We all know the profile of an “insider threat”: the disgruntled employee who wants to get back at the boss, the spy posing as a trustworthy staff member, or the idealistic computer whiz who believes protected information should be public knowledge. History shows that people fitting these profiles exist, but they do not represent the entire spectrum of workforce risk. In many cases employees who are model citizens, with no motive or intent to cause harm, can do just as much damage.
Many organizations are aware of the threat: the SolarWinds 2015 Federal Cybersecurity Survey found that 55 percent of Defense Department IT professionals surveyed said careless and untrained insiders are the greatest source of threats to their agencies’ IT security. While 66 percent said malicious insider threats could be as damaging as or more damaging than external attacks, 56 percent also said that damage such as data leakage caused by careless insiders could be just as bad as that caused by malicious attackers.
So how should organizations turn awareness into prevention?
Start by knowing the most likely threats. The SolarWinds survey cited above listed the most common causes of accidental insider threats as the following (percentage of respondents who identified each as one of the most common causes):
- Phishing attacks (42%)
- Data copied to insecure devices (44%)
- Accidentally deleting, corrupting or modifying data (41%)
- Using personal devices against company IT policy (37%)
- Poor password management (37%)
- Device loss (36%)
- Incorrect use of approved personal devices (33%)
- Not applying security updates (31%)
- Incorrect disposal of hardware (28%)
- Insecure configuration of IT assets (24%)
These vulnerabilities can be headed off in two ways: 1) establishing basic information safeguards that decrease the likelihood of occurrence, and 2) continuously training employees to reduce errors.
Basic information safeguards
Some information safeguards can be put in place for free or nearly free; others will require investment. Poor password management is one vulnerability that should be easy to mitigate: have the IT department enforce strong passwords at account creation and require two-step verification (multi-factor authentication) on all accounts. Closing the loop on other vulnerabilities is just a matter of configuring settings correctly. Most enterprise IT systems can and should be configured to back up files automatically, to restrict the rights to delete or move files to administrators, and to push security updates to all systems automatically. Automatic backups blunt the accidental-deletion risk on the list above, and automatic patching takes the “not applying security updates” item out of the employee’s hands.
Beyond the free safeguards lie software and services that require investment. Beware of being sold something you don’t need: before making any IT purchase, build a simple prioritization chart. Draw a grid on poster board or a whiteboard (for example, cost against expected risk reduction) and use sticky notes to plot the projects that would improve your information security. Options you might consider include robust change-control criteria for systems, log correlation systems, security information and event management (SIEM) systems, endpoint monitoring, and integrating physical security data with network security data.
Continuous employee training
Of course, all employees should be trained in basic information security practices during onboarding. But training also needs to be continuous. Instead of just mandating periodic refreshers, think outside the box with your training program. To mitigate the chief cause of accidental data leakage, train employees on phishing by running live exercises: at random intervals, send simulated phishing emails and measure how many employees click a link that could have been malicious. Record the results per recipient rather than as a single total, so that training can be targeted at the department or even the employee level and improvement can be measured over time.
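The measurement step above is easy to get wrong if the links in the simulated emails are shared or guessable, because then a click cannot be attributed to a person and a curious colleague forwarding the link inflates the numbers. The following is an added example, not code from the original article or from SolarWinds: it generates a per-recipient, per-campaign link token signed with an HMAC, rejects tokens that do not verify, and computes click rates per department for each campaign so that two campaigns can be compared over time. The campaign key, the employee roster and the click log are constructed sample data; the log format (one `YYYY-MM-DD <token>` line per click, written by a hypothetical landing page) is an assumption.

```python
"""Phishing-simulation measurement (added example; not from the original article).

Assumed setup (not in the source): every recipient gets a unique, HMAC-signed
token in the simulated email's link, and the landing page appends one line
"YYYY-MM-DD <token>" to a log for each click. Roster and log below are constructed.
"""
import hashlib
import hmac
from collections import defaultdict

# Hypothetical per-campaign secret. In practice load it from a secret store, never from source.
CAMPAIGN_KEY = b"example-campaign-key-do-not-reuse"

# Constructed roster: employee id -> department.
ROSTER = {
    "e001": "Finance", "e002": "Finance", "e003": "Finance",
    "e004": "Engineering", "e005": "Engineering",
    "e006": "HR",
}


def make_token(employee_id: str, campaign: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Unique per recipient and campaign; the HMAC tag makes forged/guessed tokens detectable."""
    msg = f"{campaign}:{employee_id}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    return f"{campaign}.{employee_id}.{tag}"


def verify_token(token: str, key: bytes = CAMPAIGN_KEY):
    """Return (campaign, employee_id) if the tag verifies, else None."""
    try:
        campaign, employee_id, tag = token.split(".")
    except ValueError:
        return None
    expected = make_token(employee_id, campaign, key).rsplit(".", 1)[1]
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None
    return campaign, employee_id


def click_rates(log_lines, roster, campaigns):
    """Return {campaign: {department: (employees_who_clicked, employees_in_department)}}.

    Each employee counts at most once per campaign (a second click is not a second
    failure); malformed lines, forged tokens, unknown campaigns and unknown employees
    are ignored rather than counted.
    """
    clicked = {c: set() for c in campaigns}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        _day, token = parts
        result = verify_token(token)
        if result is None:
            continue
        campaign, emp = result
        if campaign in clicked and emp in roster:
            clicked[campaign].add(emp)

    dept_size = defaultdict(int)
    for dept in roster.values():
        dept_size[dept] += 1

    report = {}
    for campaign, emps in clicked.items():
        per_dept = defaultdict(int)
        for emp in emps:
            per_dept[roster[emp]] += 1
        report[campaign] = {d: (per_dept[d], dept_size[d]) for d in dept_size}
    return report


# Constructed click log: campaign "q1" in January, "q2" in April.
SAMPLE_LOG = [
    f"2016-01-12 {make_token('e001', 'q1')}",
    f"2016-01-12 {make_token('e001', 'q1')}",  # same employee clicked twice
    f"2016-01-13 {make_token('e002', 'q1')}",
    f"2016-01-13 {make_token('e004', 'q1')}",
    "2016-01-14 q1.e003.0000000000000000",      # forged tag: rejected
    "2016-01-14 not-a-log-line",                  # malformed: ignored
    f"2016-04-05 {make_token('e001', 'q2')}",
]

if __name__ == "__main__":
    for campaign, depts in click_rates(SAMPLE_LOG, ROSTER, ["q1", "q2"]).items():
        for dept, (hit, total) in sorted(depts.items()):
            print(f"{campaign} {dept:12s} {hit}/{total} clicked ({100 * hit / total:.0f}%)")
```

Running it shows Finance dropping from 2 of 3 in the first campaign to 1 of 3 in the second, and the same employee (e001) clicking in both, which is exactly the signal needed to decide where follow-up training goes.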
Lastly, training doesn’t always have to be in the negative context of preventing screw-ups. Flip it on its head and start rewarding good behavior. Recognize the departments within your organization that practice excellent information security. For example, you might provide an award (like a small gift card) to the employee who reports the best phishing email, or recognize an IT staff member who recommended a settings or policy change that made your data more secure.
Enforcing basic security safeguards, training continuously, and rewarding good information security practices certainly don’t make for great drama, but they could make the difference in protecting your organization’s most valuable assets.