Insider Threats Aren't Always Malicious | Secure Cloud Backup Software | Nordic Backup

It’s true that disgruntled employees with access to critical systems and data can intentionally cause a lot of damage, but a significant percentage of insider threats result from the actions of employees and vendors who meant no harm. Perhaps they took some shortcuts to get the job done or were just a bit careless when handling data. Whatever the reason, a significant percentage of successful cyber attacks are facilitated by the actions of well-meaning company insiders.

Failure to follow policies and procedures

This has become especially problematic since the transition to remote and hybrid work models. Either there aren’t sufficient security-related policies and procedures in place to address issues relating to remote work or employees simply fail to follow those that do exist.

Whether staffers are working remotely or in the office, failure to adhere to policies and procedures can result in data and/or system compromise. Vendors and employees can also compromise physical security by failing to comply.

Insiders may have what they believe to be valid reasons for their failure to adhere to company policies and procedures. They may simply be unfamiliar with them. Whatever their reasons, the consequences can be costly.
•   Mitigation – Organizations must ensure not only that they have effective security policies and procedures in place but also that they communicate them effectively to staff and to any vendors or contractors with facility access. Employers must also have enough visibility into their operations to identify those who are not following policy. Once identified, those insiders need to be educated about the potential consequences of their actions.

Failure to adhere to regulatory requirements

Many industries are subject to regulatory oversight and must comply with governmental regulations. As with company policies and procedures, the failure to comply with those regulations could increase the organization’s vulnerability to cyber threats. Failure to follow them could also result in penalties including fines being imposed.
•   Mitigation – The recommendations for mitigating threats resulting from failure to adhere to regulatory requirements are the same as those for failing to follow internal policies and procedures. Employee education is key.

Taking shortcuts

Even if it’s done with good intentions, employees taking shortcuts while handling sensitive data or accessing critical systems poses a significant risk. Examples include sharing login credentials to provide needed access to a fellow employee or vendor or utilizing external resources to store or move sensitive company data. Perhaps a staffer preparing to work remotely copies needed files to a flash drive or external cloud storage account rather than using a secure company-provided remote connectivity solution to access the data.
•   Mitigation – In addition to developing security policies and defining the consequences for failing to follow them, employers should also encourage input from their staffers. If workers have come up with a better way to perform some function, they should be afforded the opportunity to discuss it with their managers or other personnel in a position to evaluate their input. By working together, company personnel may be able to use that input to develop a more efficient operating procedure without jeopardizing security.

Risks related to the use of personal devices

The use of personal devices to access company resources must be regulated. Such devices may be infected with malware, sensitive company data can be downloaded to them, and they can be lost or stolen.
•   Mitigation – Organizations, especially those with remote workers, should have “bring your own device” (BYOD) policies in place that address the use of personal cell phones, tablets, and remote computers. If they are not permitted to use personal devices, that should be stated in company policy. If personal device usage is permitted, restrictions and limitations relating to their usage should be covered by company policy. In some instances, personal device usage may be restricted by regulatory requirements. If it is, that should be effectively communicated to the staff. Approved methods for securely connecting these devices to company resources should also be provided if their usage is permitted.

Remote work risks

A remote employee’s home office is effectively an extension of an organization’s physical infrastructure, but one over which the organization has no physical control. The company can’t restrict access to a home office or the resources therein. This means that the organization must do whatever is possible and practical to ensure that remote staffers work securely and limit access to systems used to connect with company resources.
•   Mitigation – Once again, developing and communicating effective security policies and procedures will significantly reduce the risks associated with remote work. Providing a secure connectivity solution for remote workers and requiring them to use it is also necessary for risk mitigation. Allowing remote employees to connect via a connectivity solution like RDP that has known vulnerabilities is not recommended.
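The visibility the "Taking shortcuts" and "Remote work risks" mitigations call for can be partly automated. The following added example (not code from the original post or from Nordic Backup) runs over a constructed authentication log and flags two of the well-meaning behaviours described above: one account used from several hosts within minutes, which suggests shared credentials, and RDP sessions arriving from outside an assumed approved address range, which suggests a bypass of the sanctioned remote-access solution. The log format, the 10.20.0.0/16 approved range and the ten-minute window are assumptions for the example.

```python
"""Added example: flag possible credential sharing and RDP use that bypasses
the approved remote-access path, using a constructed sample log."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log lines (not from any real system): time, user, source IP, service.
SAMPLE_LOG = """\
2024-03-04T09:00:12 alice 10.20.1.15 vpn
2024-03-04T09:03:40 alice 10.20.1.15 fileshare
2024-03-04T09:05:02 bob 10.20.1.30 fileshare
2024-03-04T09:06:55 alice 10.20.7.88 fileshare
2024-03-04T09:07:10 carol 203.0.113.9 rdp
2024-03-04T09:08:00 dave 10.20.2.5 rdp
"""

# Assumed approved ranges (office LAN plus VPN pool); RDP from anywhere else is a policy bypass.
APPROVED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
SHARE_WINDOW = timedelta(minutes=10)  # assumed window for "same account, different hosts"


def parse_log(text):
    """Parse whitespace-separated lines into (timestamp, user, ip, service) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, service = line.split()
        events.append((datetime.fromisoformat(ts), user, ipaddress.ip_address(ip), service))
    return events


def shared_credential_users(events, window=SHARE_WINDOW):
    """Return users seen from more than one source IP within `window` of each other."""
    by_user = defaultdict(list)
    for ts, user, ip, _ in events:
        by_user[user].append((ts, ip))
    flagged = set()
    for user, seen in by_user.items():
        seen.sort()
        for i, (t1, ip1) in enumerate(seen):
            for t2, ip2 in seen[i + 1:]:
                if t2 - t1 > window:
                    break  # later entries are further away still
                if ip2 != ip1:
                    flagged.add(user)
    return sorted(flagged)


def unapproved_rdp(events, approved=APPROVED_NETS):
    """Return (user, ip) pairs where an RDP session came from outside the approved ranges."""
    return sorted((user, str(ip)) for _, user, ip, service in events
                  if service == "rdp" and not any(ip in net for net in approved))
```

Both functions return the flagged items rather than printing them, so the same logic can feed a ticketing or alerting step; the flags are prompts for a conversation with the employee, not proof of misuse.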

Summing up…

A common theme here is the need for communication and training. Policies and procedures must be developed and effectively communicated to staffers. Employees must also be made aware of the consequences associated with failing to follow the rules. Two-way communication should be encouraged as well. If an employee finds a better way to get a job done, he or she should be encouraged to discuss it with management. Good communication and effective training combined with technical controls can significantly reduce the likelihood that a company insider will, albeit unintentionally, act in a way that puts the organization’s resources at risk.
