Compliance officers can take solace from outsider threats trying to steal your data: they’re on the outside, and you know they don’t belong. All you have to do to protect yourself is keep them out.
That’s more than you can say for the truly menacing threats to your data, who tend to march into your offices every day, sit down at their desks, and get to work. They are insider threats, and even when your insiders mean no harm to the company (and the vast majority never do) they are a huge risk.
How pervasive are insider threats to Corporate America these days? Plenty. According to Verizon’s 2016 Data Breach Investigations Report, cyber-attackers have made a sharp turn in their focus, away from IT networks and computer servers and toward people—specifically your employees, who can then be duped into sending valuable data back to the hackers. Phishing attacks have more than doubled as a percentage of all data breaches, from 9 percent in 2009 to more than 20 percent in 2015.
Meanwhile, companies still have “traditional” insider threats, too, such as employees who deliberately steal data or wreak havoc on IT systems. Verizon actually tracked more of these threats than phishing in 2015 (10,500 to 9,600).
Compliance officers need to prepare for both types of insider threats, and training is one obvious answer. But as you deconstruct the nature of insider threats, developing the right type of training is no easy feat. According to one recent study of insider threats by the Ponemon Institute, only half of more than 650 respondents agreed that their training was adequate to the task.
Take phishing as an example. One current scam is for hackers to mimic a CEO’s e-mail address and send a request to an employee (typically in the personnel department) asking that person to reply with a spreadsheet of everyone’s payroll data: home address, date of birth, and so forth. This is a huge data risk, but think about how a company might thwart it. You can’t block that employee from using e-mail. Technical measures might work, but not if you still have a potential breach. The best preventative measure is to ensure that the employee never falls for the phishing attack in the first place.
If you want employees to spot and question unusual behavior, the company needs to know what usual behavior looks like—and too often, organizations don’t know those patterns.
Put that idea into specific context, however, and it reads like this: The best preventative measure is to train the employee to ask, “Should I really send the CEO payroll data?”
Suddenly the idea of more training becomes much more difficult to deliver. To combat insider threats effectively, you must shift your focus from training employees not to do something, to making smarter judgments.
That’s a big ask for any workforce. In the real world, employees are often scared to question senior executives. Or they’re too busy. Or they don’t care, or—most likely—they don’t know what an abnormal request looks like. Without that knowledge, they can’t make smarter judgments at all. (By the way, according to Verizon, 13 percent of all phishing attacks in 2015 were successful.)
Compliance officers need to consider two points about effective training against insider threats. First, if you want employees to spot and question unusual behavior, the company needs to know what usual behavior looks like—and too often, organizations don’t know those patterns. They don’t help employees to understand what data is most important, or when data becomes important depending on who’s asking for it.
ABOUT THE AUTHORS
Mark Dorosz and Jennifer Benson are consultants for New York, NY-based Interactive Services.
Interactive Services is a developer of custom eLearning and blended learning solutions for global Fortune 500 companies across multiple industries: financial services, retail, healthcare, technology, and more.
The company develops performance-based training programs for different areas of your business including compliance, onboarding, sales, and product launches among others.
Second, successful training against insider threats touches closely on a speak-up culture. Compliance officers tend to equate a speak-up culture with calling out potential misconduct, and certainly that’s important. But just as important is the idea that a speak-up culture lets employees question things they don’t understand—and that’s crucial to prevent insider threats. Many requests from a senior executive or fellow coworker will be legitimate, even if an employee doesn’t understand why. Success hinges on an employee simply having the presence of mind to ask.
Deliberate insider threats are quite different from phishing and other “social engineering” attacks. The offending employee is likely to collude with an outside party. Compliance and IT security executives must worry about access controls to sensitive data as much as you worry about training.
Still, training is crucial here, too. One significant component to malicious insider threats is a failure to block access to data a person doesn’t need. So go through the checklist: Do we restrict access to unnecessary data? Do we have a process for people to seek exceptions? Who grants the exceptions? Does that person know how to make sound judgments on them? Sometimes good training just gets employees to go through the proper steps.
Fundamentally, however, malicious insiders are stopped by good insiders who want to protect the company. So yet again we’re back to the importance of encouraging a strong speak-up culture, and teaching employees to care about doing the right thing.
As the Ponemon Institute’s survey on insider threats put it: “Apply the carrot and stick approach to reducing the insider risk. Provide employees with incentives to report security issues and safeguard confidential and sensitive information.” That is all true, and it is all identical to what compliance officers have tried to do with anti-corruption programs as well.
That’s the future of fighting insider threats for data security, because the threats will only get more clever and elusive from here. Firewalls will take you only so far; the human element will take you as far as you can lead them.