Managing Insider Risk
Although organizations may believe their major risks, whether physical loss or data breach, originate from the outside, they cannot ignore the possibility of insider risk. A recent example is how Edward Snowden was able to steal data from within the highly secure National Security Agency.
As described by freelance security consultant Darrell Drystek, insider risk has existed throughout human history. To a greater or lesser degree, people in an organization need to be trusted, and sometimes – accidentally or deliberately – they betray their trust.
A good example of unintended insider risk is the employee who opens an email attachment or clicks on a link that exposes the organization to a major data breach. While not all errors or accidents can be prevented, steps can be taken to reduce the risk. If security is inadequate, remedial measures include:
- Updated security policies.
- Better training in data handling practices and procedures.
- Better data classification.
- Limiting employee access rights to job requirements.
If proper procedures are in place but not followed, employees need to be retrained and/or disciplined.
The targets of willful and malicious insiders are usually funds or information. Theft of funds is easier to address, through accounting controls and insurance for loss. (Employee theft is often uninsured or underinsured. My rule of thumb: how much could your most trusted employee steal, and how long would it take to discover the theft?) Theft or destruction of information is a bigger problem. Perpetrators may be disgruntled employees or activists with an agenda. Controls should be in place to reduce or mitigate the risk:
- Background checks for new hires or contractors.
- Policy statements on use of and access to data.
- Signed agreements to comply with organization policy.
- Access restricted on “need to know” basis.
- If possible, have alerts when someone logs onto sensitive data.
- Require timely explanation of any exception to or deviation from approved procedures.
- Random audits of people and processes.
- Regular review of control strategy.
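The two controls "access restricted on a need-to-know basis" and "alerts when someone logs onto sensitive data" can be checked mechanically against an access log. The following is an added example, not code from the article or from Darrell Drystek: a small monitor that maps each account to a role, compares every access against that role's entitlements, and raises an informational alert for any authorized touch of a sensitive dataset and a high-severity alert when the access falls outside the entitlement or comes from an account the directory does not know. The roles, datasets, user names and log lines are all constructed for the example.

```python
# Added example (not from the original article): a minimal need-to-know
# access monitor. Roles, datasets, users and log lines are all constructed.
from __future__ import annotations
from dataclasses import dataclass, field
import re

# Hypothetical entitlements: which datasets each role may touch.
ENTITLEMENTS: dict[str, set[str]] = {
    "payroll": {"hr_payroll"},
    "finance": {"gl_ledger", "hr_payroll"},
    "engineering": {"source_repo"},
}
# Datasets classified as sensitive; every access is alerted on (informational
# when authorized, high severity when outside the user's entitlement).
SENSITIVE: set[str] = {"hr_payroll", "gl_ledger"}
# Hypothetical user directory mapping accounts to roles.
USER_ROLES: dict[str, str] = {"alice": "payroll", "bob": "engineering", "carol": "finance"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) action=(?P<action>\w+) dataset=(?P<dataset>\w+)$"
)

# Constructed sample access log (not real data); the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z user=alice action=read dataset=hr_payroll
2024-05-01T08:05:43Z user=bob action=read dataset=hr_payroll
2024-05-01T22:17:09Z user=carol action=export dataset=gl_ledger
2024-05-01T09:30:00Z user=bob action=read dataset=source_repo
2024-05-01T10:00:00Z user=mallory action=read dataset=gl_ledger
this line is malformed and must be skipped rather than crash the monitor
"""


@dataclass
class Alert:
    timestamp: str
    user: str
    dataset: str
    severity: str  # "info" or "high"
    reasons: list[str] = field(default_factory=list)


def parse_line(line: str) -> dict[str, str] | None:
    """Return the log fields, or None for a line that does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(rec: dict[str, str]) -> Alert | None:
    """Apply the need-to-know and sensitive-data rules to one access record."""
    reasons: list[str] = []
    role = USER_ROLES.get(rec["user"])
    if role is None:
        reasons.append("account not in user directory")
    elif rec["dataset"] not in ENTITLEMENTS.get(role, set()):
        reasons.append(f"dataset outside entitlement of role '{role}'")
    violation = bool(reasons)  # anything recorded so far is a need-to-know violation
    if rec["dataset"] in SENSITIVE:
        reasons.append("access to sensitive dataset")
    if not reasons:
        return None  # routine access to a non-sensitive dataset: no alert
    return Alert(rec["ts"], rec["user"], rec["dataset"],
                 "high" if violation else "info", reasons)


def scan_log(text: str) -> list[Alert]:
    """Run every well-formed line through the rules and collect the alerts."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skipped here; a production monitor should count these
        alert = evaluate(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.timestamp} {a.user} -> {a.dataset}: "
              f"{'; '.join(a.reasons)}")
```

On the sample log this produces four alerts: two informational (alice and carol touching sensitive data their roles allow) and two high-severity (bob reading payroll data outside the engineering entitlement, and an account absent from the directory reading the ledger). The informational alerts are the audit trail the article's "alerts when someone logs onto sensitive data" control asks for; the high-severity ones are the cases that should trigger the "timely explanation of any exception" step.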