In today’s digital age, where an attacker can compromise a system from the other side of the globe, organisations have to be more wary than ever. Unfortunately, it is no longer enough to remain vigilant about the outside world. Some of the most damaging threats originate from within.
During COVID-19 there has been an uptick in insider threats, ranging from malfeasant board members to malicious employees. While some incidents are simply the result of negligence, often more insidious motives are at play.
Investigating and identifying insider threats has become harder because an individual no longer needs to photograph or copy documents to steal them. Someone with the right access can exfiltrate vast amounts of data in seconds.
Leaders in every organisation cannot afford to discount the possibility of such a breach, or the heavy fines, reputational damage and loss of business it can cause. Given how severe insider breaches typically are, they need a plan in place for when they are confronted with one.
Here are five steps an organisation can take to protect itself against an insider threat.
1. Identify your risk
Here’s a tough question every organisation should be asking itself: Which of our information assets are most valuable, and what would it mean if they were lost or stolen? No organisation can protect all of its information and intellectual property (IP) to the same standard without undermining business effectiveness, but you do need to know which of your information assets are the crown jewels.
Once that’s defined, organisations should identify who has access to these highest-value assets. Is access limited to a small pool of employees? Or are the assets relatively accessible, with employees simply trusted not to venture outside their particular remit?
How are employees in the most trusted roles chosen? Are their reliability and integrity part of their selection and performance monitoring? These are all important questions that, if answered thoroughly, give organisations a clearer picture of what information is at stake and who among their staff would be in a position to take it.
2. Look from the outside in
An organisation’s security teams should put themselves in an insider’s shoes. What would motivate them to commit their crime? Is it purely driven by financial motivations? Would they leak sensitive information out of a particular ideological principle? What information or IP would the organisation’s competitors be looking for that, if stolen, would give them a competitive edge? Seeing things from a hostile actor’s perspective can help define what — and who — is at risk.
3. Define the initial response
Most organisations, having seen countless news stories of competitors losing data in cyber attacks, have cybersecurity response plans in place. The next question they should be asking is whether those plans account for data stolen internally. Does their network defence rely heavily on users not being complicit in phishing or in enabling other external compromises of the network? Is the movement of data around and out of the organisation tracked and monitored so that potential insider threats can be identified?
4. Stop the threat in real time
Does the organisation’s internal monitoring look for indicators of malicious insider behaviour as well as for careless or negligent activity? Could its Security Operations Center (SOC) respond in real time to prevent data loss, or only investigate retrospectively?
For instance, an employee who normally only sends emails and works on individual files starts moving gigabytes of data onto portable media. If the organisation can spot this quickly, it could stop the transfer, or have physical security stop that employee from leaving the building, sparing itself the loss and embarrassment of a retrospective investigation after the culprit has disappeared.
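The scenario above, and the earlier question of whether data movement is tracked at all, is what a per-user behavioural baseline is for. The Python below is an added example, not code from the article or from FTI Consulting: it seeds a daily baseline of bytes written to removable media for each user from a history window, then streams the current day's endpoint events and raises an alert at the moment a user's same-day total reaches both an absolute floor and a multiple of their own baseline. The event schema, the usernames, the thresholds and every sample record are assumptions constructed for illustration; a real deployment would read endpoint DLP or USB audit logs in their place.

```python
"""Baseline-and-spike detection for bulk copies to removable media.

Added example, not part of the article or FTI Consulting's tooling.  The
event schema, thresholds, usernames and sample records are all assumptions
constructed for illustration; a real deployment would consume endpoint DLP
or USB audit logs in place of sample_history()/sample_live().
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import median
from typing import Dict, Iterable, List, NamedTuple

MIB = 1024 ** 2
GIB = 1024 ** 3


class Event(NamedTuple):
    user: str
    ts: datetime
    dest: str       # assumed channel label: "removable", "email", "fileshare"
    nbytes: int


class Alert(NamedTuple):
    user: str
    ts: datetime    # the event that pushed the day's total over the line
    today_total: int
    baseline: int   # median bytes/day this user previously wrote to removable media


def detect_bulk_copies(history: Iterable[Event], live: Iterable[Event],
                       ratio: float = 10.0, floor: int = 1 * GIB) -> List[Alert]:
    """Seed per-user daily totals from `history`, then stream `live` events in
    time order and alert the first time a user's same-day removable-media
    total reaches max(floor, ratio * baseline).  baseline is the median of
    that user's earlier daily totals; a user with no history gets 0, so the
    absolute floor alone decides (the cold-start case)."""
    daily: Dict[str, Dict[date, int]] = defaultdict(lambda: defaultdict(int))
    for e in history:
        if e.dest == "removable":
            daily[e.user][e.ts.date()] += e.nbytes

    alerts: List[Alert] = []
    alerted = set()                                # (user, day) pairs already raised
    for e in sorted(live, key=lambda ev: ev.ts):
        if e.dest != "removable":
            continue                               # this example scopes USB/portable media only
        day = e.ts.date()
        user_days = daily[e.user]
        user_days[day] += e.nbytes
        prior = [n for d, n in user_days.items() if d < day]
        baseline = int(median(prior)) if prior else 0
        threshold = max(floor, int(ratio * baseline))
        if user_days[day] >= threshold and (e.user, day) not in alerted:
            alerted.add((e.user, day))
            alerts.append(Alert(e.user, e.ts, user_days[day], baseline))
    return alerts


def sample_history() -> List[Event]:
    """Constructed learning period: a week of ordinary activity."""
    ev = []
    for d in range(3, 8):                          # 3-7 June 2024
        ev.append(Event("alice", datetime(2024, 6, d, 10, 0), "removable", 50 * MIB))
        ev.append(Event("dave", datetime(2024, 6, d, 22, 0), "removable", 2 * GIB))
    return ev


def sample_live() -> List[Event]:
    """Constructed live day: one spike, one cold start, two non-alerts."""
    return [
        Event("alice", datetime(2024, 6, 10, 9, 2), "removable", 600 * MIB),
        Event("alice", datetime(2024, 6, 10, 9, 5), "removable", 500 * MIB),   # crosses 1 GiB here
        Event("alice", datetime(2024, 6, 10, 9, 10), "removable", 1 * GIB),    # same day, no repeat alert
        Event("bob", datetime(2024, 6, 10, 11, 30), "removable", 2 * GIB),     # no history: floor applies
        Event("carol", datetime(2024, 6, 10, 14, 0), "email", 2 * GIB),        # out of scope for this detector
        Event("dave", datetime(2024, 6, 10, 22, 0), "removable", 2560 * MIB),  # within his own baseline
    ]


if __name__ == "__main__":
    for a in detect_bulk_copies(sample_history(), sample_live()):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user}: {a.today_total / GIB:.2f} GiB today, "
              f"baseline {a.baseline / MIB:.0f} MiB/day")
```

Two alerts come out: alice, whose 1.1 GiB by 09:05 is more than twenty times her usual 50 MiB a day, and bob, who has no removable-media history, so only the absolute floor applies. dave, who writes 2 GiB to USB every evening, stays quiet at 2.5 GiB because the threshold is relative to his own baseline, and carol's 2 GiB email attachment is simply outside this detector's scope. The alert fires on the event that crosses the line, not at end of day, which is what lets a SOC act while the copy is still in progress. A real deployment would cover email, cloud uploads and file shares with the same idea, and cold-start users like bob are exactly where a learning period and knowledge of the person's role have to supplement the arithmetic.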
5. Devise the remediation plan
If an organisation has been compromised by an insider, someone will be held responsible and will need to address the consequences. Who on the board is accountable in that situation? Who will communicate it to shareholders? And how many of the remediation steps could have been put in place before the breach occurred?
Good cybersecurity is as much about people as about technology. Consider the threats that originate inside your organisation as well as those that come from outside it; following the steps outlined above will help you anticipate and defend against an insider threat.
- Steve Morgan, Managing Director, Cybersecurity Forensic & Litigation Consulting, FTI Consulting | steve.morgan[at]fticonsulting.com
Compliments of FTI Consulting – a member of the EACCNY.