(Post 4 of the Small Business Threats blog series)
Employees, every company has them. Even a sole proprietorship has at least a single employee, even if that person is also the owner. Whether your organization is large or small, the people who operate the business are its most valuable asset. Sure, they perform a work function that contributes to the overall success of the company whether that be answering telephones, operating a cash register, making sales, performing a service, or managing your company’s finances. While these roles are important, employees also directly affect the organization’s reputation and, if you pay attention to them, provide vital ideas and insight that help your organization to adapt in an ever changing market.
Most businesses maintain some version of a policy on recognizing employees for their contributions. Companies generally recognize the value of their employee assets. What not all companies do is to also consider their employees, the same people they trust to keep their business functioning, as their most significant threat.
It is quite frequent that there are news headlines and articles related to various breaches. Much of the attention in the media tends to focus on the hacker, organization, or state responsible for the attack as well as the extent of the damage. These stories often do contain information about how the attackers gained access to information, if that knowledge is available, but these details are often buried in an article and are made to be minor points. The reality is that an organizations own employees play a role in a majority of these attacks. In a 2016 article published by the Harvard Business Review, 60% of all cyber attacks involved insiders, people within the victims’ own organizations. The portion of these insider attacks that were accidental or unintentional was only about 25% meaning that the rest were malicious and that the companies’ own employees meant to do them harm.
An organization’s employees are in a unique position to both inadvertently and maliciously damage the company in ways that an outsider never could, or at least an outsider could not easily. Employees are granted access to the organization’s network resources, internal applications, and data vital to daily operation. Many times, employees are given company cell phones and laptops that allow them to access organizational email and file storage from anywhere. In general, once an individual is hired and clears whatever process the organization uses to vet prospective new-hires, they are entrusted with access to and the protection of the company’s computer assets and information.
There are numerous ways an employee can harm your company just by having access to your network including, but not limited to:
- Lose laptops and cell phones which can fall into the hands of malicious actors who would steal data, such as company employee contact information or confidential work product, from the devices.
- Carelessly open spam email and download malicious programs onto their company computers.
- Receive a call from “John from IT” and provide him with network credentials, or other sensitive inside information.
- Accidentally Introduce malware to the network by using personal optical disks (CD/DVD), thumb drives, or external storage drives on their work computers.
- Carelessly share sensitive information on social media, insecure file sharing and file storage sites, or send it to their personal webmail accounts without encryption
- Delay software and operating system patches and anti-virus updates or refuse to restart their computers or phones because it is inconvenient, leaving your organization open to the very vulnerabilities these patches and updates are meant to mitigate.
- Simply leave computers and phones unattended while logged in allowing others potential access to their account and the access that account has within the organization.
- Accidentally delete vital information that hasn’t been backed up.
- Intentionally steal information, sabotage systems, poison the integrity of data, and install malware.
Is this really that serious?
Yes, actually. Insider threats are very serious and apply to every organization, large and small. The United States Computer Emergency Readiness Team (US-CERT) has published a guide to combatting insider threats that references both Department of Homeland Security and Department of Defense studies on the issue. Additionally, the DoD provides a free online training course about insider threats on its Center for Development of Security Excellence site.
Not only is it a government concern, but academia and private industry also recognize this as a significant threat. Carnegie Mellon University has published are “Common Sense Guide to Mitigating Insider Threats” and even Forbes has recently chimed-in on what they believe how significant insider threats will be in the future.
What can be done?
Fortunately, there are several mitigating measures an organization can implement to help protect themselves against insider threats. These are several steps that can cost your organization virtually nothing:
- First, develop an insider policy that is robust, easy to follow, and applies to everyone. The policy should address how employees are expected to protect your assets and should establish a standard that all personnel are expected to adhere to.
- Provide training on the acceptable use of information and computers within your organization and retrain at least annually. This should include local policy as well as safe use of the internet and email as well as how to recognize social engineering.
- Limit access to information. The least privileged user concept is a fundamental measure in cybersecurity. Essentially, people should only have access to the least amount of information absolutely necessary to do their job.
- Administrative accounts are for administrating only. Normal user accounts should be restricted from having the ability to install software or modify their systems. Normal, non-administrative work should not be allowed to be conducted using accounts with administrative access.
- Control access, especially remote access, to your network. Don’t allow personal electronics to connect to your company network.
- Restrict access to social media, either through policy or through technical means like a web proxy and monitor activity related to your organization.
- Enforce mandatory patching and anti-virus updates. Remove out-of-date systems from your network until they can be remediated.
While not an all-inclusive list, the suggestions above can go a long distance towards protecting an organization from insider threats. For another take on what to do, Carnegie Mellon University has published its list of “Insider Threat Best Practices“. Truth is, there are several guides and sets of standards for addressing insider threats. Which your organization choses to follow is up to you, but it is essential that careful consideration be taken on what controls and protective measures will best address this threat within your organization.
For a technological solution, there is a family of products, produced by trusted companies like McAfee and Symantec, directly related to guarding against insider threats. These products are often software suites that collectively protect against unauthorized access to information and against malware. Data Loss Prevention, or DLP, comes in various forms and can be expensive for a small company with a tight budget. For those who can afford it, DLP provides a high degree of control over the flow of and access to data as well as tools that can assist in the investigation of data loss incidents. Common features include control over where internal files and data can be transferred, control over the use of external storage media, auditing of the flow of information, email encryption, encrypted remote access for portable devices, and forensic analysis tools.