outside of IT’s purview by employees attempting to improve their productivity. This can take the form of anything from copying data to a thumb drive to take home to the use of unsanctioned cloud or mobile apps.
Listen to employees about productivity concerns and the effectiveness of the tools the business provides. But be sure to make them aware of the serious consequences of uploading proprietary data to third-party devices and services.
Make It Difficult To Enact Internal Threats
There is a long list of potential security measures companies can implement to mitigate the risk posed by internal threats: strong authentication, logging of who accessed which data and when, monitoring for suspicious network activity (such as large transfers to external services or activity from accounts that should have been disabled), and encryption of sensitive data at rest and in transit all have their part to play.
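As an added illustration of the monitoring measures listed above (this is example code, not code from the original post), the following Python runs four simple insider-threat checks over a handful of constructed audit log lines: activity by an account that should already have been disabled (the terminated-contractor case), data access outside working hours, bulk download volume per user per day, and uploads to destinations outside an allow-list (the unsanctioned cloud app case). The log format, field names, user names, domain names and thresholds are all assumptions made for this example.

```python
"""Toy insider-threat detection over constructed audit log lines.

Added example, not part of the original post. The log format, field names,
thresholds and the sanctioned-domain list below are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). Assumed format, one event per line:
# <ISO timestamp> <user> <action> <object> <bytes> <destination or ->
SAMPLE_LOG = """\
2024-03-04T09:12:03 alice download customers.csv 120000 -
2024-03-04T09:40:10 alice download pricing.xlsx 80000 -
2024-03-04T23:55:41 bob download customers.csv 120000 -
2024-03-04T23:56:02 bob download contracts.zip 950000000 -
2024-03-04T23:58:30 bob upload contracts.zip 950000000 personal-share.example
2024-03-05T10:02:11 carol upload roadmap.pdf 4000000 drive.corp.example
2024-03-05T10:15:45 dave download customers.csv 120000 -
"""

# Assumed reference data: accounts HR has marked as terminated, the storage
# destinations IT sanctions, a per-user daily download threshold, and the
# local working hours (07:00 to 19:59).
TERMINATED = {"dave"}
SANCTIONED_DOMAINS = {"drive.corp.example"}
BULK_BYTES_PER_DAY = 500_000_000
WORK_HOURS = range(7, 20)


def parse_line(line):
    """Split one log line into a dict with a real datetime and integer byte count."""
    ts, user, action, obj, nbytes, dest = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "object": obj, "bytes": int(nbytes), "dest": dest}


def detect(log_text, terminated=TERMINATED, sanctioned=SANCTIONED_DOMAINS,
           bulk_threshold=BULK_BYTES_PER_DAY):
    """Return a list of (rule, user, detail) findings, one per rule trigger.

    Rules:
      terminated_access   - any activity by an account that should be disabled
      after_hours         - data access outside WORK_HOURS
      bulk_download       - per-user, per-day download volume above threshold
      unsanctioned_upload - upload to a destination not on the sanctioned list
    """
    findings = []
    daily_bytes = defaultdict(int)  # (user, date) -> bytes downloaded
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        if ev["user"] in terminated:
            findings.append(("terminated_access", ev["user"], ev["object"]))
        if ev["ts"].hour not in WORK_HOURS:
            findings.append(("after_hours", ev["user"], ev["ts"].isoformat()))
        if ev["action"] == "download":
            daily_bytes[(ev["user"], ev["ts"].date())] += ev["bytes"]
        if ev["action"] == "upload" and ev["dest"] not in sanctioned:
            findings.append(("unsanctioned_upload", ev["user"], ev["dest"]))
    # Volume rule is evaluated after the pass, once each day's total is known.
    for (user, day), total in daily_bytes.items():
        if total > bulk_threshold:
            findings.append(("bulk_download", user, f"{day} {total} bytes"))
    return findings


def flagged_users(findings):
    """Set of users named in at least one finding."""
    return {user for _, user, _ in findings}


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:20} {user:6} {detail}")
```

Run against the constructed log, only bob (after-hours bulk download followed by an upload to an unsanctioned share) and dave (activity on a terminated account) are flagged; alice and carol, whose activity is during working hours and goes to a sanctioned destination, produce nothing. The termination check is only as good as the feed from HR offboarding into the identity system, which is why the page's point about terminated contractors belongs on the process side as much as the technical one.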
The FBI recommends that companies implement a non-threatening and convenient channel for employees to report potential security violations. One of the best ways to do this is with anonymous reporting, although managers have to be responsible with and skeptical of information provided through anonymous channels, for obvious reasons.
Mitigating the risk of internal threats is, in many ways, more difficult than mitigating external threats, but the prevalence of employee and contractor data theft should make internal threat mitigation a primary concern.
Image: Flickr/Dean Hochman