5 things security executives need to know about insider threat
Insider threat is, unfortunately, an issue that has not yet received sufficient priority. According to the 2018 Deloitte-NASCIO Cybersecurity Study, CISOs’ top challenges remain “budget, talent and increasing cyber threats,” and to some, insider threat doesn’t even make the list of top-ten priorities.
Considering what’s at stake – and our 21st-century ability to see signs of, and ultimately prevent, insider threat – this is a phenomenon security executives can no longer afford to ignore. Specifically, leaders need to know these five things about insider threat:
1. Don’t underestimate the business threats that stem from within
Cybercrime is becoming increasingly common and expensive – the average number of breaches that occurred in 2018 (145) increased 11% from 2017, costing an average $13.3 million. And, according to Verizon’s 2019 Data Breach Investigation Report, more than one third of breaches that took place during November 2017-October 2018 involved internal actors.
2. Disengaged employees are usually grown, not hired
Companies know that with every new hire, they naturally run the risk of making a bad hire every once in a while. That’s why many already conduct pre-hire background checks, and why some even instate “new-hire” periods where employees aren’t yet entitled to certain benefits or granted access to confidential information.
These steps aren’t enough. As time goes on, events arise in an employee’s personal life that can impact their performance in the workplace. Maybe they have a lot of responsibilities outside of work that they’re struggling to juggle. Or perhaps they just bought a new house or car and ran into unforeseen medical, education or elderly care expenses.
This kind of stress can drive otherwise ethical employees toward contemplating putting the company at risk for their own financial gain – i.e., stealing office supplies, stealing intellectual property, lying on reimbursement forms, etc.
3. Disengaged employees exhibit warning signs
The good news is that insider threats like these are often precluded by observable patterns of behavior that usually boil down to one thing: stress.
Stress might manifest in an employee being less present and productive – according to Gallup, stressed and disengaged employees are 37% more likely to take time off from work, and the companies they work for are 18% less productive and 15% less profitable. Or, in more extreme cases, stress might manifest verbally in conversations with clients and coworkers; physically; or in an employee concocting some sort of malicious plan.
4. Continuous evaluation enables leaders to compliantly see employee risk indicators
Continuous evaluation solutions alert business leaders to employees exhibiting these early warning signs. In addition to what a background check would typically screen for – criminal activity, chiefly – continuous evaluation solutions can be customized to also screen for other factors of interest: workplace violence, customer service reviews, suspicious financial or internet search activity, etc.
They may also allow for anonymous reporting, so that if individuals witness concerning behavior firsthand, they have an opportunity to relay that information without fear of repercussion from the individual. This ability is especially crucial for workplace sexual assault or harassment cases.
All this must be done compliantly. That’s why employee consent can be included in the onboarding process, and why some continuous evaluation solutions feature an automated review process that ensures a standardized workflow for verification and investigation by HR, Legal, Security and Compliance. And, with the Equal Employment Opportunity Commission (EEOC) and Fair Credit Reporting Act (FCRA) in mind, they also include employee privacy protections and legal guardrails to ensure a fair and equitable process that eliminates bias and favoritism.
5. Early and ongoing discovery enables leaders to intervene before behaviors escalate
Warning signs should never be ignored. Acting sooner rather than later gives security executives the ability to work with other members of the leadership team or HR to prevent an employee’s problem from escalating.
By acting quickly, leadership can have HR can reach out to an employee and engage them in a conversation to try and understand what factors maybe causing their stress and noticeable change in behavior. Then, business leaders can make efforts to help alleviate the employee’s stress, perhaps by lessening their workload, offering flexible hours, or, if it’s an issue that’s outside their immediate control, connecting them to an employee assistance or wellness program, or an outside resource – financial planner, medical professional, etc. – that can provide the appropriate assistance.
Clearly, companies have a lot to lose by overlooking insider threat, something security leaders now have the ability to quickly identify and mitigate. Aside from being something they should do, leveraging early and ongoing evaluation to see and prevent insider threat is something security executives must do, for the business, its employees and the people it serves.