Business competition in most industries is brutal and getting worse. With globalization, you now must compete with the entire world for market share. In addition to threats from the outside, however, there are several lethal insider threats to a business. The most potent insider threats include remote working, cybersecurity, and intellectual property theft.
The number of possible lethal insider threats to your business is limited only by human imagination and the laws of physics. Below is a shortlist that barely scratches the surface. Treat it as a mind stimulant to get you thinking.
Malicious employee or contractor
Two kinds of malice are relevant here: greed and a grudge against the company or one of its agents. Greed can motivate someone to steal from the company, and computer technology provides many ways of doing this. However, vindictive malice is even worse because it can motivate an insider to damage the company out of sheer spite. Such an insider might, for example, provide sensitive company data to a competitor.
When third parties become insiders
An outsider can become an insider when:
They infiltrate your organization as spies by seeking and gaining employment with your company.
You grant contractors or vendors access to your network.
The resulting damage can be catastrophic. Don’t expect a contractor, a vendor or a new employee to care as much about the welfare of your company as you do.
Telltale signs of a potential insider threat
A few indicators that the security breach you have been fearing is already taking place (and may have been taking place for quite some time):
Efforts to sidestep security procedures by one individual consistently or by entire departments
Employees in the office before or after work hours for no apparent reason
Disgruntled employees or employees who might have a reason to become disgruntled (watch these employees very closely)
Downloads of unusually large amounts of data
Use of unauthorized (private) storage devices
Data hoarding
Duplication of sensitive files
Your company’s security procedures should ensure that no one can engage in any of the preceding activities without someone else noticing.
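As an added illustration (not part of the original article), three of the indicators listed above (off-hours activity, unusually large downloads and unauthorized storage devices) can be checked automatically against activity logs. The log format, device names, business hours and 10x threshold below are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not real logs): time,user,action,bytes,device
SAMPLE_LOG = """\
2024-03-04T10:15:00,alice,download,40000000,
2024-03-05T11:02:00,alice,download,55000000,
2024-03-06T09:40:00,alice,download,48000000,
2024-03-07T23:50:00,alice,download,9000000000,
2024-03-04T14:00:00,bob,download,20000000,
2024-03-05T15:30:00,bob,download,25000000,
2024-03-06T13:10:00,bob,usb_mount,0,USB-PERSONAL-01
2024-03-06T16:45:00,carol,usb_mount,0,USB-CORP-0007
"""

APPROVED_DEVICES = {"USB-CORP-0007"}  # assumed allow-list of company-issued media
WORK_HOURS = range(7, 19)             # assumed business hours, 07:00-18:59
SPIKE_FACTOR = 10                     # assumed: 10x a user's usual daily volume

def parse(log):
    """Yield (timestamp, user, action, bytes, device) from the assumed CSV format."""
    for line in log.strip().splitlines():
        ts, user, action, size, device = line.split(",")
        yield datetime.fromisoformat(ts), user, action, int(size), device

def find_indicators(log):
    """Return sorted (user, date, indicator) tuples for three of the listed signs."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes downloaded
    hits = set()
    for ts, user, action, size, device in parse(log):
        day = ts.date().isoformat()
        if ts.hour not in WORK_HOURS:
            hits.add((user, day, "off-hours activity"))
        if action == "usb_mount" and device not in APPROVED_DEVICES:
            hits.add((user, day, "unauthorized storage device"))
        if action == "download":
            daily[user][day] += size
    for user, days in daily.items():
        for day, total in days.items():
            # Baseline: median of the same user's other days, so one spike
            # does not inflate the figure it is compared against.
            others = [v for d, v in days.items() if d != day]
            if others and total > SPIKE_FACTOR * median(others):
                hits.add((user, day, "unusually large download"))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(*hit, sep="  ")
```

A hit is a prompt for someone to take a closer look, not proof of wrongdoing; the thresholds need tuning to each role's normal activity.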
Easy ways to do a lot of damage
When security threats are the topic, people tend to think of sophisticated, high-tech intrusions. Some of the most significant security threats, however, are also some of the simplest. Some common examples:
Stealing company data using a USB stick.
Stealing or copying a hard drive.
Misconfiguration of network security devices such as firewalls.
Carelessly hitting “forward” on an email, thereby allowing an outsider to read an entire chain of emails that includes confidential company data.
Misusing privileges to gain unauthorized access to data.
Ultimately it is nearly impossible to eliminate threats like these. The best you can do is to enforce a robust company-wide security protocol.
The following are a few thoughts on how to manage company security risks from insiders.
Periodic security assessments
Hire a professional to conduct periodic security assessments. The assessment should identify your company’s critical assets, assess its most serious vulnerabilities, and provide recommendations. A security assessment designed to identify external threats can easily be modified to identify internal threats as well. For example:
Hire someone reputable to break into your system to see if it can be done and how it can be done
Find out how many of your employees maintain passwords like “password” or “12345678.”
Respond to this assessment by establishing and updating appropriate security measures to eliminate any identified security threats.
Install security hardware
Physical security controls include routers, switches, firewalls, servers, etc. These measures can range from low-tech to high-tech. A simple lock on a door is an example of a low-tech solution; a hardware firewall is a high-tech solution. Security cameras are somewhere in between.
Reform hiring practices
Insider threats come from people who were once outsiders. Hiring someone is a tremendous risk, and you should treat it as such. Perform thorough background checks on all applicants.
Thoroughly train employees
Effective training is costly because it takes time, and time is money. However, no security system will be effective until employees are trained and motivated to implement and enforce it.
Distribute information on a ‘need to know’ basis
Implementing a “need to know” information distribution system restricts the amount of data available to malicious employees. It also helps categorize information into individual employee accounts, so a single data breach does less damage.
Perform 24/7 network monitoring
Monitor each area of your business, including on-premises, remote-working, and cloud environments, all the time.
Employee termination
When an employee leaves the company, whether voluntarily or by termination, it is essential to immediately remove their access to all affected systems. You may even decide to walk the person out of your company immediately, even if the employee has given the company two weeks’ notice.
Jonathan Schmidt is the principal attorney with 303 Legal, P.C. He practices in the areas of business and litigation. He can be contacted at www.303.legal.