Insider threats concern many companies today. They must adhere to data privacy requirements when it comes to mitigation measures related to malicious and inadvertent threats. Competing legal requirements along with compliance issues play a role in how a business may go about mitigating risks related to insider threats, which presents a challenge for many. What do companies need to know when it comes to this major risk?
What Are Insider Threats?
Organizations recognize they must protect their assets from attacks by outsiders. However, they cannot ignore those threats that arise within their ranks, as sadly these do happen more than many people realize. Malicious attacks, negligent employees, contractors, and more can do significant damage to a business before anyone realizes the business has been attacked. When they become aware of the attack, they then turn to an austin business attorney for help.
According to researchers, many companies don’t learn about the data breach until months or years after the attack occurred. In addition, data breaches driven by negligence typically result in the most total cost every year. Credential theft, however, remains the costliest to handle per unit, according to the 2018 Verizon Insider Threat Report. These costs cover a range of areas. This includes the management process associated with the data breach, which includes containing the breach, responding to the incident, and restoring any affected assets to their prior value.
The company invests money to operate and maintain surveillance and monitoring tools along with IT systems and must conduct an internal investigation to determine the source of the breach. Furthermore, companies find they must pay legal fees when rectifying the damage that has been done.
Companies typically find they also have indirect costs associated with the insider attack. Often, they suffer from a loss of reputation or intellectual property. Clients leave a business following a data breach, and the disruption of normal operations remains a concern. Furthermore, workforce fluctuation is associated with a data breach and can harm the company and increase the costs associated with the breach.
Is User Monitoring the Solution?
A company must address risk management with relation to insider threats on multiple levels. This includes the processes and technology domains as well as in human resources. Controls related to human relations play a large role, as this department oversees background checks and the vetting of candidates. Furthermore, it takes on the responsibility of executing nondisclosure agreements, such as when hiring employees, and oversees the need-to-know requirements of various job descriptions.
Segregation of duties, mandatory leaves, and the enforcement of need-to-know principles serve as three examples of these processes. Technology becomes of great benefit in human relations and process control effectiveness. Gartner reports there are three means of insider threat detection technology that offer advanced capabilities. Companies must consider investing in employee monitoring products that are endpoint-based, protection and audit solutions that revolve around data, and analytics products for both entity and stand-alone user behavior.
UEBA or best user and entity behavior analytics products use a person’s regular behavior to identify anomalies. In contrast, employee monitoring tools that are endpoint-based provide the company with the maximum amount of details and even offer a video record of the user’s activities. Many companies find this of great help. A third solution comes in the form of DCAP solutions, and many companies prefer this option as it provides activity monitoring in real-time.
As these solutions continue to improve, users will find they provide more comprehensive surveillance. Furthermore, experts believe they will soon include machine learning along with an AI system to determine the intent of the user. These features will distinguish between negligence and maliciousness.
Managing risks with regard to insider threats remains a challenge for businesses. Substantial organizational effort remains a requirement when it comes to managing these risks, and current best practices must be used. The following summarizes the practices concerning implementing HR, technology, and process controls.
Companies often vet potential employees and conduct background checks. However, they must remain within the limits established by the jurisdiction in which the business operates. If the company conducts a broad background screening, it may find itself facing a discrimination lawsuit. Furthermore, data quality issues become of concern when third parties and other unverified sources provide information as part of the vetting and background check process. Under the EU General Data Protection Regulation terms, companies might find they are unable to do an internet search on an applicant, to record information from their social networks, or to gather information from educational institutes or third parties concerning the credentials of this individual.
Many job contacts today come with a nondisclosure agreement. In certain cases, a company might require the person to sign this agreement when applying due to the sensitive nature of the job. Companies must train those in charge of interviews to ensure they don’t share confidential information at any time in the application process.
Every company must make data protection and cybersecurity awareness training an ongoing process, and this training must address how to manage privacy-related risks. For example, it needs to cover how to identify and report any IT security and data events. Many businesses carry out this training as part of the onboarding process but never follow up. To reduce the risk of insider threats, it should be carried out at regular intervals and recorded for accountability purposes. Depending on an employee’s position within the company, additional training might be needed. For example, those in customer service may need a specific type of training while individuals working in accounting require another type.
Employees come and go. When a person decides to leave the organization, any access they have to company information and systems must be completely revoked promptly. This includes access to non-centralized legacy systems. Companies should carry these same steps out when a person is taking an extended leave of absence, such as maternity leave, or when a person changes departments within the organization or their job responsibilities are modified.
Monitoring and Permitted Use
Every company needs to establish internal policies regarding the use of company devices, equipment, and information assets. All policies must be easy to understand and follow. Furthermore, they need to comply with any data protection requirements in place concerning device monitoring.
Local jurisdictions may put into place regulations regarding the restriction or exclusion of intercepting employee communications. They also retain the right to supply employees with confidentiality protection. Companies must put into place an acceptable use policy that limits the way a person may use company devices, networks, and systems and establish uniform guidelines for all employees to follow.
To drastically restrict privacy expectations, companies have the right to exclude the private use of business assets by employees. Companies have an interest in monitoring how employees use company assets and in their access to information assets belonging to the business. However, monitoring the assets might result in a conflict, as doing so could infringe on the employee’s rights and freedoms.
To avoid issues, companies must proportionately use monitoring technology and measures to avoid infringing on these rights. Furthermore, the company needs to determine which jobs would require real-time monitoring and the recording of activities to ensure the measures in place remain proportionate. When the company shares data privacy notices, the notices must outline the monitoring and surveillance practices used and how the company works to effectively enforce the privacy rights of the employees. Companies must also determine how to handle the use of personal devices for work purposes, as the use of these devices comes with challenges.
Any personal data breach must be reported to the proper authorities within 72 hours of learning of this breach. Employees need to know how to identify data breach events and how to report any breach. If they cannot, the company won’t be able to demonstrate they acted promptly after discovering the breach. Therefore, they cannot show they remained in compliance with the reporting requirements for data breaches.
A business must demonstrate they have processes in place to enforce any breach of the privacy obligations. Any deliberate breach will lead to disciplinary processes and legal measures permitted by the jurisdiction.
To remain in compliance with the GDPR’s accountability requirement, companies must address their privacy-compliant measures and show the effectiveness of these processes. These measures increase employee awareness in the areas of critical information and responsibilities. Furthermore, by documenting and continually improving the processes, companies find they reduce their risk of insider threats. Nevertheless, privacy must be maintained at all times, which can be a challenge. The business must find ways to overcome these challenges to thrive while keeping insider threats at bay.