Since March 2020, it’s safe to say that all businesses and their employees have had to adapt and find ways to stay fluid while maintaining resilience. Remote work is now the norm, and often employees can work outside of the typical 9-5, whether due to childcare, lack of travel, or simply proximity to the “office”. This means that a company could see an employee working earlier in the morning or later in the evening. Before the pandemic, digital activity outside office hours would have been a sure sign of an insider threat.
The traditional telltale signs that someone in the organization might be involved in insider threat activity have been diluted. It is now much more difficult to determine whether an employee has simply changed their work schedule or is engaging in illicit activities against the company, which considerably complicates the analysis of insider threats. The boundaries of an organization have shifted irrevocably since the start of the pandemic. How can companies protect themselves from a possible insider threat in this new environment?
Definition of an insider threat
An insider threat occurs when a trusted individual takes advantage of their position within a company to obtain proprietary information/intellectual property that they take, sell, or misuse. It is crucial for companies to put in place digital mitigation measures to prevent the exfiltration of sensitive information. Companies should be especially careful about authorizing USB drives, external media storage devices, or file-sharing applications, which allow an individual to upload or download proprietary information for malicious purposes.
Prevention of an insider threat
To prevent an insider threat from occurring in the first place, it is important for a business to ensure that it has digital protections in place, such as appropriate firewalls around its systems that could identify a problem. Installing threat identification and mitigation software allows a company to see when irregular activity is occurring on its systems, whether or not the person responsible has authorization for that type of material.
Part of preventing an insider threat is being aware of the risks and mitigating them appropriately. And while security professionals strive to create an airtight defense system, it is ultimately impossible to completely eliminate all risks. Therefore, companies must balance business needs with security needs.
Moreover, insider threats go beyond the digital space into the physical security space as well. This type of threat could be an employee bringing in an external drive to plug into a computer or removing important documents from the building. With fewer people in offices, physical security remains just as important as digital.
Educate employees and address weaknesses
The best way to prevent an insider threat is to educate and arm your employees. Employees should be trained on how to protect their workstation and their work environment, and on how to identify social engineering as it arises. An employee, even one without a security clearance, could innocently be motivated by something as simple as a nation-state wanting information from a private contractor doing business with the US government. These people may not think what they are doing matters or is particularly important to national security, so they can easily fall prey to this type of coercion.
Companies should not overlook workplace culture and employee satisfaction. A disgruntled employee is more likely to carry out a threat than one who is satisfied at work. An employee might find a listening ear and be convinced that they are being mistreated by the company or that the company does not like them. It doesn’t take much for some employees to feel underappreciated and strike up a relationship with a malicious stranger, and this vulnerability isn’t limited to national security. Economic espionage is a huge problem in the corporate world. Providing confidential information to a competitor, for example, is considered an insider threat.
Faced with internal threats, a company plays defense 24 hours a day, 7 days a week. Threat actors only need to be right once. An organization must always be right, because all it takes is one intrusion or theft of proprietary information to cause irreparable damage.
The intersection of physical and digital security
In about 30% of organizations today, digital security teams and physical security teams report to the same manager. This is a huge shift from traditional reporting lines, and we’re only scratching the surface. As the world becomes more and more digital, the separate roles of CISO and CSO are evolving into a single security leadership role. If companies need additional expertise in digital or physical security, they can hire or outsource these roles, but an executive who has vision, understands business strategy and appreciates the value that security brings to an organization as a business enabler has a different skill set than someone who focuses on digital or physical remediation from a security perspective. These practitioners will still have a place in security, but top-level security will merge into a single position that will enable the overall protection of the business and its employees.
The success of an organization depends on business and security teams working together to achieve success. Security team members should become students of the business to know what they are working to protect. Otherwise, there will be no room for growth and innovation.
On the other hand, the business must understand how security, and in many cases information security, enables the business to succeed. This involves investing in technology that enables the information security team to adequately address vulnerabilities, mitigate those vulnerabilities from an IT perspective, and conduct the right analysis to show network disruptions. This partnership between security and business is what enables companies to excel.
Be open with employees in the event of potential or ongoing threats
There are three challenges inexorably linked to insider threat events: technology, transparency, and trust. All organizations must have the technology. If they don’t have trust, then the technology will be misused. If they don’t have transparency, there’s no trust. Each “T” plays a critical role in ensuring that employees feel comfortable with technology, that they believe their leadership is transparent with them, and that they have confidence that the organization is doing what is necessary. These three elements help mitigate the possibility of insider threats, while educating and developing a culture that rewards employees for their honesty and transparency.
Companies need to be upfront about the notion of insider threats. This may involve internal training to educate employees on how and why these attacks are perpetrated, and on the techniques threat actors use to trick employees into engaging in insider threat activity. Insider threats must be thoroughly and completely investigated from the time they are identified until the time they have been resolved. Waiting to disseminate this information until all the actors have been identified could be potentially disruptive for the company. The goal isn’t to terrify employees; it’s to educate them. Maintaining an open dialogue and communicating clearly before, during and after an event is invaluable in building employee confidence.
Additional insider threat protection
Establish a clean desk policy for employees. This concerns both physical and digital workspaces. In an office, employees should ensure that their desk is cleared of all sensitive material like open laptops, passwords, and USB drives, and that it is locked. Employees likely to work in public spaces like a coffee shop should be aware of who is around them and use devices that block other people from seeing their screen, especially if they are not directly in front of it.
Employees should be especially vigilant when traveling for work, as hotels and airports are known to be gateways for threat actors. Plugging into an airport outlet almost guarantees that something harmful will be loaded onto a computer. And in various parts of the world, governments have different authorities with varying computer protocols.
What about that employee who works non-traditional hours? To tell the difference between an insider threat and an employee burning the midnight oil, companies must prioritize developing a culture that accommodates employees working at different times and paces. Organizations and their leaders need to maintain normal, routine communication with employees and teams. Just because an employee is remote doesn’t mean they shouldn’t have regular, transparent interactions with an organization’s management.