Combating Insider Threats in Your Business

Although the bulk of our work comes intellectual-property-theftfrom attorneys, and businesses we’ve worked with numerous times over the years, we obviously still get new clients that either come our way via referral or from locating us online.  Regardless, a pretty common denominator with our new clients is that they were blindsided by the theft of their company’s private information and only realized it after the proverbial horse had left the barn.  Sure, we assist those that are not prepared when someone steals their intellectual property, but I feel we’d be remiss if we didn’t try to help them get in front of such a scenario going forward if it were to happen again, and barring any internal change, it likely will.  I speak on this to groups all the time, largely about how we’ve all been trying for so long to strengthen the walls to prevent the bad guys from getting in that we fail to recognize the weakness inherent with those that are already within the walls.  The so-called insider threats.  I say “so called” because while that is indeed an apt description, I hesitate to use the phrase without some sort of qualifiers or further discussion. To that end, there are different types.  In short, there’s the malicious (intentional stealing of data) which is what we mostly assist with, the accidental (whoops I lost my laptop), and the negligent (I know I should be more careful but oh well).  I tell folks that the first step in helping to mitigate this wrongdoing (intentionally or accidental) is in creating a culture where people first understand the value of the data they interact with and second have a clear understanding of what is right and wrong when it comes to what is done with a company’s trade secrets.  One of the findings of the recent Defending Against the Wrong Enemy: 2017 SANS Insider Threat Survey is that Despite recognition of insiders as a common and vulnerable point of attack, fewer than 20% of respondents reported having a formal incident response plan that deals with insider threat.”

insider-attack-threatSo while more organizations are starting to understand the importance of exploring the soft underbelly of their business when it comes to exposure, they don’t know what to do with it.  What’s more, 62% of the respondents said they had not experienced an insider attack, yet 38% admitted that their detection and prevention capabilities were not effective! This alarming fact makes it’s clear that a much higher number of insider attacks/exposures have occurred and gone blindly undetected.

So let’s get back to what you can do to protect your company’s assets. The first step is creating awareness within the workplace and reinforcing it through education and reminders.  This can start with something as Data-theft-awarenesssimple as posters helping folks understand the importance of the information they are working with or have access to.  Sometimes it’s a simple matter of them not knowing the value of the information they have.  Other times it’s a clear understanding that the information they work on is not owned by them, instead they are compensated to work with and retain no ownership.  This last point comes into play frequently when dealing with sales staff and product developers or folks that have been there long enough to work their way up the ladder and feel something more is owed to them.  Clear policies at their onboarding are crucial to help avoid misunderstandings, define clear boundaries and make known the consequences that will be enforced should they choose to violate those policies.  Another great idea depending on your environment is either a data security awareness newsletter or at least including a section in an ongoing newsletter that is devoted to awareness, reinforcing both the “you don’t own the data” aspect as well as general awareness to help minimize inadvertent leakage.  Another valuable tool a company can implement is having an acceptance policy displayed when an employee is accessing sensitive materials requiring them to check the box agreeing to certain terms of use.  All the things I’ve insider-threat-investigatementioned are very doable even for the smallest of businesses.  From there you can work your way up to phishing exercises to help mitigate outside forces (known or unknown) while ingraining the importance of protecting the company’s assets within them.  At the end of the day you’ve greatly increased the awareness and duty to protect and made them more culpable in the event they decide to take what doesn’t belong to them.  What you’re hoping to accomplish is the building of a work environment where people understand the value of the information they’re using, they’re proactive about protecting it and they encourage each other to do the same. In addition you’re simultaneously sending the message that the release of sensitive data is strongly discouraged by all parties, intentional or not.  This will help foster a culture of integrity and respect, for the company, for each other and for the data they are obligated to protect.


Share this: