Is Insider Threat Only a BIG Company Problem?
When we talk about Insider Threats, most people think that some angry employee is out to do harm to a company, but there is so much more to it than that.
We had another wonderful discussion with top technology experts to talk about Insider Threats, what it means, the risks involved, and how training and company culture play an important role in reducing risks.
Unfortunately, very little is done to help mitigate the risks of Insider Threats...until something really bad happens.
Insider Threats Come in All Shapes and Sizes
Insider Threats are present in every company, regardless of whether an employee is stealing information for financial gain or simply clicks on a bad link in a phishing email by accident. Cyber criminals also use information they find on social media to blackmail an employee into giving them company information or unauthorized access. They can also get hired into a company, so not only are they there as a spy, they are getting paid for it!
Personas Over Threats
Focus on personas rather than threats. Here are the top three to watch for:
- A former disgruntled employee
- Careless individuals
- Employees who may be having financial difficulty
If you can identify the people, processes, and procedures with those personas, you will be able to build your security strategy and employee training around that and be better protected.
Finding and Reporting Threats
COVID-19 has opened the door to more risk, and many security companies have seen a huge uptick in fraud cases. Now that a lot of people aren’t working side by side, it’s even harder to notice changes in people’s behavior patterns, since visibility has narrowed considerably.
Employees need to know how to report suspicious activities and which ones to report. It should be part of their training. For example, an employee who has been having a hard time at home and all of a sudden gets a new car, new jewelry, etc., may be a threat and should be reported.
People may be hesitant to come forward with information since there is still a very strong anti-snitch culture! It just needs to be made clear how to report Insider Threats, and it needs to be part of your company policy. Make it a part of the onboarding process or annual training! They also need to know that you are there for them first and foremost.
This video is part of Wizer's Insider Threat training program.
Clear Policies and Procedures
If there is no clear policy, like a non-compete agreement, you are at risk. For example, an employee who takes on a second job or opens a side hustle may end up competing with your business.
Companies also have tools and resources to catch people who are threats. Posting on social media is fair game also. Many companies push back on monitoring because they trust their employees no matter what. However, you can still trust them AND put controls in place.
The trick to monitoring effectively without losing the trust of your employees is to be fully transparent. Tell your employees what data will be collected and how it will be accessed. Tell them why. Explain the benefits up front. For example, how monitoring not only protects the company, but protects them as well.
There also need to be controls protecting the monitored data collected about employees, as well as a process for authorizing who can view this data. You don’t want people snooping on their co-workers just because they can, or cyber criminals getting hold of this treasure trove of information!
Deterrence is an advantage more than a risk.
Whose Responsibility is All This?
Who should own this program in the company? There is no one-size-fits-all answer, and this is something that should be decided very carefully depending on the industry and the technology in place. It could sit under the Legal Department; you should always consult with the legal team regardless. It could also belong to the Risk Management Team and/or the CSO. Placing it under Human Resources is probably NOT the best idea.
Working With Different Workplace Cultures
Culture is a key factor, and each company’s individual needs will be different. More regulations now require monitoring because it creates proactiveness, and people are starting to understand that it is good for their overall security posture. A medical company, for example, most likely needs monitoring software because it is required to know specific things. You have to tailor your training and policies to the culture so that employees can digest them properly.
What about external partners or vendors? What if they reside in different countries or regions? Again, it’s about creating a customized program. Different laws and privacy regulations apply depending on geographic location, and all of them must be considered. Establish relationships with overseas counsel, and learn ahead of time what their processes and procedures are.
Stay ahead of the curve and get your plan and training in place before something happens.