If you’re not worried about insider threats, now might be a good time to start. Your employees’ actions may not just damage your cybersecurity but could leave you open to court action, too.
In 2014, Andrew Skelton, a senior IT auditor at UK grocery chain Morrisons, became unhappy with his employer after it disciplined him for an infraction. He posted the personal details of 100,000 employees on a file-sharing website. He got eight years in jail, but the story doesn’t end there.
5,500 Morrisons employees sued the firm for breaching its statutory duty in letting Skelton access and misuse the data. Last December, the high court ruled that the grocery chain was ‘vicariously liable’ for his actions. The court didn’t hold Morrisons at fault itself but felt that it was liable for what its employee did.
Insider threats are one of the biggest worries for companies, and they come in many forms. Researchers from the universities of Glasgow and Coventry identified four levels of employee threat as part of a study commissioned by the Centre for Research and Evidence on Security Threats (CREST). The ranking went from serial transgressors – individuals like Skelton who methodically subvert their employers – down to omitters, who pose risks unintentionally through a lack of education or skill.
Verizon’s 2018 Data Breach Investigations Report (DBIR) separates those who misuse internal resources from those clueless employees who just don’t get it. Its insider threat category addresses misuse of internal IT, while its miscellaneous errors category encompasses mistakes that can cause breaches.
Often, insider threats are unwitting rather than malicious. Significantly, half the breaches in the miscellaneous errors category involved mistakes around sending information. Bill in accounts may mean well when he sends a customer’s sensitive information to a contractor via a public email system, but he’s still a threat.
Education has a higher percentage of insider threats than many, but healthcare is one of the worst performers. Combining miscellaneous errors and insider threats, healthcare is the only sector facing a more significant internal risk than an external one, according to the Verizon report.
Protecting yourself
How can you protect your organization against insider threats?
The usual rules of common sense apply. Properly screening employees and contractors is a security technique that companies often overlook.
Creating policies around the acceptable use of company resources, data privacy, and remote data use is also crucial. After all, employees can’t follow the rules if they don’t exist. Cyber-awareness training goes together with sound policies. Thoughtful training sessions that explain how to support your policies without finger-wagging, combined with follow-up sessions and ad hoc tests, can help to drive the point home and build a strong security culture.
These techniques alone will not be enough to completely stamp out insider threats, though. There will always be a small subset of employees that either can’t or won’t follow the rules. That’s why technology solutions play an essential part in protecting the company.
Anti-malware technology, along with email and traffic scanning solutions can help to prevent employees opening malicious attachments or visiting dangerous online destinations. Role-based access control can help prevent employees accessing information above their pay grade, while the separation of duties can help to prevent users with privileged access from playing fast and free with company data.
Finally, monitoring systems can document anything that employees or contractors do on a network, alerting administrators of suspicious behaviour.
Beyond that, though, one of the best ways to thwart insider activity is proper management. Companies that treat employees poorly and make them feel undervalued leave themselves open for retaliation.
By managing staff sensitively and giving them a sense of worth, companies can go a long way to building allies rather than enemies within their ranks. That’s a level of protection that only compassion and people skills can provide.
The topic of Threats, Exploits and Vulnerabilities will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Threats, Exploits and Vulnerabilities here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
