Insider Threats Remain as Dangerous as Ever

Don’t talk to strangers. It’s the biggest lesson taught to children, but it’s a lesson forgotten by many adults when they’re on company time.

As grown-ups, we take personal safety seriously. We don’t walk down dark alleys or open the front door of our home before knowing who’s on the other side. So, when it comes to company safety, why don’t we think to guard our company assets with the same mindfulness as we do in our personal lives?

Organizations continue to grapple with this question, albeit with varying degrees of success. A recent report from Haystax titled, “Insider Attacks: 2017 Insider Threat Study,” found that privileged users, including managers with access to sensitive information, are the biggest insider threats to their organization. Contractors and consultants finished a close second with regular employees bringing up third place.

The Haystax report is based on a survey conducted by the Information Security Community and Crowd Research Partners of participating members from over 300,000 organizations. It found clear evidence of a growing problem; some 56% of those polled thought insider attacks had become more frequent in the previous 12 months.

The findings make for grim reading, particularly in light of the sometimes-extensive investments made by company security officers to promote better cyber hygiene. One clear takeaway is that employees and contractors need to be better trained to take precautions and to pay closer attention to the basics.

These include knowing not to do any of the following:

• Click on links in emails sent from strangers.
• Click on links that look strange even though they’re from colleagues.
• Plug an unknown thumb drive or device into a work computer.
• Sit in public where a stranger can see company data on a computer or smart device.
• Talk about company business where people outside the company can hear.
• Talk in front of smart devices (Internet of Things) that are easily hacked to listen in.
• Access the company network with an unsecured device.

In certain cases, the employee or contractor in question turns out to be a malicious insider intent on trying to steal or corrupt company data. The 2017 U.S. State of Cyber Crime report by CSG shows that around 50% of organizations experience at least one malicious insider incident per year.

Reduce Your Risk: Here’s How

Here’s what organizations that have registered success fighting insider threats are doing to minimize the risk.

1. Employee training that is engaging and easy to remember is critical. Technology develops by leaps each year and so must your employee security training. Keep an eye on the threat landscape and share the learning with your employees in language that is easy to understand. Though your employees work in the tech industry, not all of them have technical backgrounds they can call on to disseminate complicated, technical information.
    
2. Understand the risk of social media. The same rules apply when clicking links in social media channels as they do in email. An employee might share a link that carries misinformation or malware because a friend or colleague shared it. Create a list of company-sanctioned social media channels. Then create policies around how employees are allowed – and not allowed – to use them.
    
3. Perform risk assessments to determine your organization’s most vulnerable systems. It will help mitigate threats. It isn’t easy, and is often outside a company’s budget, to put strong security measures everywhere. Instead find the systems that need the strongest security. For example, does your company need strong two-factor authentication so stolen credentials can’t be used? Can employees download sensitive data and leave with it on any device? Or is sensitive information behind a wall where an employee must be on a secure system to check out, rather than download, the information.
    
4. Create a baseline of employee activity, so any unusual behavior can be flagged early. For example, when an employee is logging into a system he doesn’t usually log into for his work. Or tracking when an employee is accessing company systems during unusual hours of the day or weekend. Or seeing that an employee is accesses areas of the company with his badge that do not pertain to his job duties. Any of these can be early warning signals of a potential malicious insider threat.
    
5. Tell employees that if they see something, say something. It’s tough for colleagues to report on fellow colleagues, yet it should be the duty of every employee to safeguard the company against a threat, whether through suspected negligence or a malicious act. Create a process for reporting potential threats that employees feel safe to use – either through a secure channel or even a way to leave an anonymous tip.

The best employees can still make the worst mistakes. It doesn’t make them bad workers, especially if they weren’t trained to understand what stranger danger looks like inside and outside their office doors. Malicious insider threats can also be mitigated with system measures and company policies that actively monitor and report on unusual behavior.

Guarding against insider threats need not be the equivalent of Mission Impossible. But it does take leadership pushing a strong company-wide mission to meet the mounting challenges posed by threats that start from the inside.