Protecting Your Company’s Data: An Insider Threat Checklist
By Val LeTellier, Senior Cybersecurity Consultant
Employees are the backbone of any organization. However, their legitimate access to internal systems poses great risk to a company’s private and proprietary information — even more so than hackers. This danger can range from the disgruntled employee copying sensitive corporate data and selling it to the competition, to the well-intended employee who accidentally or unwittingly allows bad actors access to company systems which culminates in a data breach. While this “accidental” threat has a low probability of incidence, it can create catastrophic damage to a company when it does happen. Regardless of their origin, the insider threats that companies of all sizes face are broad and complex. They require an unflinching commitment to constant vigilance.
Potential insider threats can be divided into the following three categories:
- The Unintentional Risk: This is someone who does not know what information/accesses they should be protecting nor do they know how to protect themselves from cyber threats. They may unwittingly give away sensitive information through discussion with a vendor, unintentionally provide a hostile actor access to the computer network by using poor cyber security practices or go to work for a competitor and disclose proprietary information because they are unaware of their obligation to protect their prior employers’ information. These are the employees that are most likely to mistakenly click on a web link or email attachment that inserts malware into the company’s network.
Generally, this is the most likely type of insider threat to occur. While the damage is usually minor, each mistake increases an organization’s overall vulnerability. For example, when such employees are not incorporated into a company’s overall risk mitigation plan, they can pose a much larger threat to the company. That’s because they are much more likely to become a “conspirator” after being exploited or manipulated by an advanced outside actor. The first time it might be a relatively harmless mistake. The second time, they might be acting with intent to try to cover their tracks.
- The Lone Wolf: This is someone who acts maliciously and knowingly takes information to use for personal gain or in support of an ideology.
- The Conspirator: This is someone who acts maliciously and is working directly with a hostile outside actor, such as a competitor or nation-state actor, to steal information.
An employee with malicious intent can also enable a cyber-attack – individually or in connection to an outside entity – to harm a company. The outside entity can be nation-state sponsored, an organized crime group, or a hacktivist organization.
Difficult to Mitigate, But Resolvable
These threats are more difficult to mitigate but can be addressed through strong information security governance, advanced training for key personnel, sound human resources processes, software solutions/technical measures, and leveraging corporate and IT security resources. Compartmentalization of sensitive and important information can help as well.
How to Know if You Are Vulnerable
TorchStone utilizes comprehensive vulnerability audits to diagnose that a cyber threat or vulnerability exists. These multi-step assessments start with the collection of data critical to analyzing the presence of insider threats. The checklists outlined below summarize the questions all companies are encouraged to consider regarding their vulnerability to an insider threat.
- Do you have a dedicated person (or persons) with responsibility for cyber security?
- Do you have a dedicated person (or persons) with responsibility for detecting and responding to an insider threat?
- Do you have a dedicated person (or persons) with responsibility for managing a cyber-attack or incident?
- Are key functions related to cyber threats integrated or stove-piped?
- Do you have a clearly defined program for cyber security, insider threats and sensitive information protection?
- Is someone actively tracking and analyzing security incidents?
- Does the organization have an incident response plan?
- If so, how has it been validated and tested?
Policies and Procedures:
- What policies, if any, do you have related to cyber security, information security, etc.?
- How knowledgeable are employees about these policies?
- How confident are you that your personnel are adhering to security guidelines? These three examples fall under this umbrella:
- How are new personnel hired?
- What information do they provide when they join?
- Are there protocols in place to ensure mandatory cyber security and general computer training are administered prior to granting network access and/or access to sensitive information?
- Are personnel adequately educated on the legal agreements they sign during onboarding to protect sensitive information?
- How are personnel off-boarded?
- Do they receive an interview from a manager, human resources, or legal?
- Are they reminded of the legal agreements that they signed during onboarding?
- How does the organization determine when security policies and procedures need to be reviewed with employees?
Education and Training:
- Does your organization provide adequate education on cyber security and the importance of protecting sensitive information?
- Are employees able to apply lessons that they learn from education or training?
- Is the training tiered to the level of the employee?
- Do personnel with access to sensitive information receive any additional monitoring such as the use of data loss prevention software?
- Does the information technology staff conduct traffic monitoring?
- How robust are the processes and practices from a security perspective?
- Does the organization do an adequate job of segregating access to sensitive information?
- How is this process managed?
Ultimately, an insider threat program, even a comprehensive one on employees’ sound practices and programs, will be ineffective unless your network is also secure. Adversaries will always prefer to enter remotely if possible, through a technical gap in a company’s network security, than to target employees using resource-intensive collection operations. Hence, TorchStone always advocates for a holistic and comprehensive cybersecurity posture that addresses not only the human element, but also the information technology architecture.
In recent years, data breaches have caused enormous damage, and in a few rare instances, have even brought down entire companies or their executive leadership. A TorchStone insider threat program can provide a quantifiably positive impact to your organization through the reduction this very real risk. Contact us to learn more.
Val LeTellier has twenty-five years of risk management experience in the public and private sectors. Prior to providing security consulting to Fortune 500 firms and government agencies, he ran intelligence, counterintelligence, and security operations as a CIA Operations Officer and State Department Diplomatic Security Special Agent. Mr. LeTellier holds an MBA, MS in Systems Management, BA in Political Science, an Information Systems Security Certificate, and is a Certified Information System Security Professional (CISSP).