Do you remember the movie “When a Stranger Calls”?
The movie opens with a teenage babysitter receiving a telephone call from a man who asks, “Have you checked the children?” She dismisses the call as a practical joke. But, as the calls continue, and become more frequent and threatening, she becomes more and more frightened, and calls the police. Ultimately, she receives a return call from the police, telling her that the calls are coming from inside the house.
(Cue ominous music.)
Your employees are your company’s weakest link and, therefore, your greatest threat to suffering a cyberattack and resulting data breach. While employee negligence (that is, employees not knowing or understanding how their actions risk your company’s data security) remains the biggest cyber-risk, another also demands your attention — the malicious insider.
According to one recent report, malicious insiders are responsible for 27 percent of all cybercrime. Darkreading.com reports on a recent survey, titled, “Monetizing the Insider: The Growing Symbiosis of Insiders and the Dark Web”:
“ ‘Recruitment of insiders is increasing, and the use of the dark web is the current methodology that malicious actors are using to find insiders,’ said researcher Tim Condello, technical account manager and security researcher at RedOwl.
“Cybercriminals recruit with the goal of finding insiders to steal data, make illegal trades, or otherwise generate profit. Advanced threat actors look for insiders to place malware within a business’ perimeter security.”
There are three types of people who fall into the “insider” category, according to Condello: negligent employees who don’t practice good cyber hygiene, disgruntled employees with ill will, and malicious employees who join organizations with the intent to defraud them.
What is a company to do? Train your employees about proper password safety, the dangers of public Wi-Fi, recognizing and avoiding phishing schemes and scams, and handling lost or stolen devices. This will help in arming your employees with the necessary tools to defend against making a mistake that exposes your organization to cybercriminals.
No amount of training, however, will stop a disgruntled employee with ill intent, or a malicious employee who wants to cause harm to do damage.
These latter two categories need specialized attention: an insider threat program. The Wall Street Journal explains:
“Companies are increasingly building out cyber programs to protect themselves from their own employees.… Businesses … are taking advantage of systems … to find internal users who are accidentally exposing their company to hackers or malicious insiders attacking the company. These ‘systems,’ however, can prove costly, especially for the small-business owner. While investment in a technological solution is one way to tackle this serious problem, it’s not the only way. ”
Aside from the expense of costly monitoring programs, what types of issues should employers include in an insider threat program? Here are seven suggestions:
• Heightened monitoring of high-risk employees, such as those who previously violated IT policies, those who seek access to non-job-related business information, and those who are, or are likely to be, disgruntled (i.e., employees who express job dissatisfaction, who are on a performance improvement plan, or who are pending termination).
• Deterrence controls, such as data loss prevention, data encryption, access management, endpoint security, mobile security and cloud security.
• Detection controls, such as intrusion detection and prevention, log management, security information and event management, and predictive analytics.
• Inventories and audits for computers, mobile devices and removable media (i.e., USB and external hard drives), both during employment and post-employment.
• Policies and programs that promote the resolution of employee grievances and protect whistleblowers.
• Pre-employment background checks to help screen out potential problem employees before they become problems.
• Termination processes that remove access as early as possible for a terminated employee.
Do you think you’re too small to worry about devoting resources to these issues? Consider, according to Darkreading.com, that 98 percent of all companies have suffered a cyberattack, the average company suffers a minimum of 11 cyberattacks per day, and 40 percent of companies lack any type of cyber-incident response plan.
No company can make itself bulletproof from a cyberattack. Indeed, for all businesses, data breaches are a when issue, not an if issue. However, ignoring the serious threat insiders pose to your company’s cybersecurity will only serve to accelerate the when.
Jon Hyman is a partner at Meyers, Roman, Friedberg & Lewis in Cleveland. Comment below or email firstname.lastname@example.org. Follow Hyman’s blog at Workforce.com/PracticalEmployer.