In cyber security, the “Insider Threat” refers to potential actions taken by people within an organisation that can cause harm, as opposed to hackers attacking from the outside. Sometimes an insider takes actions maliciously with intent to steal data or cause damage. In other cases, the insider takes actions accidentally by clicking a link or sharing information because they make a mistake or don’t understand the consequences of their actions.
The challenge for a small business is to find ways to allow people to do their jobs, while at the same time protecting the business from insider actions that pose security problems.
On the one hand, employers want to trust their employees and allow them to carry out their duties. Setting up many roadblocks for employees can slow down the business and affect its ability to operate. On the other hand, employers need to protect themselves from potential loss, sabotage, or at a minimum negative press. Although this is a difficult problem, companies can take steps to defend against this threat.
Before a company can implement a successful security programme, the executives or owners of the company must be aware that the threat exists and take it seriously. The executives are responsible for making the decisions that protect the business and must buy into and sign off on any security programme. Business owners must also help enforce the security programme.
- Security Policy
A clear, written security policy should inform employees what they should and should not do. In some cases, employees may not realise how their actions can cause damage. Inappropriate access may simply be a result of curiosity more than malicious behaviour. Sometimes employees just want to do their job or help someone and do not understand the consequences of risky actions.
A policy makes it easier for employees to decide what actions to take. A policy will make it easier for an employee who follows the rules to say no to a person using social engineering tactics. If there is no documentation or the employer does not inform employees it exists, the employer may have no recourse if an employee takes actions that cause security problems. The company must also have proper evidence showing an employee did not follow the policy and enforce the policy consistently.
The policy alone will not do any good if employees do not know it exists or what it says. Effective training involves more than simply handing out a document and having employees sign it. Employees are busy and overloaded. The ability to influence behavioural change may be improved by integrating training into the processes employees use to do their jobs.
- Segregation of Duties
Segregation of Duties or Separation of Duties involves structuring work in a way that requires more than one person to carry out a task. Financial processes often follow this principle. Organisations can apply this principle to IT security by having, for example, one team to create accounts and permissions to access data, other teams to process data and a separate team to manage encryption keys.
Every organisation is different and will need to decide which processes and data are most critical. After figuring out what needs the most protection, design the related systems and processes to limit access to what is necessary for an employee or system to do the job. Implement an organisational structure that avoids giving a single person full access to all systems and data. Incorporate checks and balances into processes handling sensitive data.
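One way to make the structure above checkable rather than a matter of good intentions is to write down the roles, the permissions each role grants, and the duty pairs that must never sit with one person, then audit the actual assignments against that model. The Python below is an added example written for this article; it is not code from the original page or from WatchGuard. The roles, permissions, toxic pairs and user assignments are constructed for illustration, and `approve_request` implements a hypothetical two-person rule for sensitive changes.

```python
"""Segregation-of-duties and least-privilege audit over a small role model.

Added example with constructed data: roles, permissions, toxic pairs and
assignments below are hypothetical and chosen to mirror the article's
account-admin / data-processor / key-custodian split.
"""

# Which permissions each role grants (hypothetical).
ROLE_PERMISSIONS = {
    "account_admin": {"account.create", "permission.grant"},
    "data_processor": {"data.read", "data.write"},
    "key_custodian": {"key.manage"},
    "auditor": {"log.read"},
}

# Duty pairs one person must never hold at once: together they let a single
# insider grant themselves access and then use it, or alter data and the
# keys protecting it, with nobody else in the loop.
TOXIC_PAIRS = {
    frozenset({"account.create", "data.read"}),
    frozenset({"permission.grant", "data.read"}),
    frozenset({"data.write", "key.manage"}),
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role a user holds."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(assignments, role_permissions=ROLE_PERMISSIONS,
                   toxic_pairs=TOXIC_PAIRS):
    """Return {user: [sorted toxic pairs the user holds]} for violating users."""
    violations = {}
    for user, roles in assignments.items():
        perms = effective_permissions(roles, role_permissions)
        held = [tuple(sorted(pair)) for pair in toxic_pairs if pair <= perms]
        if held:
            violations[user] = sorted(held)
    return violations


def excess_permissions(roles, required):
    """Least-privilege check: permissions granted beyond what the job needs."""
    return effective_permissions(roles) - set(required)


def approve_request(requester, approver, assignments, required_role):
    """Two-person rule: the approver must be a different person who holds
    required_role. Returns (approved, reason)."""
    if approver == requester:
        return False, "requester cannot approve their own request"
    if required_role not in assignments.get(approver, set()):
        return False, f"{approver} does not hold {required_role}"
    return True, "approved"


# Constructed user-to-role assignments; "dave" holds a toxic combination.
ASSIGNMENTS = {
    "alice": {"account_admin"},
    "bob": {"data_processor"},
    "carol": {"key_custodian"},
    "dave": {"account_admin", "data_processor"},
}

if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    print("excess for bob:", excess_permissions(ASSIGNMENTS["bob"], {"data.read"}))
    print(approve_request("bob", "alice", ASSIGNMENTS, "account_admin"))
```

Run the audit whenever roles change, not once a year: the combination that matters is usually created by a temporary "just add them to the other team too" decision that nobody revisits.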
- Monitoring
Rather than distrust employees or build stringent systems to enforce every rule, an organisation can set up monitoring and alerts for security-related actions. If an employee acts outside of company policy, that employee can receive more training. If an employee consistently disregards the security policy, the organisation can take the actions written in the policy.
Monitoring needs to comply with the privacy laws applicable to the organisation and locations in which it does business. To trust the data from monitoring systems, the monitoring systems themselves must be secure. Monitoring is not a purely technical control and requires human involvement.
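The monitoring described above comes down to a small set of rules run over the audit trail that systems already produce. The Python below is an added example, not code from the original page or from WatchGuard: it parses a constructed audit log (one JSON object per line, similar in shape to what an application or directory service might emit) and applies three hypothetical rules, namely a privileged action by someone outside the permitted set, sensitive data access out of hours, and a bulk export above a threshold. The user names, actions, thresholds and log lines are all constructed.

```python
"""Detection rules over a constructed audit log (added example).

The log lines, allowed-user policy and thresholds are hypothetical.
"""
import json
from datetime import datetime

# Constructed audit events: not real data.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:00", "user": "alice", "action": "account.create", "target": "newhire7"}
{"ts": "2024-03-04T09:15:00", "user": "bob", "action": "data.read", "target": "customers.csv", "rows": 40}
{"ts": "2024-03-04T23:41:00", "user": "bob", "action": "data.read", "target": "customers.csv", "rows": 20}
{"ts": "2024-03-04T10:02:00", "user": "bob", "action": "account.create", "target": "svc-backup"}
{"ts": "2024-03-04T10:05:00", "user": "bob", "action": "data.export", "target": "customers.csv", "rows": 50000}
{"ts": "2024-03-04T10:30:00", "user": "carol", "action": "key.rotate", "target": "db-master"}
"""

# Hypothetical policy: who may perform each privileged action.
ALLOWED = {
    "account.create": {"alice"},
    "key.rotate": {"carol"},
}
SENSITIVE_ACTIONS = {"data.read", "data.export"}
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59, hypothetical
EXPORT_ROW_LIMIT = 10000        # hypothetical threshold


def parse_events(text):
    """Parse one JSON event per line, converting the timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect(events):
    """Apply the rules in event order; return (rule, user, detail) tuples."""
    alerts = []
    for e in events:
        # Rule 1: privileged action by a user outside the permitted set.
        if e["action"] in ALLOWED and e["user"] not in ALLOWED[e["action"]]:
            alerts.append(("unauthorised_privileged_action", e["user"], e["action"]))
        # Rule 2: sensitive data touched outside business hours.
        if e["action"] in SENSITIVE_ACTIONS and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("out_of_hours_access", e["user"], e["target"]))
        # Rule 3: bulk export larger than the threshold.
        if e["action"] == "data.export" and e.get("rows", 0) > EXPORT_ROW_LIMIT:
            alerts.append(("bulk_export", e["user"], f"{e['rows']} rows"))
    return alerts


def alerts_by_user(alerts):
    """Count alerts per user; repeat offenders are what the policy escalates."""
    counts = {}
    for _rule, user, _detail in alerts:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print(alerts_by_user(found))
```

Each alert is a prompt for a human to look, as the paragraph above says; an out-of-hours read may be a late shift, and the count per user is what tells a training conversation apart from a policy breach.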
- Incident Response
In the case of an incident, how will your company respond? A small business may use a managed security services provider to help in cases like this if full-time security staff are not an option. Do you have the backups to quickly restore your business operations? Do you have the necessary logs to figure out what actions the insider took? Are the logs secure, or could they have been deleted or altered? Considering these things before the incident may help a business recover with minimal damage.
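The question of whether the logs could have been deleted or altered has a standard technical answer: chain each record to the previous one with a keyed hash, keep the key away from the people whose actions are logged, and periodically copy the latest hash somewhere the log writers cannot reach. The Python below is an added example, not code from the original page or from WatchGuard; the key and the log records are constructed. It shows that editing, deleting or reordering an entry breaks the chain, and also the caveat that silently dropping the newest entries does not, which is why `verify_anchored` compares the head hash against a separately stored copy.

```python
"""Tamper-evident audit log using an HMAC hash chain (added example).

KEY and SAMPLE_RECORDS are constructed. In a real deployment the key is held
by the log collector only, never by the hosts or users being logged.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64
KEY = b"constructed-demo-key-do-not-reuse"

# Constructed records, not real events.
SAMPLE_RECORDS = [
    {"ts": "2024-03-04T09:12:00", "user": "alice", "action": "account.create", "target": "newhire7"},
    {"ts": "2024-03-04T10:02:00", "user": "bob", "action": "data.export", "target": "customers.csv"},
    {"ts": "2024-03-04T10:30:00", "user": "carol", "action": "key.rotate", "target": "db-master"},
]


def _digest(key, prev_hash, record):
    """HMAC over the previous hash and a canonical encoding of the record."""
    payload = prev_hash + "\n" + json.dumps(record, sort_keys=True)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append(chain, key, record):
    """Append a record, binding it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(key, prev, record)}
    chain.append(entry)
    return entry


def verify(chain, key):
    """Walk the chain; return (True, None) or (False, index of first bad entry).

    Catches edited, deleted, inserted and reordered entries, but not removal
    of the newest entries, because nothing after them references their hash.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _digest(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["hash"], expected):
            return False, i
        prev = entry["hash"]
    return True, None


def verify_anchored(chain, key, expected_head):
    """Chain check plus comparison of the head hash with an externally stored
    anchor, so truncation is detected as well. Returns (ok, reason)."""
    ok, bad = verify(chain, key)
    if not ok:
        return False, f"chain broken at entry {bad}"
    head = chain[-1]["hash"] if chain else GENESIS
    if not hmac.compare_digest(head, expected_head):
        return False, "head hash does not match the externally stored anchor"
    return True, "ok"


def build_sample_chain(key=KEY):
    """Fresh chain from the constructed records (copies, so callers may mutate)."""
    chain = []
    for rec in SAMPLE_RECORDS:
        append(chain, key, dict(rec))
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = chain[-1]["hash"]      # in practice shipped off-host regularly
    print("intact:", verify(chain, KEY))
    chain[1]["record"]["action"] = "data.read"   # insider rewrites the export
    print("edited:", verify(chain, KEY))
    print("truncated:", verify_anchored(build_sample_chain()[:-1], KEY, anchor))
```

The anchor can be as simple as the latest head hash e-mailed to an external mailbox or written to a provider's write-once storage each hour; the point is that the person who can edit the log on the host cannot also edit the anchor.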
Defending Against Insider Threats Protects Everyone
Creating defensive measures to prevent insider threats helps not only the business but also its customers and employees. Organisations protect themselves from the consequences of a data breach, including negative press and financial loss. Customers benefit from data protection. Employees find it easier to do their work securely by following straightforward policies and understanding why they exist. Policies and well-informed employees will make it difficult for a person with malicious intent to trick or coerce employees who are following the rules into taking harmful actions. System architecture and process design can limit data loss. Monitoring can help alert organisations to unwanted activity.
Involving employees in security efforts allows everyone to understand and contribute to improving the effectiveness of security programs.
About the author
Paul Sadler, APAC Marketing Manager from WatchGuard Technologies