Since March 2020, arguably all companies and their employees have needed to adapt and find ways to stay fluid while maintaining resilience. Remote work is now the norm, and often employees can be found working hours outside of the typical 9-5, whether it’s due to childcare, lack of commuting, or simply close proximity to “the office.” This means that a company could see an employee working earlier in the morning or late into the evening. Prior to the pandemic, off-hours digital activity would have been a sure sign of an insider threat.
The traditional tell-tale signs indicating a member of the organization might be engaged in insider threat information have been diluted. Now it’s much more difficult to determine whether an employee is adjusting their work schedule or engaging in illicit activity against the company, making the parsing of insider threats much more complicated. The bounds of an organization have shifted irrevocably since the start of the pandemic. How can companies protect themselves from a possible insider threat in this new environment?
Defining an Insider Threat
An insider threat occurs when a trusted individual leverages their position within a company to gain proprietary information/intellectual property that they take, sell or misuse. It is crucial for companies to have digital stopgap measures in place to prevent the exfiltration of sensitive information. Companies need to be especially careful about the authorization of thumb drives, external media storage devices, or file-sharing applications, that allow an individual to offload or download proprietary information for nefarious purposes.
Preventing an Insider Threat
In order to prevent an insider threat from occurring in the first place, it’s important for a company to ensure that they have established digital protections, like building the correct firewalls around their system that could identify a problem. Having threat mitigation identification software installed allows a company to see when irregular activity is occurring on their system by an individual who may or may not have authorization for that type of material.
Part of preventing an insider threat is being aware of the risks and mitigating them appropriately. And while security professionals strive to create an airtight defense system, ultimately, it’s impossible to completely eradicate all risks. Therefore, companies need to strike a balance between business needs and security needs.
Additionally, insider threats go beyond the digital space into the physical security space as well. This type of threat could be an employee bringing in an external drive to plug into a computer or removing important documents from the building. With fewer people in office spaces now, physical security remains just as important as digital.
Educating Employees and Addressing Weaknesses
The best way to prevent an insider threat is to educate and arm your employees. Employees should be trained on how to protect their workstation, their work environment, and how to identify social engineering as it presents itself. An employee, even one without a security clearance, could innocently be motivated by something as simple as a nation-state wanting information from a private contractor that does business with the U.S. government. These individuals may not think that what they do matters or is particularly important to national security, so they can easily fall prey to this sort of coercion.
Companies should not overlook workplace culture and employee satisfaction. A disgruntled employee is more likely to act out a threat than one who is satisfied at work. An employee could find themselves with a sympathetic ear and become convinced that they are being misused by the company, or the company doesn't value them. It doesn't take a lot for some employees to feel under-appreciated and form a relationship with a malevolent outsider, and this vulnerability is not just limited to national security. Economic espionage is a huge issue in the corporate world. Providing proprietary information to a competitor, for example, qualifies as an insider threat.
When considering insider threats, a company is playing defense 24/7. The threat actors only have to be right one time. An organization needs to be right all the time because it only takes one intrusion or one theft of proprietary information to do irreparable damage.
The Intersection of Physical and Digital Security
In about 30% of companies today, both the digital security teams and the physical security teams are reporting to the same manager. This is a huge transition from traditional reporting lines, and we're just barely scratching the surface. As the world becomes increasingly digital, the separate roles of CISO and CSO is morphing into one singular role for a senior leadership position in security. If companies need additional expertise in either digital or physical security, they can hire or contract out for those roles, but having an executive who possesses vision, understands company strategy, and appreciates the value that security brings to an organization as an enabler of the business, is a different skill set than someone who is focused on the digital or physical remediation from a security perspective. Those practitioners will always have a place in security, but security at the upper level will merge into a single position that allows for the overarching protection of the company and its employees.
An organization’s success is dependent upon the business and security teams working together in order to be successful. Members of the security team must become students of the business to know what they're working to protect. Otherwise, there won’t be room for growth and innovation.
On the other hand, the business needs to understand how security, and in many cases, information security, enables the business to be successful. This involves investing in technology that allows the information security team to adequately address vulnerabilities, to mitigate those vulnerabilities from an IT perspective, and to conduct the right analysis that shows disruptions to the network. This partnership between security and the business is what empowers companies to excel.
Being Open with Employees in the Event of Potential or Ongoing Threats
There are three inexorably linked challenges with insider threat events: technology, transparency and trust. All organizations need to have technology. If they don't have trust, then the technology will be misused. If they don't have transparency, there is no trust. Each “T” plays a critical role in ensuring that employees feel comfortable using the technology, that they believe their leadership is being transparent with them, and that they trust the organization is doing the right thing. These three things help to mitigate insider threat possibilities, while at the same time educating and developing a culture that rewards employees for being honest and transparent.
Companies need to be upfront about the notion of insider threats. This can involve internal training to inform employees about how and why these attacks are perpetrated, and the techniques that threat actors use to influence employees to engage in insider threat activity. Insider threats should be investigated thoroughly and fully from the point when it is identified to the point when it has been resolved. Waiting to disseminate this information until all the players have been identified could be potentially disruptive for the company. The goal is not to terrify employees, it is to educate them. Maintaining an open dialogue and clearly communicating before, during and after an event is invaluable in building employee trust.
Further Protection From Insider Threats
Establish a clean desk policy for employees. This relates to both physical and digital workspaces. In an office, employees should ensure their desk is cleared of sensitive materials like open laptops, passwords, and thumb drives, and that it’s locked away. Employees who might be working in public spaces like a coffee shop should be aware of who is around them, and use devices that prohibit other people from viewing their screen, especially if they are not directly in front of it.
Employees need to be especially vigilant when traveling for work, as hotels and airports are notorious for being gateways for threat actors. Plugging into an airport jack almost guarantees that bad things will be introduced into a computer. And in various parts of the world, governments have different authorities with varying cyber protocols.
What about that employee who is working non-traditional hours? To parse the difference between an insider threat and an employee burning the midnight oil, businesses should prioritize developing a culture that is accommodating to employees who work at different times and different paces. Organizations and their leaders should be maintaining normal and routine communication with employees and teams. Just because an employee is remote doesn't mean they shouldn't have regular and transparent interactions with an organization’s leadership.
