Contributed by Renee Small
According to the Ponemon Institute’s 2017 Cost of Data Breach study, 47% of the organizations represented stated that the root cause of the security breaches they suffered was a malicious or criminal attack. Respondents reported that breaches caused by criminal attacks were costlier than system glitches and human error. Some of the largest and most infamous breaches have been classified as insider threats. There are numerous technologies in the marketplace that do their part to help organizations protect themselves against insider threats, but having the right technology isn’t enough to stop these kinds of threats. A thoughtful insider threat program that addresses technologies, policies, and procedures is needed to combat insider threats. There is a human element in every single breach. Sometimes, it’s a malicious actor with the intent to harm the company and ensure that they benefit; other times, it’s an employee who accidentally clicks on a phishing email, for example, and unexpectedly exposes the organization to malware. So, the question remains: What can we do to prevent this from continuing to happen at this scale and how quickly can the incident response team find the breach when it inevitably does occur?
One area of the organization that seems to be overlooked or underutilized for using detection strategies and combating the insider threat is Human Resources. It’s typically not the first area that security leaders think of when focusing on insider threats, but it should be. HR professionals bring a diversity of thought that is inherently focused on human psychology and is typically different from the technologist’s point of view. Similar to how the enterprise risk management groups in larger organizations are viewing and assessing all types of risk across the company, HR sees the patterns of various employee issues that are happening across the organization and may be able to spot trends in certain departments or employees before they do harm to the company.
HR should play an integral role in an insider threat program with multiple touch-points throughout an employee’s career (beginning at the hiring stage) according to the CERT Insider Threat Center. CERT also provides a list of best practices that organizations can adopt to shore up their insider threat programs. The ones that are easier to implement and provide the biggest impact include:
Mature your insider threat program
Implement or mature your current insider threat program to include the broader organization––IT, HR, legal, enterprise risk management, and other areas of the company. Due to the sensitivity and confidentiality of this work (potentially probing into an employee’s private life), it is important to utilize HR as a starting point for policies and for ensuring that HR employment laws align with the program.
Track terminated employees
Since 70% of insider threat incidents are completed within 60 days of an employee leaving the organization, you should have HR provide an automated list of voluntary and involuntary terminated employees.
Improve employee engagement
Preliminary studies show that engaged employees who are fulfilled in their jobs are less likely to pose an insider threat. Partner with HR to understand best practices for maturing employee engagement programs.
Develop a watchlist of employees with behavioral indicators
HR will be essential in creating a list of employees who are exhibiting behaviors that could be an indicator for insider threats. Some examples are frequent policy violations, disruptive behavior, financial hardship, and job performance problems. Disgruntled employees are a consistent factor when it comes to insider threats.
Add insider-threat awareness training to overall security awareness training
At this point, a majority of organizations have security awareness training for their employees. Partner with HR to add insider threat awareness to the security awareness training. Like other training that is mandatory, ensure all users have completed the training and provide refreshers throughout the year so employees stay abreast of red flags and can spot malicious or accidental threats when they see them.
Companies have been successful by making updates to:
Pre-hiring practices
Larger organizations have pretty robust background check processes when hiring employees; however, some of the smaller companies must continue to mature their hiring practices by updating policies to include Google searches and social media searches. Since past performance is an indicator of future performance, this additional data check can help with hiring decisions and determining if the candidate could pose future employee issues.
New hire on-boarding
During on-boarding, the new employee is provided with mandatory training. Insider-threat awareness training should be added to the training deck an employee must complete. It can also be administered during the times of the year that there may be higher cases of security breaches or insider threats.
Mandatory vacation policies
Many organizations have roles––typically in finance, payroll, or trading––where the employee is subject to mandatory vacation. These policies should be expanded to some high-risk IT roles where employees have access to admin rights that could be a threat to the company if used maliciously.
In conclusion, there is no question that policies, procedures, and technologies are necessary in trying to prevent and detect insider threats; however, in order to minimize the damage of breaches in the future, there should be a multifaceted approach with an emphasis on a partnership with HR to provide the best barrier of protection against your own employees.
Renee Small is the CEO of Cyber Human Capital, and author of the Magnetic Hiring: Your Company’s Secret Weapon to Attracting Top Cyber Security Talent. Download a free copy at www.magnetichiring.com/book.
