Who should you be more afraid of compromising your company’s security?
1. A dude wearing a hoodie who’s loitering outside with a laptop.
2. Gary in IT.
(Hint: The answer is Gary.)
An intense-looking hacker wearing a hoodie and banging out command-line instructions on a laptop makes for good entertainment, but skews our ability to really figure out what we should actually be concerned about. An employee who is either careless or disgruntled can cause significantly more damage with significantly less effort.
Insider Threat is one of the most important risks for an organization to consider. The term refers to the risk posed to information and data security by someone internal to the organization with trusted access. It does not, and should not, always imply nefarious intentions since that is only rarely the case.
Insider Threats in Action
Tesla’s Humble Protector
A fantastic example of what an insider threat situation looks like was reported in many news feeds just a few years ago.
The target was Tesla’s Gigafactory manufacturing facility outside Reno, Nevada and the insider was an employee at the facility. The employee was approached by an old acquaintance who offered $500,000 to insert a USB drive into a computer system inside the factory. Ostensibly, the intent was to target Tesla and spread malware, ransomware, or other malicious code hoping to reap a huge payout in the end.
The employee, however, chose to be faithful to the company and reported the incident. The FBI was called in and, after following the suspect for a few days, apprehended him at an airport prior to his leaving the country.
When in doubt, ask your wife: Boeing’s Accidental Data Leak
Another example involves an employee at Boeing who tried to go the extra mile in formatting a document by asking his wife for help. The employee sent a document via the company email to a personal account so his spouse could assist. Unfortunately, the document contained sensitive personally identifiable information (PII) of thousands of his fellow Boeing employees.
Fortunately for the company and the employees, an investigation revealed that the sensitive information was not further disclosed beyond the employee’s spouse. As we all know, the result could have been much worse.
Can I get a ride: Google Loses Self-driving Car Information
The above examples did not, fortunately, result in loss or damages to the organizations. But, when an insider intends malicious and criminal activity, the damage can indeed be significant.
Such was the case when Anthony Scott Levandowski, a former Google executive with inherent access to valuable intellectual property, decided to take sensitive information with him when leaving the company. The executive used his trusted access to collect data associated with the company’s self-driving car program with the intent of giving it to a competitor. The competitor happened to be his new employer, Uber.
The value of the stolen data was estimated to be $1.5 million.
Pass the Popcorn
When the director of research and development from Garrett Popcorn Shops heard that her job was on the chopping block, she chose the self-serving option to steal proprietary information.
Using her access to trade secrets like recipes and processes, she sent volumes of data from the company to her personal email account. Due to her trusted insider access, it took the company time and resources to discover the loss, investigate, and file a lawsuit.
More than Near-Misses
There are many other instances of disgruntled employees taking advantage of their access to subvert the trust placed in them. Motivations include personal gain, revenge, or a response to a perceived injustice or slight. They may even be influenced by an outside agent or group with similar motivations.
More often, an insider threat event with a poor outcome is the result of misunderstanding, lack of training, or the intent to complete a task while constrained by unexplained or unfamiliar procedures.
For example, using an unapproved document sharing site because a customer really needs some help – and not understanding that its use also might publicly expose sensitive information.
Or, a new remote employee who’s having difficulty setting up their company workstation might choose to use their personal laptop instead – unknowingly introducing malware into the company network.
Perhaps someone just isn’t familiar with the use of a password manager and is using the same password for multiple personal and work accounts, making it easier for hackers to find a way in.
In the example stories, the employees were risks to the companies they work for. They had access and were trusted members of the organization. But, that risk was managed due to a number of factors.
So, what factors can you use to help keep insider risk low?
Our Strategy #1 – Employee Engagement
At Fractional CISO, for example, the entire staff is engaged, working together with great communication. Everyone meets, often virtually, a few times a week to discuss company activities and even have some fun. Company leaders are available to talk to and always show interest in the team’s well being.
Communication is Key
Keep the lines of communication open, and maintain good relationships with supervisors, peers, and the rest of the team. In most small organizations this kind of engagement will reveal issues early.
Open communication and opportunities to speak with leaders allow team members to feel comfortable discussing things they experience that may indicate future problems. There are even whistleblower and anonymous reporting services that companies can subscribe to. These services ensure the privacy of those who want to report possible issues but might not be comfortable reporting them directly.
Training Helps Prevent Mistakes
Ensure training exists for workflows and processes and is managed according to job roles. Job roles and descriptions are important to help employees understand their responsibilities and boundaries. Monitor work performance and reinforce training on a regular basis to ensure processes are still being followed.
Even Good Hiring Helps Security
Recruit and hire the right people for the right positions. Wait, how does this reduce the risk of insider threat? Well, if we hire an entry-level developer to fill a senior-level position, that person would likely feel overwhelmed and dissatisfied – potential precursors to something happening, the least harmful of which might be an early resignation.
“Regarding my Compensation…”
Compensate your employees appropriately for their experience, skills, and responsibilities. All of us have commitments which we must meet. Those commitments include duty to family and friends, financial obligations, and living an enjoyable and fulfilling life. When money issues creep into home and work activities, it can lead to stress, dissatisfaction, or desperation – which may lead to insider threat susceptibility.
Keep Tabs on your Employee Satisfaction
Establish and maintain an employee performance management program that allows leaders and managers to interact directly with their team members. These types of programs can help detect early warning signs such as dissatisfaction, uncertainty, or other issues. Sessions should occur often enough to maintain connections and clear communications.
Our Strategy #2 – Security Controls
You didn’t think we’d neglect our bread and butter did you?
Taking care of employees is a key step in protecting against insider threats but secure business operations are just as important.
Appropriately designed and implemented cybersecurity controls add the additional requisite layer of security to help protect the business and our clients.
Practices such as regular access management, least-privilege permissioning, and change control reviews help to minimize the amount of data any one employee has access to at any given time. These are very important for mitigating the risk of insider threat!
Conclusion on Insider Threat
Combining meaningful employee engagement efforts with strong cybersecurity controls will provide your organization with multi-layered protection and defense against insider threat, plus protection from many of the other threats we face in our daily digital lives.
While insider threat is something we can discuss and plan for, in reality the ‘insiders’ are all of us – doing our jobs, serving customers, and going about our daily business routines.