Recently, one of my co-workers walked into my office and informed me of a problem that required attention. It was a tricky problem; one that had no ready, easy solution. So, I closed my eyes and hoped it would go away. Good plan, right?
Surprisingly, that exact plan is being used in the majority of companies when it comes to dealing with the problem of insider threats. According to a recent survey conducted at InfoSecurity Europe, 64 percent of security professionals stated that the insider threat is their biggest security concern. They also said they are spending the majority of their security budgets on technology layers that do not directly defend against it.
The greatest asset at a company is the employee. But because employees are human, mistakes get made – most of the time inadvertently, sometimes with malice aforethought.
Remember Family Feud? If the category was insider threat, and Richard Dawson was saying “show me IP and data theft,” you know that a tile on the game board would be turning over.
A scary 51 percent of employees believe it’s okay to take company data when they leave an organization, according to a survey Symantec published.
“Show me data breach” – wild applause from the audience, and the IT Security family is jumping up and down, high-fiving, and getting kisses from Richard.
The Ponemon Institute also published a study that showed 19 percent of customers ended their relationship with a company when told that their data had been breached.
“Show me fraud.” Another winner!
Any company can experience fraud. According to the 2012 Report to the Nations from the Association of Certified Fraud Examiners, the median loss to fraud is $140,000, and 87 percent of those committing corporate fraud have no prior record of fraudulent activity.
All the above are classically understood insider threats, some harder to deal with than others. Take fraud – how do you know whether an employee with legitimate access is using it improperly? How do you detect such activity? Well-known and respected entities like Ernst & Young and the FBI have identified key words and phrases that are indicators of fraudulent activity. Do you know what they are? And do you have the means of looking for them across the various communications media your employees use? Or are your eyes still closed, fingers still crossed?
Back to Family Feud. “Show me harassment!” This one might get a red X. But should it? Think about the impacts to an organization if this type of behavior is going on. There is legal risk – the targeted employee could sue. There is flight risk. The targeted employee could leave – and take the talents and skills that you hired them for with them while you incur the costs of replacing them. Is inappropriate behavior an insider threat? I say yes.
Now, most companies don’t have their eyes closed to inappropriate behavior like harassment. There are policies in place and a process for reporting a problem to HR so it can investigate and take action. Of course, HR can only act when it is aware of a problem – and is usually only aware when there is a complaint. Does HR have a responsibility to seek out this behavior and deal with it in the absence of a complaint? I say yes.
Last chance – for the win – “show me productivity!” Red X. Groans from the crowd. But why? What greater insider threat to the success of a company – especially a small business – than loss of productivity?
A survey by Salary.com in 2013 found that 69 percent of respondents admitted wasting time at work on a daily basis.
So, how do we deal with insider threats? We open our eyes. We stop hoping. And we focus on the insider – not after the fact, in a forensic exercise that reconstructs what happened, but before and during it.
Companies have the right to monitor employee activity on their networks. Of course, no discussion of employee monitoring would be complete without a look at how privacy can affect IT’s plans. While many privacy-rights advocates would have the world believe that employees expect privacy and rebel at the mere notion of monitoring, the facts indicate otherwise. A recent poll that asked 300 full-time, U.S.-based employees how they felt about being monitored in the workplace found that 91 percent accept, and in some cases even welcome, having their computer activities and behaviors monitored. With such wide acceptance, there’s no reason not to deploy employee-monitoring software.
The insider threat is very much a reality, and because it hides in the details, it’s one of the biggest threats a business can encounter. As with any security situation, concern and awareness are good starting points, but without the proper visibility and guiding principles in place, security professionals are left with nothing more than a hope that the problem will be addressed. And as the opening made clear, hope is not a strategy.