Combating the insider threat: reducing security risks from malicious and negligent employees

The following is part of a series of instalments providing concise summaries of selected chapters from the New York Stock Exchange’s definitive cybersecurity guide, Navigating the Digital Age.

This blog summarizes ‘Combating the insider threat: reducing security risks from malicious and negligent employees’ by Littler Mendelson P.C. – Philip L. Gordon, Esq., Co-Chair, Privacy and Background Checks Practice Group. Please refer to the original article for any direct quotations.

Various findings confirm that the insider threat is still one of the biggest causes of security breaches:

  • Current employees were found to be the biggest cause of security incidents – ahead of hackers, contractors and organised crime.¹
  • 89% of global respondents believe their companies are more at risk than ever from the insider threat.²
  • 55% of respondents believe employees are the number one internal threat.²
  • Negligent and malicious insiders were the cause of 61% of security breaches experienced by respondents.³

But employers can take a wide range of relatively low-cost steps to reduce the risk of such insider threats:

  1. Pre-employment screening and post-hire risk alerts

The insider threat can be reduced by identifying, through effective background screening, applicants who pose a risk to the employer’s information assets. Most employers do not conduct further background checks once the job application process is complete, but several service providers now offer post-hire ‘risk alerts’, delivered either to the employer or to the employer’s background check vendor. Employers may therefore consider using such ‘continuous monitoring’ services to help identify employees who become security risks over time.

  2. Employee-oriented safeguards for sensitive corporate data

Even with thorough background screening, employees can still pose a security threat. The following basic precautions mitigate these risks.

A. Safeguarding electronic data

  • Improved access control

Employers should restrict access to sensitive information to those employees whose roles require it.

  • Protecting login credentials

Employees should be regularly reminded of the importance of protecting their login credentials.

  • Screen security

Employees should be reminded to position their monitors so that unauthorized individuals cannot read them.

  • Mobile device security

The loss or theft of employees’ mobile devices is one of the most commonly cited causes of data breaches. Security controls should be applied to every mobile device used for work purposes, whether the device is employer-issued or owned by the employee. Controls include encryption, password protection, automatic lock after a short period of inactivity, automatic lockout after a small number of unsuccessful login attempts, and remote wipe capability.

  • Remote work security

Employees should be required to use a secure, encrypted connection, such as a virtual private network (VPN), to access the corporate network when working remotely. This reduces the risk of traffic being intercepted on unsecured Wi-Fi connections.

  • No storage in personal online accounts

Employers should enforce a policy that prohibits storing the organization’s sensitive data in personal online accounts, because the organization has no control over data held in a personal cloud storage service.

B. Safeguarding sensitive data in paper and oral form

  • Clean desk policy/secure storage

Employees should be reminded to secure paper documents containing sensitive data in designated locked areas.

  • Beware of printers, scanners, and fax machines

Office equipment located in unrestricted areas, such as shared printers, can expose printed sensitive data to unauthorized viewers. Controls should be implemented to reduce this exposure.

  • Avoid off-site use of paper documents

Employees should be restricted from removing sensitive paper-based information from office premises. Instead, employers should enable employees to access this information via a secure remote connection.

  • Require secure disposal of paper documents

Policies should require employees to shred paper documents containing sensitive data or to discard them in secure disposal bins.

  • Private conversations are meant for private places

Employees should be made aware that they should not discuss sensitive information over the phone where unauthorized individuals can overhear them.

  3. Employee monitoring

Employers concerned about the insider threat should consider investing in monitoring software or installing data loss prevention (DLP) software, which inspects data leaving the network and flags or blocks sensitive content, on their networks. Owing to various legislative restrictions on monitoring employees, employers should conduct a thorough legal review before implementing any new monitoring technology.
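The kind of content rule a DLP product applies to outbound mail, as an added example that is not code from the original chapter or from any product: it looks for Luhn-valid payment card numbers and SSN-formatted values in constructed sample messages, audits sensitive content sent internally, and escalates to a block only when that content is addressed outside the corporate domain. The domain names, the sample messages and the three-level allow/audit/block action are assumptions made for illustration.

```python
"""Minimal DLP-style content inspection over constructed outbound messages.

Added example; not code from the original chapter or any DLP product.
"""
import re
from dataclasses import dataclass

# Assumption: the employer's own mail domains; any other recipient is "external".
CORPORATE_DOMAINS = {"corp.example"}

# 13-19 digits with optional single space/dash separators (card-number shaped).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"id": "m1", "recipient": "bob@corp.example",
     "body": "Attached is the Q3 roadmap, see you Monday."},
    {"id": "m2", "recipient": "carol@personal-mail.example",
     "body": "Backup of customer list: J. Doe card 4111 1111 1111 1111, SSN 078-05-1120."},
    {"id": "m3", "recipient": "ap@vendor.example",
     "body": "Invoice reference 1234 5678 9012 3456 is a ticket number, not a card."},
]


@dataclass(frozen=True)
class Finding:
    message_id: str
    rule: str
    detail: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out card-shaped numbers that cannot be real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(text: str) -> list[str]:
    """Card-shaped digit runs in text that also pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan_message(msg: dict) -> tuple[str, list[Finding]]:
    """Return (action, findings): 'allow', 'audit' (sensitive but internal)
    or 'block' (sensitive content addressed outside the corporate domain)."""
    findings = []
    cards = card_numbers(msg["body"])
    if cards:
        findings.append(Finding(msg["id"], "payment-card",
                                f"{len(cards)} Luhn-valid number(s)"))
    ssns = SSN_RE.findall(msg["body"])
    if ssns:
        findings.append(Finding(msg["id"], "ssn",
                                f"{len(ssns)} SSN-formatted value(s)"))
    if not findings:
        return "allow", findings
    domain = msg["recipient"].rsplit("@", 1)[-1].lower()
    if domain in CORPORATE_DOMAINS:
        return "audit", findings
    findings.append(Finding(msg["id"], "external-recipient", domain))
    return "block", findings


def scan_all(messages: list[dict]) -> dict[str, str]:
    """Map each message id to the action the rule set would take."""
    return {m["id"]: scan_message(m)[0] for m in messages}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        action, findings = scan_message(msg)
        print(msg["id"], action, [(f.rule, f.detail) for f in findings])
```

The Luhn check is what keeps m3 from being blocked: its digit run is card-shaped but fails the checksum, so the rule treats it as an ordinary reference number. Real products add many more classifiers and exact-match lists of the organization’s own records; whatever the rule set, inspecting employee communications is exactly the kind of monitoring the legal review described above has to cover first.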

  4. Confidentiality agreements, employee training, and exit interviews

Cisco’s 2012 Annual Security Report highlights that “71% of Generation Y” respondents “do not obey policies” set by corporate IT. Similarly, Absolute Software’s 2015 U.S. Mobile Device Security Report found that “25% of Millennials” admitted to compromising their organization’s IT security, compared with 5% of Baby Boomers.

Three methods for reminding employees of their information security responsibilities are recommended:

  • All new hires whose responsibilities will include access to sensitive data should sign a confidentiality agreement.
  • Staff awareness training is critical.
  • Employers should consider modifying their exit interview process to specifically address information security.

  5. HR and in-house employment counsel need a seat at the ‘information security table’

HR professionals and in-house employment counsel can play a critical role in enhancing an organization’s information security, owing to their involvement in pre-employment screening, disciplinary actions, training and the handling of sensitive employee data. By making human resources professionals and in-house employment counsel valued members of the organization’s information security team, organizations can significantly enhance the effectiveness of their overall information security program.

¹ PwC’s Global State of Information Security 2015

² The Vormetric Insider Threat Report 2015

³ Ponemon Institute “Post-Breach Boom” study 2013