
When It Comes to the Insider Threat, Hope Is Not a Strategy

Recently, one of my co-workers walked into my office and informed me of a problem that required attention. It was a tricky problem; one that had no ready, easy solution. So, I closed my eyes and hoped it would go away. Good plan, right?

Surprisingly, that is in effect the plan at many companies when it comes to insider threats. In a recent survey conducted at InfoSecurity Europe, 64 percent of security professionals said the insider threat is their biggest security concern, yet the same respondents said they spend the majority of their security budgets on technology layers that do not directly defend against it.

The greatest asset at a company is the employee. But because employees are human, mistakes get made – most times inadvertently, sometimes with malice aforethought.

Remember Family Feud? If the category was insider threat, and Richard Dawson was saying “show me IP and data theft,” you know that a tile on the game board would be turning over.

A scary 51 percent of employees believe it’s okay to take company data when they leave an organization, according to a survey Symantec published.

“Show me data breach” – wild applause from the audience, and the IT Security family is jumping up and down, high-fiving, and getting kisses from Richard.

The Ponemon Institute also published a study that showed 19 percent of customers ended their relationship with a company when told that their data had been breached.

“Show me fraud.” Another winner!

Any company can experience fraud. According to the 2012 Report to the Nations from the Association of Certified Fraud Examiners, the median loss per fraud case is $140,000, and 87 percent of the perpetrators had never before been charged with or convicted of a fraud-related offense. In other words, a clean background check is not a control against fraud.


All the above are classically understood insider threats, and some are harder to deal with than others. Take fraud: how do you know whether an employee with legitimate access is using it improperly, and how do you detect that activity before the audit finds the hole? Well-known and respected entities like Ernst & Young and the FBI have identified key words and phrases that are indicators of fraudulent activity. Do you know what they are? And do you have the means to look for them across the various communications media your employees use, such as email, chat and file comments, rather than in one channel only? Or are your eyes still closed, fingers still crossed?
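As an illustration of the "means of looking for them" the paragraph asks about, here is an added example (not code from the original column, and not a product of Ernst & Young or the FBI) that scans messages from several channels for indicator phrases and aggregates a per-sender score. The phrase list and weights are constructed for the example and are not the Ernst & Young / FBI list the column refers to; the sample messages are likewise constructed.

```python
"""Keyword-indicator scan over employee communications (added example)."""
import re
from collections import defaultdict

# Constructed, illustrative indicator phrases with weights. This is NOT the
# Ernst & Young / FBI list the article mentions; substitute your own list.
INDICATORS = {
    "nobody will find out": 3,
    "cover up": 3,
    "off the books": 3,
    "don't leave a trail": 3,
    "write off": 2,
    "special fees": 2,
    "delete this": 2,
    "not ethical": 1,
}

# Constructed sample messages from two channels (email and chat); not real data.
SAMPLE_MESSAGES = [
    {"sender": "alice", "channel": "email",
     "text": "Please write-off the Q3 adjustments and don\u2019t leave a trail."},
    {"sender": "alice", "channel": "chat",
     "text": "Book the special fees off the books. Nobody will find out."},
    {"sender": "bob", "channel": "email",
     "text": "Reminder: the writeoff policy requires CFO approval."},
    {"sender": "carol", "channel": "chat",
     "text": "Can you delete this draft? It has the wrong numbers."},
]


def normalize(text):
    """Lower-case, straighten curly apostrophes, and turn hyphens/slashes
    into spaces so 'write-off' matches the phrase 'write off'."""
    text = text.lower().replace("\u2019", "'").replace("\u2018", "'")
    text = re.sub(r"[-_/]", " ", text)
    return re.sub(r"\s+", " ", text).strip()


# Compile one word-boundary pattern per phrase, normalized the same way as
# the messages so the two sides always agree.
_PATTERNS = {
    phrase: re.compile(r"\b" + re.escape(normalize(phrase)) + r"\b")
    for phrase in INDICATORS
}


def find_indicators(text):
    """Return the (phrase, weight) indicators present in one message."""
    norm = normalize(text)
    return [(p, INDICATORS[p]) for p, rx in _PATTERNS.items() if rx.search(norm)]


def score_by_sender(messages):
    """Aggregate indicator weight per sender across all channels, keeping
    the (channel, phrase) hits as evidence for a later human review."""
    totals = defaultdict(lambda: {"score": 0, "hits": []})
    for m in messages:
        for phrase, weight in find_indicators(m["text"]):
            totals[m["sender"]]["score"] += weight
            totals[m["sender"]]["hits"].append((m["channel"], phrase))
    return dict(totals)


def flagged_senders(messages, threshold=5):
    """Senders whose aggregate score meets the threshold, highest first."""
    scores = score_by_sender(messages)
    return sorted((s for s, v in scores.items() if v["score"] >= threshold),
                  key=lambda s: -scores[s]["score"])


if __name__ == "__main__":
    for sender, info in score_by_sender(SAMPLE_MESSAGES).items():
        print(sender, info["score"], info["hits"])
    print("flagged:", flagged_senders(SAMPLE_MESSAGES))
```

Two design points matter more than the phrase list. First, the score is aggregated across channels, because a single message rarely says enough on its own; it is the pattern over email plus chat that separates alice from carol, whose one "delete this" is ordinary editing. Second, a keyword hit is a triage signal for HR, legal or internal audit, not proof of fraud, so the evidence (which channel, which phrase) is kept with the score rather than discarded. Note that the word-boundary match deliberately does not flag bob's "writeoff policy"; if you want that variant caught, add it to the list explicitly rather than loosening the boundary, or false positives climb fast.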

Back to Family Feud. “Show me harassment!” This one might get a red X. But should it? Think about the impacts to an organization if this type of behavior is going on. There is legal risk – the targeted employee could sue. There is flight risk. The targeted employee could leave – and take the talents and skills that you hired them for with them while you incur the costs of replacing them. Is inappropriate behavior an insider threat? I say yes.

Now, most companies don’t have their eyes closed to inappropriate behavior like harassment. There are policies in place and a process for reporting a problem to HR so it can investigate and take action. Of course, HR can only act when it is aware of a problem – and is usually only aware when there is a complaint. Does HR have a responsibility to seek out this behavior and deal with it in the absence of a complaint? I say yes.

Last chance – for the win – “show me productivity!” Red X. Groans from the crowd. But why? What greater insider threat to the success of a company – especially a small business – than loss of productivity?

A survey by Salary.com in 2013 found that 69 percent of respondents admitted wasting time at work on a daily basis.

So, how do we deal with insider threats? We open our eyes. We stop hoping. And we focus on the insider. Not after the fact, in a forensic exercise that reconstructs what happened. But before, and during, the fact.

Companies generally have the right to monitor employee activity on their own networks and equipment, provided employees have been given notice and the monitoring stays within what local law allows; the details vary by jurisdiction, so check with counsel before you deploy. Of course, no discussion of employee monitoring would be complete without a look at how privacy can impact IT’s plans. While many privacy-rights advocates would have the world believe that employees expect privacy and rebel at the mere notion of monitoring, the data suggest otherwise. A recent poll that asked 300 full-time, U.S.-based employees how they felt about being monitored in the workplace found that 91 percent accept, and in some cases even welcome, having their computer activities and behaviors monitored. With acceptance that wide, a disclosed, clearly scoped monitoring program is an easier sell than most security teams assume.

The insider threat is very much a reality, and because it hides in the details, it’s one of the biggest threats businesses can encounter. As with any security situation, concern and awareness are good starting points, but without the proper visibility and guiding principles in place, security professionals are really left with nothing more than a hope that the problem will be addressed. And as stated in the beginning, hope is not a strategy.
