“If the only tool you have is a hammer, then every problem looks like a nail!”
– Abraham Maslow
Insider threat is not always at the forefront of focus in many organisations.
There is always a consistent flow of news about companies getting attacked from the outside.
However, insider incidents do not usually get reported unless privacy law-regulated data is impacted.
The perception that “it won’t happen to us” is a common stance for leaders that don’t yet know they have faced an insider issue.
Insider threats are an intriguing and complex challenge. Some assert that it is the most significant threat facing the organisation today.
Unfortunately, insider threats cannot be mitigated solely through technology solutions.
There is no “silver bullet” for stopping insider threat.
We need to remember that insiders go to work every day and bypass digital and physical security measures.
They have legitimate and authorised access to your most confidential, valuable and sensitive information and other assets.
You have to trust them. It is not practical to watch each of your employees every move.
What threats do insider pose to organisation assets?
Let’s look at the types of insider threats that can negatively affect the organisation.
Here are two examples
The CFO’s Role
Most CFOs understand that they need to play an active role in cybersecurity and insider threat management.
Still, many lack a complete understanding of the threats they face and the strategy to mitigate those threats effectively.
CFOs are called to adopt a dual role as they take the lead in navigating their organisation’s digital transformation journey.
They are not only at the forefront of driving strategic performance but are concerned with managing financial risk.
The role of the CFO is to oversee and manage some of the most critically sensitive and increasingly sought-after assets held within the organisation.
In short, CFOs are tasked with providing leadership and oversight, but they also create focus and define priorities.
Not only can they keep security a top concern in the C-suite, but their interaction with every department within an organisation puts them in a unique position to help ensure compliance efforts and deploy the necessary controls to defend the business against internal, external attacks.
The Cost Of An Insider Incident
The 2020 Cost of Insider Threats Global Report study from Ponemon Institute reveals a worrying trend in the rise of insider threats that could cripple organisations’ infrastructures.
In just two years, the number of insider threats has increased 47%, from 3,200 in 2018 to 4,716 in 2020. At the same time, the cost of these incidents has surged 31%, from $8.76 million in 2018 to $11.45 million in 2020.
To understand the full potential impact on your organisation, I have listed six types of implications that may bear against your organisation.
It is rare only to suffer one of these types of impact. You will often find that sustaining any one type of breach will result in additional cumulative implications.
Your organisation sensitive HR data, including their full name, home address, and even their salary, was identified on the news as being exfiltrated and available for sale on the Dark web.
A privacy breach of such magnitude causes your employees to be nervous, anxious, and fearful of possibly being targeted for identity crime. Morale is down, and with uncertainty, several key staff leave the organisation, causing personal impact and loss of productivity. Some staff who are significantly hurt seek legal compensation, causing legal impact.
In the meantime, forensic experts are hired to investigate the cause of the data exfiltration. New hardware and software are procured to bolster the weak defences causing operational impact.
At the same time, the reputation of your organisation takes a hit. Shareholder’s panic, and in a frenzy, share price plummets, causing a financial impact.
While the reputation of the organisation has been battered, three key clients cancel their existing contracts fearing that their data is not safe anymore, causing further reputation damage and financial challenges.
Regardless of which types of impact a breach has occurred on your organisation, one thing is for sure - It will cost your organisation financially.
Every time your organisation deviates from its strategy and dives into tactical measures to recover from a breach, it costs your organisation time and money.
A Balancing Act
Insider threats represent a significant risk for organisations and potential attack vectors for malicious insiders and external adversaries.
Insiders have a significant advantage over external attackers. Not only they are aware of the organisation policies, procedures and technology, but they are also often aware of the vulnerabilities.
Insider incidents are inevitable, and at some point, your organisation is likely to be compromised.
While this is unfortunate, it is a reality that must be proactively prepared for if your organisation is to withstand such threats.
Remember, there is no silver bullet in preventing insider threats. Having too many security restrictions can impede an organisation mission, and having too few may permit a security breach.
As a CFO, what you can do is understand the stakes of this challenge. Take an active role in its management, and if needed, seek counsel and expertise to augment your understanding.
Five Ways CFO’s Can Help Protect Their Organisation From Insider Threats
An organisation can significantly reduce its exposure to the problem by building an effective insider risk program and preventing the most damaging insider attacks.
The program must implement a strategy with the right combination of policies, procedures, and technical security controls.
Management from all areas of the organisation, especially at the executive levels (legal, financial, human resource, physical, information technology, information security), must appreciate the scale of the problem and work together to enhance its ability to deter, detect, prevent, disrupt and respond to insider threats.
Most organisations find it impractical to implement 100% protection from every threat to every organisation asset.
Instead, consider expanding security efforts commensurately with the criticality of the information or other asset being protected.
A realistic and achievable security goal is to protect assets deemed critical to the organisation mission from both external and internal threats.
The boundary of the organisation enterprise needs to be drawn broadly enough to include all those that have a privileged understanding of and access to organisation systems and information.
Many organisations focus on protecting their assets from external parties but overlook insiders. CFO’s must recognise the potential danger posed by the knowledge and access of their insiders, and it needs to be included as part of the enterprise risk governance.
Traditional security practices focus on “negative” incentives that attempt to force compliance through constraints, monitoring and punishment.
Yet, insider’s goodwill is essential to both minimising intentional and unintentional insider threats and ensuring organizational success.
Positive incentives can complement traditional practices by encouraging insiders to act in the interest of the organisation.
Instead of just solely focusing on making sure employees don’t misbehave, positive incentives create a work environment where employees are internally driven to contribute to their organisation only in positive ways.
Management must understand the psychology of their workforce and the demands placed upon them by leadership.
Human behaviour offers many situations for mistakes to be made, especially by those rushing to complete multiple tasks in high-stress environments.
High levels of stress in the workplace will drive ill will and greater potential for malicious activity.
The push for productivity comes at the cost of both efficiency and security. When people are pushed, they will make more mistakes, feel as if their concerns are not being considered and potentially develop a negative attitude towards management and the organisation.
To reduce the likelihood of malicious and unintentional insider threats, organisation leaders should focus less on top-line productivity and more on achieving productive outcomes and mission-oriented objectives.
We tend to think that human behaviour is pretty simple. Even in the most controlled circumstances, identifying how someone will behave in the future is impossible.
Someone who may appear trustworthy may encounter unforeseen life circumstances that may overwhelmingly increase the level of risk. And more importantly, we cannot expect that every person will respond in the same way.
Whether to trust or not to trust, verification is essential.
We conduct background checks on potential employees before hiring them and deciding if we trust them. However, research has shown that insider threat fraud often does not start until after an employee has worked for the company for at least five years.
You must have processes in place to continually re-evaluate that initial judgement of trust.
Are you experiencing an insider threat situation right now and not sure how to address it?
Are you interested in standing up an insider threat program?
If so, here is simple two-step process for you to follow: