Quick – name a security risk to your business that represents over half of security attacks.
Did you think “people inside my business?”
Probably not. Yet the 2015 IBM Cyber Security Intelligence Index found that over half of security attacks came from within: 31.5 per cent from malicious insiders and 23.5 per cent from inadvertent actors. And this is no exception; security studies consistently demonstrate that the majority of issues originate within the victim organization.
The popular paradigm of the mastermind hacker is misleading – there is an inherent risk in business/partner relationships. Anyone with privileged access to data and IT systems poses a serious threat.
It’s called insider risk. And “insiders” means everyone from former employees to current ones to contract workers and business partners.
The motivation for an intentional internal attack can range all the way from financial gain to extortion. Cyber security can also be compromised by carelessness – weak passwords and lost devices.
There are ways to mitigate. Considering incorporating an insider risk management program, with the following components:
- Engagement and hiring
Have contracts in place that clearly outline your security policies and procedures when hiring employees and engaging contractors. Your contract should also seek explicit legally binding consent for your organization’s monitoring and enforcement programs; this exercises appropriate, lawful due-diligence that will protect the corporation in the event of a cybersecurity infraction.
- Training and education
Training and education should occur on a continuous basis, not just when onboarding. This keeps security top-of-mind; it ensures everyone understands your cyber risk policies and procedures; it keeps everyone up-to-date; and its helps protect you from carelessness. Ultimately, it makes your organization better able to identify, understand, resist and respond to cyber threats.
- Risk assessment policies and procedures
Technology never sleeps. Periodically, assess policies and procedures to identify and prioritize changing requirements. Then implement any required changes – using straightforward explicit language – to ensure ongoing safe use of IT systems and data.
- Monitoring and enforcement
Procedures are only effective if they are monitored. Be diligent in assessing and routinely testing that anyone with access is compliant with your procedures. During high-risk periods, consider enhanced monitoring, encouraging everyone to promptly report any suspect behaviour.
- Incident response plan
Create a comprehensive plan that responds to insiders who are suspected of having caused or contributed to a cyber security incident. Then test it.
- Disengagement
When disengaging an insider, follow appropriate, lawful procedures. To minimize risk:
- Revoke all access to the IT system
- Retrieve organizational assets, such as storage and computing devices
- Take steps to ensure that no privileged information exists on a personal computer, including reminding the employee of their legal obligation to return or delete any company information upon termination.
- Remind the insider of their ongoing legal obligations to the organization, to dissuade any retaliatory action.
- Physical and technological
Hand-in-hand with your administrative policies are physical (e.g. entry cards) and technology-based security systems. Each of these should be able to detect and prevent unauthorized access, seeking a lawful and reasonable balance between security and suitability in the workplace.