One of the biggest mistakes that an organization can make is assuming that the insider threat problem doesn't apply...
to them. Various surveys and studies show that insiders may be responsible for around 30% of all cybercrime.
In the three previous articles in this series, insider threats were discussed in terms of information technology sabotage, theft of intellectual property and fraud. In this article, we will present insider threat protection strategies that organizations can use to address sabotage, theft and fraud committed by insiders.
Pre-employment background checks
The hiring process is the first place where an organization can reduce the risk of insider threat behavior.
Background checks should include checks for criminal history, cases of resume inflation, fraudulent claims of education and professional licenses or credentials, as well as discussions with previous employers about the prospective employee's competence and ability to deal with workplace issues, including problems with co-workers. Validating the background of a prospective employee may also shield the employer from certain kinds of liability.
When deciding to conduct pre-hire background checks, there are a few things to keep in mind. Consider outsourcing the background checks to a law firm or private investigation firm. They can make sure that you follow all the appropriate laws regarding confidentiality and requirements to notify the prospective employee. Hiring an outside firm to conduct background checks also makes the check subject to the Fair Credit Reporting Act, which is designed to protect the job applicant, especially if a decision not to hire is made as a result of the information uncovered by a background check.
Also, companies should understand that a decision to conduct pre-employment background checks means that pre-employment screening must be done for all job applicants, regardless of the position. To conduct pre-employment checks on some prospective employees but not others could be considered discriminatory or illegal.
Some employers don't conduct background checks until after an offer of employment is accepted. This can reduce the number of background checks they need to conduct and can reduce spending on background checks. However, an employer who does this must make potential hires aware that their employment offer is contingent upon the results of a background check that is done in a reasonable period of time.
A well-thought-out policy on conducting pre-employment background checks is critical. You must decide what checks to perform, such as criminal history, employment and academic history, personal references, credit checks, driving records, and judgments and liens.
Additionally, consider defining exactly which adverse findings would disqualify someone from employment. Having this defined in advance can help companies prevent discriminatory decisions and ensure all prospective employees are treated the same way.
There are a few types of risk assessments that can help with insider threat protection.
The risky insider: Organizations should identify their critical business processes and information assets, intellectual property, and information vulnerable to fraud. These are assets at risk. Then, they should identify users who have access to these assets. This is a list of risky insiders. Finally, companies must validate that all these insiders really need access to these critical assets and the conditions under which they require access.
Identify people as single points of failure. Does a critical business process require the approval of a certain individual? What oversight should exist to make sure that business processes are not subverted by a risky insider? Do policies and procedures regarding least privilege, separation of duties, two-person integrity and other access control issues need to be written or updated?
Insider vulnerability assessment: An insider threat vulnerability assessment looks for organizational, behavioral and technical vulnerabilities that an insider could use to harm an organization's critical assets. For almost 20 years, the CERT Insider Threat Center has amassed hundreds of organizational, behavioral and technical indicators of insider threats.
Logging and monitoring network activity is something that network administrators should be doing to bolster insider threat protection. There are a variety of tools available to baseline and monitor network activity, network data flow and user activity. For example, you can set security policies for when and from where employees can log onto the network and then monitor and respond to alerts when these policies are violated.
For example, the U.S. Department of Defense uses a program called the Personnel Reliability Program that evaluates military personnel in order to grant them access to nuclear weapons. It is a security, psychological, and medical evaluation and monitoring program that ensures only the most trustworthy people have access to nuclear, chemical and biological weapons and the related information and technology.
Organizations want only the most trustworthy employees to have access to company intellectual property and other assets that differentiate them in the marketplace. Risky insiders can be identified earlier using techniques such as periodic background checks and increased monitoring.
In addition to insider threat protection policies, organizations should have policies on employee security responsibilities and boundaries that are clearly communicated and enforced. Uneven enforcement of policies can be seen as preferential treatment, which can lead to employee resentment and disgruntlement. Unmet expectations with respect to fair and equitable treatment could lead to harmful acts by insiders.
Companies must have clear policies regarding employee behavior that clearly define expectations, including those related to employees reporting insider activities, as well as processes and procedures for reporting those behaviors.
Understand and document what the organization's most critical IT assets are. Review access policies and roles to make sure that only those employees who require access to critical information have those rights. You should also involve employees in the process and communicate how limiting access protects the organization and its employees.
In addition, look for signs that this access review and change is a precipitating event for insiders who already feel that their expectations are not being met. An access review may expose insiders who are already doing damage to the organization. Be prepared to deal with that.
Do not ignore behavioral precursors to information technology sabotage. All too often, such insider threat behaviors are seen by co-workers and supervisors but are not reported. This lack of response is often the result of inexperience, a lack of understanding of how to deal with these behaviors or not wanting to get involved, but it is also a missed opportunity to help an employee before they decide to strike out at an organization.