Marketing Communications Manager at ERP Maestro.
Internal Threats: How to Stop Employees from Potentially Causing Excessive Damage
As internal cyber risks get more attention, organizations must commit to educating and training their workforce in order protect the company and its assets.
October commemorates the rollout of National Cyber Security Awareness Month (NCSAM), a national awareness program created by the US Department of Homeland Security to educate the masses on how to stay safe and secure while online. It’s a great reminder for us all to take precautions with our own data and habits while using technology.
Unfortunately, that same message doesn’t always resonate with business and consumer-facing organizations when it comes to internal threats. External threats, on the other hand, are more heavily considered and scrutinized. They make bigger news stories and garner bad PR and sentiment that can tarnish brand reputations for years. It makes sense why companies would focus more on keeping external threats at bay than internal ones, yet employees have the potential to cause more damage to the company in ways beyond fraud and identity theft.
Consider the case of ex-Google employee Anthony Levandowski, who was charged theft and attempted theft of trade secrets by the US Department of Justice in August 2019. He allegedly downloaded files from Google’s Project Chauffeur months before leaving to start his own self-driving truck company, which was later acquired by Uber, a major competitor to Google’s autonomous vehicle project.
Employees contracted by companies can also be a major insider risk, even inadvertently assisting external cybercriminals to break in and compromise data. This was the case in the Home Depot data breach of 2014 when hackers used a vendor’s stolen log-on credentials to penetrate Home Depot’s computer network and install malware to steal customer information.
Whether an employee “goes rogue” or a vendor makes a mistake, security measures and protocols must still be in place to defend against these internal threats. However, even the best internal cybersecurity strategy won’t be effective if employees don’t understand its importance and how to implement it. Consider these tips below on how to better prepare your workforce to prevent internal attacks.
Adopt a “Zero-Trust” Mindset
No hiring manager or executive wants to admit that they can’t trust their employees wholly, but it’s this type of mindset that opens the door to insider risk. Employers should accept that not every employee will act ethically or morally when given access to data or systems, therefore it’s crucial to adopt a “zero-trust” mindset when implementing a cybersecurity strategy. It doesn’t mean you can’t trust your employees to do their job or that you must micromanage them. Zero-trust simply means that there are strict rules and governance of who has access to what and that every system has safeguards in place.
Opting into a zero-trust mindset is not only safer for the company and its employees, it reinforces the message that internal threats are real and damaging if undetected.
Educate on Internal Threats
This may be an obvious tip, but as the saying goes, knowing is half the battle. Educating your workforce on the scope and severity of insider risks empowers them to keep up with best practices, utilize the safeguards in place and report suspicious activity or violations of the security policy.
To get the point across of how damaging internal threats can be, use facts and figures that illuminate their occurrence and severity:
- Nearly 75 percent of security breaches are the result of insider threats according to Clearswift Insider Threat Index report in 2017.
- The Association of Certified Fraud Examiners (ACFE) estimates that a typical company loses five percent of annual revenue to fraud.
- The 2018 ACFE Global Study on Occupational Fraud and Abuse reports that about half of fraud cases involved internal control weaknesses.
Sharing eye-opening statistics isn’t enough. Companies must spread this information and train employees repeatedly for the message to stick. Doing it once when a new employee onboards is not enough. Consider using different mediums to educate since everyone learns new information differently, whether it’s video, written documents or presentations. Doing an awareness campaign once a year along with frequent reminders in between is a great way to keep new employees in the know and remind existing employees of their responsibility to protect themselves and the company.
Monitor Employees to Reduce Risk
Even in the most trustworthy corporate cultures, mistakes still happen, and employees can be tempted to do wrong if the opportunity arises. The statistics mentioned earlier prove this. That is why monitoring employees’ access to systems and their activity within them is key.
Monitoring an entire workforce can’t be done manually though. Using automation makes sense in a corporate zero-trust environment when restrictions to data and systems should be in place. An automated access control solution can provide such processes for authorizing and revoking access, as well as instant reporting on access risks in order to fix them and reduce internal threats. This type of monitoring and analysis goes beyond applying identity/access authentication and password management, but it’s necessary when hundreds or thousands of employees (including vendors) have access to company systems and data.
These are just a few ways companies can prevent the spread of internal threats. For additional methods and training resources on combating insider risks, download our complementary security toolkit. It includes a “6-step Insider Risk Prevention and Security Training Guide,” as well as an insider risk self-assessment, employee training slides, post-training quiz, sample internal cybersecurity policy and employee security pledge.