Insider Threats Pose Greater Risk Than Cyberattacks
With many companies utilizing more remote workforce strategies, recent months have exposed a variety of risks within workplaces that should be considered. Chris Jones, Cybersecurity Director at DELL Technologies discussed “Remote Threats: Inside Risks and the Remote Work Paradigm” during ASA’s Bonus Webinar Wednesday on August 27th, sharing “strategies to protect your company, your employees, your customers and your bottom line.”
Jones began by quoting Dr. Larry Ponemon, Chairman of the Ponemon Institute: “We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime for months, for years, sometimes forever.”
Insider threat is a known problem throughout the corporate world, but awareness of the danger has grown considerably since the Edward Snowden disclosures of 2013. An insider threat is defined as “a person who is a trusted team member (past or present) who is either an employee or contractor, who has some form of legitimate access to your systems and facilities, and due to some stressor or motivation, they perform some action that causes damage or compromises valuable information.”
Insider threats typically fall into one of three categories. Malicious insiders intentionally take advantage of their access to harm the organization, while infiltrators are external actors who obtain legitimate access credentials without authorization. The most common category is negligent insiders, who make errors and disregard policies in ways that place their organizations at risk.
Triggers for intentional insider threats include unmet expectations, personal predispositions and bias, entitlement, substance abuse and money problems. The motivations Jones listed are power reassurance, power assertion, displaced anger, sadism and profit.
While big businesses and government spend millions of dollars on predictive learning and AI tools to mine data for indications of threat and sabotage, small businesses are in a better position because there’s no substitute for “the value of relationships and knowing your employees,” Jones said. “Employees are the most accurate and effective early warning indicator you have as long as you train them and provide a way to deal with the concerns raised – you’ve got a better opportunity to get in front of a potential problem before it becomes reality.”
“Treating people like human beings and listening to them will do more to defuse a negative situation than anything else,” Jones continued. “Have a plan for discussing problems with employees, making sure to show concern and compassion and trying to help if possible. This will create loyalty.”
If employees don’t respond to these efforts, it may be time to consider whether they’re the right fit for the company, and shop owners should also have a process for dealing with toxic employees who are unresponsive to these attempts. Indicators of a disgruntled employee include declining work performance, declining hygiene, mentioning interviews with competitors, signs of money problems, sudden affluence, and unapproved or unexplained changes in work hours. “These people aren’t necessarily a problem, but you need to be aware of the risk they pose,” Jones cautioned.
The immediate shift to remote work as a result of COVID-19 was unexpected and caused many businesses to change their processes to some degree, particularly those that thrive on personal relationships and customer interactions, like collision repair shops. According to a 2019 study, only 3.6% of Americans worked from home full-time, but earlier this year many organizations moved to a remote workforce within just a couple of weeks, leaving gaps in their security controls.
Negligent insider threat is made worse by the fact that 33% of small businesses don’t train employees to recognize common attack tactics such as phishing and ransomware. Jones explored the many changes, internal and external, that have created additional risk during this period, including increased VPN volume, employment uncertainty, changes in user permissions, a higher frequency of phishing attempts, and more.
To mitigate these threats, Jones recommended a series of tactics, beginning with training. Employers should also use endpoint insights where available, leverage predictive analysis, continually reassess SOPs, and require additional MFA on individual cloud services. A third-party evaluation of the existing security infrastructure is imperative, as is ensuring that HR policies are updated and closely followed. Most importantly, companies should conduct regular, random employee testing (for example, simulated phishing) to identify those who need additional training in recognizing and thwarting cyberattacks.
Shop owners who are intent on protecting their companies from insider threats should know who they are hiring, create a security culture within the organization, and identify and protect their “crown jewels,” such as their customer list and suppliers. Recognize that people are human and allow them to express emotions, including frustration, but never get into the position where only one person knows how to perform a function or has access to certain information.
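Several of the recommendations above (watching for changes in user permissions, requiring MFA on cloud services that hold the “crown jewels,” and never letting a single person be the only one with access to something) can be checked in one periodic access review. The script below is an added illustration written for this article, not code shown in the webinar or published by Dell or ASA. The user list, systems, roles and MFA enrollment are constructed sample data standing in for what a shop owner would export from their CRM, payroll and email admin consoles; the system and user names are assumptions.

```python
"""Periodic access review for a small business (illustrative, constructed data).

Compares a baseline permission snapshot against the latest export and reports:
  * grants added or removed since the baseline (including brand-new accounts),
  * crown-jewel systems that only one person can reach (key-person risk),
  * users who reach crown-jewel systems without MFA enrolled.
"""
from collections import defaultdict

# Constructed snapshots: user -> set of (system, role). BASELINE is the review
# done before the move to remote work; LATEST is today's export. Names are
# hypothetical.
BASELINE = {
    "alice": {("crm", "admin"), ("email", "user"), ("payroll", "admin")},
    "bob":   {("crm", "user"), ("email", "user")},
    "carol": {("email", "user"), ("shop_mgmt", "user")},
}
LATEST = {
    "alice": {("crm", "admin"), ("email", "user"), ("payroll", "admin")},
    "bob":   {("crm", "admin"), ("email", "user")},   # quietly became CRM admin
    "carol": {("email", "user")},                     # lost shop_mgmt access
    "dave":  {("crm", "user"), ("email", "user")},    # account with no baseline
}
CROWN_JEWELS = {"crm", "payroll"}   # customer list and supplier/payroll data
MFA_ENROLLED = {"alice", "carol"}   # constructed: who has MFA turned on


def permission_changes(baseline, latest):
    """Return {user: (added, removed)} for every user whose grants differ."""
    changes = {}
    for user in set(baseline) | set(latest):
        before = baseline.get(user, set())
        after = latest.get(user, set())
        added, removed = after - before, before - after
        if added or removed:
            changes[user] = (added, removed)
    return changes


def single_holder_systems(latest, systems):
    """Map each system in `systems` that exactly one person can reach to that person."""
    holders = defaultdict(set)
    for user, grants in latest.items():
        for system, _role in grants:
            holders[system].add(user)
    return {s: next(iter(holders[s])) for s in systems if len(holders[s]) == 1}


def crown_jewel_users_without_mfa(latest, systems, mfa_enrolled):
    """Users holding any grant on a crown-jewel system who are not MFA-enrolled."""
    return sorted(user for user, grants in latest.items()
                  if any(system in systems for system, _ in grants)
                  and user not in mfa_enrolled)


def audit(baseline, latest, crown_jewels, mfa_enrolled):
    """Produce the review findings as a list of human-readable lines."""
    findings = []
    for user, (added, removed) in sorted(permission_changes(baseline, latest).items()):
        tag = "NEW ACCOUNT" if user not in baseline else "ADDED"
        for system, role in sorted(added):
            findings.append(f"{tag}: {user} gained {role} on {system}")
        for system, role in sorted(removed):
            findings.append(f"REMOVED: {user} lost {role} on {system}")
    for system, user in sorted(single_holder_systems(latest, crown_jewels).items()):
        findings.append(f"KEY PERSON: only {user} has access to {system}")
    for user in crown_jewel_users_without_mfa(latest, crown_jewels, mfa_enrolled):
        findings.append(f"NO MFA: {user} reaches crown-jewel systems without MFA")
    return findings


if __name__ == "__main__":
    for line in audit(BASELINE, LATEST, CROWN_JEWELS, MFA_ENROLLED):
        print(line)
```

On the sample data the review flags Bob’s escalation to CRM admin, Carol’s lost shop-management access, Dave’s new account, payroll being reachable only by Alice, and Bob and Dave reaching the customer list without MFA. Each finding is a conversation to have, not proof of wrongdoing, which matches the webinar’s point that the goal is to get in front of a problem early. Real exports will need a small adapter per console, and the baseline should be re-saved once each change has been approved.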
Back up your data constantly, and manage risks by evaluating what risks exist and how to address them. Empower someone to lead in this protection. Jones ended with a Q&A session. For more information on ASA and future webinars, visit asashop.org/asa-webinars/.