In Part 1 of this article (inspired by the Department of Defense designating September as National Insider Threat Awareness Month), we discussed how to respond when employees pose an unintentional threat to information systems security. But what if the threat is intentional?
No one wants to think that their employees would maliciously act against the best interests of the company or its clients. But the 2018 Global Study on Occupational Fraud and Abuse revealed over $7 billion in total losses within a 22-month period – all due to occupational fraud. And small businesses lost almost twice as much per fraud scheme as larger companies.
The Intentional Threats
The forms internal threats take are as varied as the reasons why people are willing to abuse the trust employers place in them. Here are just three examples.
Firstly, there’s the hacker. (I’m using the term loosely here). This employee wanders around your information systems out of curiosity or boredom, checking out files and experimenting with tools and applications. Without meaning to, the hacker can “lose” files or corrupt data because they don’t fully understand the implications of what they’re doing. Even if data isn’t lost or harmed, the hacker can accidentally create security vulnerabilities. The employee who wants to surprise co-workers or IT team members with an “improved” version of an application or database is another variation of the hacker.
Secondly, we have the fraudster. The fraudster is the person most of us envision when we think of an internal threat. They access company data for unethical or illegal purposes. For example, the fraudster may steal employees’ or clients’ identities to sell or use. Creating bogus vendor accounts to misdirect company funds is another common ploy. The fraudster may also expose confidential information or steal the company’s intellectual property. Of course, there are lots of other schemes as well.
Finally, a disgruntled (former) employee may misuse access to information systems to embarrass or hurt the company in revenge for a real or imagined slight. The actions the disgruntled employee takes often aren’t that different from those of the fraudster, but now it’s not about financial gain. It’s about doing as much damage as possible. Attacks may be directed against the company as a whole or target specific co-workers. The employee intent on exposing company “wrongdoing” to further a personal political or social cause is a similar situation.
How to Protect Your Data
So how can you mitigate the risks posed by these individuals? We’ve already talked about the need to control system access in Part 1. Users’ access needs to be restricted to the information needed to complete their job tasks. System defenders also need to remind users frequently not to share their login credentials and/or passwords with ANYONE else – even fellow employees.
But that’s only the first step.
Track Employee Activity
Even if employees aren’t going outside their approved access, it may still be desirable to monitor their activity in the system. Fortunately, it’s a lot harder to conceal activity than most people think. Enabling audit trails and logging system activity lets IT personnel know who’s on the system and exactly what they’re doing – down to the keystroke level, if necessary. Implementing such measures before an incident occurs is ideal, but forensic software can also be installed after the fact to help determine the source and scope of a breach.
It’s important to inform employees that their activity is monitored – although the specifics of how should be kept strictly confidential. Depending on the state, such notifications may be required by law. More importantly, it’s the ethical thing to do. Information system security isn’t about playing “gotcha.” Even employees who would never dream of doing anything unethical or illegal can get nervous at the thought of Big Brother hovering over their shoulders. Honesty and transparency (within reason) help diffuse this discomfort. Additionally, communicating that security measures are in place may serve as a deterrent. They can also help exonerate a falsely suspected team member.
On a related note, make backups of system data often and keep several generations of backups (carefully labeled, of course). If information is lost or corrupted, good backups can get a company back to work quickly. Comparing suspect data to backups can also help forensic investigators. It’s also a good idea to test the accuracy and completeness of backups regularly and practice deploying them.
Know Your Team
Even with all these technological solutions, don’t overlook the value of good old-fashioned supervision. Leaders need to know what their employees are doing. Engagement with the day-to-day of employees’ work lives soon reveals which individuals have too much free time on their hands. Getting to know employees also helps identify individuals under financial or emotional stress (who may be tempted to commit theft or other types of fraud). Additionally, understanding employee morale can diffuse the threat of disgruntled employees.
Make Data Security Part of the Hiring and Exit Processes
Obviously, data security needs to be part of a company’s day-to-day activity, but it should be an integral part of a company’s hiring and exit processes. When new employees join the team, determine their access and training needs. It’s always better to create good habits than correct bad ones. When employees receive promotions or make lateral moves, reassess and update their access needs.
Again, don’t neglect explaining why they should (or shouldn’t) engage in certain activities. It’s a lot easier to sell, “Don’t live stream music over the Internet,” for example, by explaining, “It slows the system to a crawl and makes it hard to get our work done” than leaving people to imagine, “We’re a mean-spirited company that doesn’t want our employees to have any fun.”
Most importantly, when an employee leaves the company – whether voluntarily or not – terminate their access to all company information systems immediately. Update system passwords, as well as any shared passwords or credentials. (If you’ve followed my earlier advice, there shouldn’t be many of those.) Also, if an employee linked personal social media accounts like LinkedIn or Facebook to the company’s accounts, require them to disconnect or update their status before they leave. Such accounts belong to the employee, so actions a company can take are limited, but just asking can make a difference.
Unfortunately, no cybersecurity defense is perfect – especially against bad actors determined to cause damage. Technology and the techniques to misuse and abuse them are constantly evolving. Taking the steps discussed in these articles, however, provides system defenders with a head start. And educating employees about the need for and how-to of being responsible users can turn a potential risk into a powerful asset.