On several occasions in the past, as a guest speaker at public forums on cybersecurity and data privacy, I have received mixed reactions to survey results showing that the bigger threats come from insiders. Some would nod in agreement, while the majority appeared surprised, perhaps realizing the truth of it for the first time.
My audience often consisted of board members, the C-suite, managers and supervisors. It was obvious then that higher-ups tend to overlook this very important element of information security.
The real threats
An insider threat is a malicious threat that comes from people within the organization who are privy to confidential or sensitive information and have legitimate access to internal systems. When these insiders abuse their privileges, the crime can be precisely targeted and more damaging, because they are likely to know what the organization's valuable information is, where it resides and how to access it.
Profiling the insider
It is important to understand the profile of the people involved in insider threat incidents. Typically, an employee starts the job with honest intentions but becomes a threat after learning more and gaining a deeper understanding of how the organization works. Whether the threat materializes often depends on the employee's circumstances, such as job dissatisfaction, interpersonal conflict, workforce reductions and financial difficulties.
According to a PwC survey, rogue employees often exhibit telltale behaviors before they commit a crime, such as erratic work schedules, increasing policy violations, drops in performance or attendance, or uncharacteristic comments made to co-workers. Sometimes these signs are apparent to external threat agents, who will seize the opportunity to lure such employees into committing crimes, especially those who are looking for new employment or financial gain.
Former employees are an equally relevant source of insider incidents. Since they also know the business and are privy to certain highly confidential and sensitive information, external threat agents can use them either to obtain such information or to feed them information that can cause damage to the organization and/or its customers.
The same is true of the organization's partners, suppliers and contractors – the extended organization – who, by virtue of their day-to-day business interactions with their clients, also have privileged access.
Background screening and data privacy
Employee verification is a standard step that practically all organizations perform when hiring, and it is considered one of the most critical factors in preventing insider threats. However, how many organizations take the time to carry out a rigorous and extended background screening of potential employees?
What about the extended organization – the messengerial, janitorial and IT service providers, for example? Do organizations bother to check how these third-party service providers ensure the integrity of the people they deploy to their clients? Most often, there is a gap in this process.
Now, with the implementation of the Data Privacy Act in the Philippines, the employee verification process appears to have become more challenging, at least from the perspective of Human Resource (HR) practitioners, who must obtain the applicant's (the data subject's) explicit consent before they can obtain complete, good-quality information from the concerned parties. Such information helps them make informed hiring decisions, thus protecting the organization and its customers from possible insider incidents.
What should the organization do?
In managing the crimes that could arise from insider threats, it is important to understand that insider risk management cannot be done by a single business function alone. It requires cross-functional collaboration and a disciplined, risk-based approach. It also demands active involvement from the board, which has oversight responsibility for protecting stakeholders' interests and for driving management to execute a specific insider threat management program that is aligned and integrated with the business, cybersecurity and data protection strategies.
Specifically, organizations can implement the following best practices to prevent possible insider attacks:
1. Incorporate insider threat into the organization’s enterprise risk assessment.
2. Implement well-designed policies that directly address the factors that motivate insiders to commit crimes. In hindsight, most of these factors are actually controllable.
3. Expand employee screening beyond the typical reference check and background check with educational institutions and previous employers. Include social networking and credit history checks. For existing employees, consider periodic re-screening on a fixed cycle.
4. For the extended organization, check their recruitment and screening processes. Obtain independent assurance reports on the effectiveness of their internal controls (for example ISAE 3402 or SSAE 16/18 reports) as part of the organization's due diligence.
5. Implement a sustainable information security awareness program within the organization. Run it regularly so that insider incidents are prevented or, failing that, detected right away.
6. Implement strong technical controls, including restricting the use of portable devices such as flash drives and mobile devices, to prevent the copying of confidential and sensitive information.
7. Maintain clear documentation of insider threat controls and enforce them consistently.
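Item 6 is usually enforced with endpoint policy that blocks removable storage outright. Where a blanket block is not practical, a detective control that flags every flash-drive insertion is the complement a security team will want. The script below is an added example, not part of the original column or of any PwC material: it parses Linux kernel log lines (syslog/dmesg style) and reports each removable mass-storage device that was attached, skipping an optional allowlist of approved (idVendor, idProduct) pairs such as issued encrypted drives. The sample log lines, the hostname and the device IDs in them are constructed for illustration; the allowlist parameter and the port-to-disk attribution rule are this example's own assumptions.

```python
"""Flag removable USB mass-storage attachments in Linux kernel log lines.

Added example (not from the original column). The log text below is
constructed to mimic syslog output from the Linux kernel; the hostname and
vendor/product IDs are illustrative only.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log (not real telemetry). Port 1-1.2 is a flash drive;
# port 1-1.3 is a wireless receiver that must NOT be flagged.
SAMPLE_LOG = """\
Mar  3 09:12:01 ws-042 kernel: usb 1-1.2: new high-speed USB device number 7 using xhci_hcd
Mar  3 09:12:01 ws-042 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar  3 09:12:01 ws-042 kernel: usb 1-1.2: Product: Ultra Fit
Mar  3 09:12:01 ws-042 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Mar  3 09:12:02 ws-042 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Mar  3 09:12:05 ws-042 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
Mar  3 09:12:05 ws-042 kernel: usb 1-1.3: Product: Wireless Receiver
Mar  3 09:13:40 ws-042 kernel: usb 1-1.2: USB disconnect, device number 7
"""


@dataclass
class UsbDevice:
    host: str
    port: str                 # kernel bus-port path, e.g. "1-1.2"
    first_seen: str
    vendor_id: str = ""
    product_id: str = ""
    product_name: str = ""
    mass_storage: bool = False
    block_device: Optional[str] = None   # e.g. "sdb" once a disk is attached


# Syslog header "<timestamp> <host> kernel: <message>" and one pattern per
# kernel message the detector cares about.
HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
NEW_DEVICE = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)")
MASS_STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
REMOVABLE_DISK = re.compile(r"sd [\d:]+: \[(?P<dev>sd[a-z]+)\] Attached SCSI removable disk")
DISCONNECT = re.compile(r"usb (?P<port>[\d.-]+): USB disconnect")


def detect_removable_storage(log_text, allowlist=frozenset()):
    """Return one UsbDevice per removable mass-storage disk attach that is
    not on the allowlist of approved (idVendor, idProduct) pairs."""
    devices = {}   # port -> UsbDevice currently attached (insertion ordered)
    alerts = []
    for line in log_text.splitlines():
        h = HEADER.match(line)
        if not h:
            continue
        msg = h["msg"]
        if m := NEW_DEVICE.search(msg):
            devices[m["port"]] = UsbDevice(host=h["host"], port=m["port"], first_seen=h["ts"],
                                           vendor_id=m["vid"], product_id=m["pid"])
        elif m := PRODUCT.search(msg):
            if d := devices.get(m["port"]):
                d.product_name = m["name"].strip()
        elif m := MASS_STORAGE.search(msg):
            if d := devices.get(m["port"]):
                d.mass_storage = True
        elif m := REMOVABLE_DISK.search(msg):
            # The sd line does not name the USB port. Assumption: attribute the
            # disk to the most recently attached mass-storage device that has
            # no block device yet (adequate for one insertion at a time).
            pending = [d for d in devices.values() if d.mass_storage and d.block_device is None]
            if pending:
                d = pending[-1]
                d.block_device = m["dev"]
                if (d.vendor_id, d.product_id) not in allowlist:
                    alerts.append(d)
        elif m := DISCONNECT.search(msg):
            devices.pop(m["port"], None)
    return alerts


if __name__ == "__main__":
    for a in detect_removable_storage(SAMPLE_LOG):
        print(f"{a.first_seen} {a.host}: removable disk /dev/{a.block_device} on port {a.port} "
              f"({a.vendor_id}:{a.product_id} {a.product_name!r})")
```

Only devices that the kernel actually bound to the usb-storage driver and exposed as a removable SCSI disk are reported, so keyboards, receivers and other non-storage peripherals on the same bus stay quiet. In practice the same lines are available through journald or an endpoint agent, and the alert would be forwarded to the SIEM and correlated with file-copy events rather than printed.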
In today's threat environment, it is imperative that all insiders be brought together and behave in a way that keeps the organization safe. It is, indeed, quite uncomfortable for organizations to learn that their own people, whom they consider their most important asset, can actually be their biggest threat. Sadly, they have no choice but to bite the bullet and implement the measures necessary to avoid exposure to insider threat incidents.
* * *
Maria Rosell B. Santillan-Gomez is the Risk Assurance partner leading the technology and financial services practice, and Global Technology Solutions partner of Isla Lipana & Co., a member firm of the PwC network. For more information, please email email@example.com. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.