Left to chance, unless you happen to bump into someone leaving the building with a box full of documents, you might never catch an insider red-handed. That is where an insider risk team comes in: a group of employees from various departments who have written policies that create a system to notice if confidential items have left the building.
“Insider risk is a real cybersecurity challenge. When a security professional or executive gets that call that there’s suspicious activity — and it looks like it’s someone on the inside who turned rogue — the organization needs to have the right policies and playbooks, technologies, and right team ready to go,” said Rinki Sethi, senior director of information security at Palo Alto Networks.
Steve Mancini, senior director of information security at Cylance, takes the disgruntled employee's point of view, indicating that they need to be provided outlets and recourse for their grievances before miscreant actions occur. “Fellow employees and managers need to be trained to spot the signs of disgruntled employees and given channels to report concerns in a manner that does not judge the potentially disgruntled employee, but instead put the right people in their path to help them resolve whatever grievance they have before it escalates.”
But not all companies are that advanced in spotting what an angry employee might do in retaliation. Policies would cover obvious situations, such as an employee making an inordinate number of photocopies or an alert that notices a USB drive being plugged into a computer, but it gets tricky dealing with scenarios that are not out in the open for all to see. It is the insider risk team that must come up with every hypothetical scenario in order to stay ahead of the disgruntled employee who only wants to fulfill a vendetta.
“Insider risk tends to happen less frequently than external threats, but the negative impact can be tenfold. Having the right insider risk team with risk management expertise is a must to assess the situation, pinpoint the culprit and execute your counterattack plan,” Sethi said.
Who should be on this team?
Many security experts made it clear that watching for signs of an insider threat is everyone’s responsibility. But in terms of the team’s makeup, it should be representative of the entire company.
The team should include the technical IT and Security teams, as well as non-technical stakeholders such as members of the C-suite, the legal counsel and human resources, said Veriato’s CSO David Green.
“The latter three will likely be unfamiliar with the fact that traditional security solutions don’t always work to prevent insider threats because, first, they are largely focused on perimeter security, and, second, they aren’t intended to identify or prevent problems stemming from insiders who are authorized to access sensitive data or systems,” he said. “But these departments should come together to discuss the various challenges associated with insider threats and establish policies and procedures to prevent and detect them while protecting employee privacy.”