The human factor is the biggest risk to any organization, whether as an external adversary or an internal threat, says Michael Veit of Sophos.
It is usually employees who click on phishing emails, inadvertently forward emails received from outside to everyone, or leave storage media, company cell phones or laptops on the train. Applications are also often incorrectly configured or not properly maintained. This increases the attack surface and the likelihood of something going wrong.
All of these are deliberate or inadvertent violations of internal business rules. In the worst case scenario, this could result in a breach of regulatory requirements, which could lead to the company having to make a mandatory disclosure of a data breach and all associated measures.
Positive error culture and educating the workforce
It is important for organizations to strike a balance between educating employees and developing a positive attitude and culture towards cyber threat resilience. This includes implementing clearly defined processes to maintain this culture and selecting the technologies that best suit employees and processes to mitigate threats and minimize risks.
The first step must be a clear separation between the private and working lives of the workforce. This means that company devices assigned to employees are just that: company devices. For personal activities, private devices should be used.
For employee acceptance and cooperation, it is essential to inform them about their privileged access to tools and platforms that help them perform their tasks. Open communication about expectations regarding the handling of internal information has proven to be a best practice. Raising awareness of sensitive data should become a natural part of the culture.
Everyone must support a healthy error culture
But how can companies create an environment in which employees feel encouraged to report suspicious activities? Raising awareness and building a positive corporate culture is a key factor in promoting cyber resilience.
The attitude here is (unshakably) that every incident is a learning opportunity. No report is wrong or ridiculous; only in this way can each and every individual learn what can be done better. It is also a way to encourage cross-departmental collaboration and initiate corrective action.
And the same applies here: every organization is only as strong as its weakest link. If IT leaders have initiated a process to build a strong and healthy culture to minimize insider threats, but do not have the support of senior management, the board or even a single department, this leads to inconsistent business practices and fosters a situation where a risk manifests as a security event.
The damage caused to companies by insider threats is immense
Data leaks and data loss are often due to insider threats, where information that is sensitive to the organization is sent out unchecked. Although this information would normally be classified as confidential within the business context, it now becomes "public" in the sense that individuals who have not been vetted can read it.
Data destruction is also a very typical action, in which the organization is stripped of the integrity and availability of information so that it no longer has access to important data, which can have a direct impact on the organization's ability to operate. Data destruction is often associated with ransomware operators, but is occasionally the work of insiders. The moral of the story is that a malicious insider can not only steal sensitive information for personal gain, but can also destroy it or take it from the organization entirely in order to extort a ransom for its return.
What can companies do against insider threats?
Insider threats are difficult to predict and control. Therefore, preparing for the impact an insider could cause is one of the most important processes to manage. Training employees in the proper use of business systems and in understanding business processes can go a long way toward preventing mistakes that lead to accidental data outflow and data leaks. Implementing technical controls that govern access to data and to the systems where sensitive information resides is just as important as monitoring the results of these controls and responding to policy violations that could indicate malicious activity. Ensure that employees are satisfied with their work and give them the support they need from management to make the best use of their skills.
External and insider threats must be treated equally as a potential risk to an organization. Insider threats must be included in incident response planning meetings. Not every insider will become a threat, but every one of them has the potential to do so.
Michael Veit is a Security Expert at Sophos.