Managing Insider Risk

January 10, 2019 | Business Insurance and Risk Management, The Beacon Blog

Although organizations may believe their major risks, whether physical loss or data breach, originate outside, they cannot ignore insider risk. A well-known example is Edward Snowden, who, while working as a contractor, was able to remove large amounts of data from within the highly secured National Security Agency.

As freelance security consultant Darrell Drystek describes it, insider risk has existed throughout human history. To a greater or lesser degree, people in an organization need to be trusted, and sometimes – accidentally or deliberately – they betray that trust.

A good example of unintended insider risk is the employee who opens an email attachment or clicks on a link and thereby exposes the organization to a major data breach. Not every error or accident can be prevented, but steps can be taken to reduce the risk. If security is inadequate, remedial measures include:

  • Updated security policies.
  • Better training in data handling practices and procedures.
  • Better data classification.
  • Limiting employee access rights to job requirements.

If proper procedures are in place but not followed, employees need to be retrained and/or disciplined.

Willful, malicious insiders usually target funds or information. Theft of funds is easier to address, through accounting controls and insurance for the loss. (Employee theft is often uninsured or underinsured. My rule of thumb: ask how much your most trusted employee could steal, and how long it would take to discover the theft.) Theft or destruction of information is a bigger problem. Perpetrators may be disgruntled employees or activists with an agenda. Controls should be in place to reduce or mitigate the risk:

  • Background checks for new hires or contractors.
  • Policy statements on use of and access to data.
  • Signed agreements to comply with organization policy.
  • Access restricted on “need to know” basis.
  • If possible, generate alerts when someone accesses sensitive data, whether or not the access is authorized.
  • Require timely explanation of any exception to or deviation from approved procedures.
  • Random audits of people and processes.
  • Regular review of the control strategy.
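Three of the controls above (data classification, need-to-know access, and alerts on sensitive-data access) can be checked mechanically against an access log. The following is an added example, not code from the original post or from The Beacon Group: it scores a constructed access log against a hypothetical data classification and a hypothetical role-to-resource entitlement map, raising an alert for any access outside the user's need-to-know, for every access to confidential data (even when entitled, so that audits can review it), for an unknown user, and for repeated exports of confidential data by one user. The users, roles, resource names, export threshold, and log lines are all invented for illustration.

```python
"""Added example (not from the original post): score a constructed access
log against need-to-know entitlements and a data classification.
Roles, resources, users, threshold and log lines are all hypothetical."""
from collections import Counter, namedtuple

Access = namedtuple("Access", "ts user resource action")

# Hypothetical data classification ("better data classification").
CLASSIFICATION = {
    "payroll_db": "confidential",
    "customer_pii": "confidential",
    "intranet_wiki": "internal",
    "public_site": "public",
}
SENSITIVE_LEVELS = {"confidential"}

# Hypothetical need-to-know entitlements: which resources each role may use.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll_db", "intranet_wiki", "public_site"},
    "marketing": {"intranet_wiki", "public_site"},
    "support": {"customer_pii", "intranet_wiki", "public_site"},
}
USER_ROLES = {"alice": "payroll_clerk", "bob": "marketing", "carol": "support"}

# Exports of one confidential resource by one user before we alert (assumed).
EXPORT_THRESHOLD = 3


def parse_line(line):
    """Parse one constructed log line: '<ts> user=<u> resource=<r> action=<a>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Access(ts, kv["user"], kv["resource"], kv["action"])


def evaluate(access):
    """Return (tag, user, resource) alerts for one record; [] means no alert."""
    alerts = []
    role = USER_ROLES.get(access.user)
    if role is None:
        # No known role means no need-to-know can be established: flag it.
        alerts.append(("UNKNOWN_USER", access.user, access.resource))
        return alerts
    if access.resource not in ROLE_ENTITLEMENTS[role]:
        alerts.append(("NEED_TO_KNOW_VIOLATION", access.user, access.resource))
    if CLASSIFICATION.get(access.resource) in SENSITIVE_LEVELS:
        # Alert on every access to sensitive data, entitled or not, so that
        # random audits have a record to review.
        alerts.append(("SENSITIVE_ACCESS", access.user, access.resource))
    return alerts


def scan(lines):
    """Evaluate each line, plus a bulk-export rule across the whole log."""
    alerts = []
    exports = Counter()
    for line in lines:
        acc = parse_line(line)
        alerts.extend(evaluate(acc))
        if acc.action == "export" and CLASSIFICATION.get(acc.resource) in SENSITIVE_LEVELS:
            key = (acc.user, acc.resource)
            exports[key] += 1
            if exports[key] == EXPORT_THRESHOLD:
                alerts.append(("BULK_EXPORT", acc.user, acc.resource))
    return alerts


# Constructed sample log lines.
SAMPLE_LOG = [
    "2019-01-10T08:01:00 user=alice resource=payroll_db action=read",
    "2019-01-10T08:05:00 user=bob resource=intranet_wiki action=read",
    "2019-01-10T08:07:00 user=bob resource=payroll_db action=read",
    "2019-01-10T08:10:00 user=carol resource=customer_pii action=export",
    "2019-01-10T08:11:00 user=carol resource=customer_pii action=export",
    "2019-01-10T08:12:00 user=carol resource=customer_pii action=export",
    "2019-01-10T09:00:00 user=dave resource=public_site action=read",
]

if __name__ == "__main__":
    for tag, user, resource in scan(SAMPLE_LOG):
        print(f"{tag:24} user={user} resource={resource}")
```

Run against the sample log, this raises eight alerts: alice's entitled read of the payroll database is logged as a sensitive access; bob, in marketing, reading the payroll database triggers both a need-to-know violation and a sensitive access; carol's three exports of customer PII are each logged as sensitive accesses and the third also as a bulk export; and dave, who has no role on file, is flagged as an unknown user. The point of alerting on entitled accesses as well is the author's "how long would it take to discover" question: the record exists before anyone suspects a problem.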

About the Author

Harry Cylinder

Harry Cylinder, CPCU, ARM has spent nearly fifty years in the insurance industry, the majority of the time as a consultant. He has been employed by The Beacon Group of Companies since 2008, specializing in the review and analysis of property and casualty coverage forms. Mr. Cylinder has been reviewing policy forms as they have evolved over the past decades. In 2008 he published an article in the CPCU Journal which was the first description of cyber insurance coverage for a general insurance audience. Since that time he has regularly written on cyber and other topics for The Beacon Companies’ blog.