Your employees are your company’s weakest link, and therefore, your greatest threat to suffering a cyber-attack and resulting data breach. While employee negligence (that is, employees not knowing or understanding how their actions risk your company’s data security) remains the biggest cyber risk, another is growing and also demands your attention—the malicious insider. In fact, one recent report stated; “malicious insiders are responsible for 27 percent of all cyber crimes.”
Believe it or not, there are actually organizations/hackers who recruit malicious actors. These cyber criminals recruit with the goal of finding insiders to steal data, make illegal trades, or otherwise generate profit. Advanced threat actors look for insiders to place malware within a business’ perimeter security.
There are three types of people who fall into the “insider” category. They are negligent employees who don’t practice good cyber hygiene, disgruntled employees with ill will, and malicious employees who join organizations with the intent to defraud them.
What is a company to do? For the negligent employees who don’t practice good cyber hygiene—training, training, and more cyber-training is the best way to go.
No amount of training, however, will stop a disgruntled employee with ill intent, or a malicious employee who joins to do harm.
These latter two categories need more specialized attention—an insider threat program. The Wall Street Journal explains:
Companies are increasingly building out cyber programs to protect themselves from their own employees.… Businesses … are taking advantage of systems … to find internal users who are accidentally exposing their company to hackers or malicious insiders attacking the company. These “systems,” however, can prove costly, especially for the small-business owner. While investment in a technological solution is one way to tackle this serious problem, it’s not the only way. Indeed, there is lots any company, of any size, with any amount of resources, can do to develop an insider threat program.
Aside from the expense of costly monitoring programs, what types of issues should employers include in an insider threat program? Here are seven suggestions:
- Heightened monitoring of high-risk employees, such as those who previously violated IT policies, those who seek access to non-job-related business information, and those who are, or are likely to be, disgruntled (i.e., employees who express job dissatisfaction, who are on a performance improvement plan, or who are pending termination).
- Deterrence controls, such as data loss prevention, data encryption, access management, endpoint security, mobile security, and cloud security.
- Detection controls, such as intrusion detection and prevention, log management, security information and event management, and predictive analytics.
- Inventories and audits for computers, mobile devices, and removable media (i.e., USB and external hard drives), both during employment and post-employment.
- Policies and programs that promote the resolution of employee grievances and protect whistleblowers.
- Pre-employment background checks to help screen out potential problem employees before they become problems.
- Termination processes that removes access as early as possible for a terminated employee.
No company can make itself bulletproof from a cyber-attack. Indeed, for all businesses, data breaches are a “when” issue, not an “if” issue. However, ignoring the serious threat insiders pose to your company’s cyber security will only serve to accelerate the “when.”
So, there it is! You can take this seriously or just ignore this potential problem The reality is this is a growing concern and I will be discussing this in detail on my LA Talk Radio show this coming Sunday at 3 pm PST.