Mitigating insider threats without breaking the cycle of trust
An “Insider” is a person within the boundaries of a company who has access to company systems and resources. They could be an employee, a contractor, a vendor or even a customer to whom you have given access to your network or systems.
Attacks or breaches that are traced back to an Insider could well be malicious, or they could be entirely accidental. An employee may be feeling deeply dissatisfied or unappreciated, they could be manipulated or forced into giving up sensitive information, or perhaps they have been enticed by a financial reward to help criminals gain access to a system. The Coronavirus pandemic has brought financial hardships to many people, leaving them vulnerable and susceptible to accepting bribes in exchange for Intellectual Property.
Likewise, human error can (and does) account for many breaches within an organisation. A confidential email sent to the wrong person, or a social engineering campaign that results in a malware infection, can both stem from an insider. The move to home working has led to many employees being isolated and has removed an element of peer support.
Heightened awareness of data protection and cyber security has led to companies improving the controls they implement on their network, therefore improving their defences and resilience to attack. Internal threats, however, are often a blind spot and remain largely unchecked. At the same time, protecting against insider threats can lead to a breakdown in trust and a culture of suspicion. So how do you ensure effective safeguards against insider threats while still maintaining a culture of trust and avoiding excessive surveillance?
Can you stay safe while maintaining trust?
A company is responsible for preventing insider threats within their organisation. It is their duty to comply with GDPR and other privacy laws and regulations, and that means that unfortunately, they simply cannot rely on trust alone for protection. After all, protecting the company not only ensures the livelihood of the business but also protects the roles of each of the employees. In other words, a benefit to the organisation is balanced by a benefit to its employees. And that is the key – balance!
Most companies insist that any new starters sign a confidentiality or non-disclosure agreement prior to employment. Further down the line, however, it is low levels of security awareness that are the most likely cause of a data breach, and such a breach can lead to irreparable damage to the reputation of a company.
How does a company monitor insider threats without micro-managing employees or causing a breakdown in trust? There are business risks that need to be addressed, but not to the detriment of the trust between company and employee. Again, we believe the approach must be one of balance.
Create a culture of trust and harmony, train your employees well and only monitor what you absolutely have to. Be open and transparent about how, and when, monitoring may occur. Apply good policies and processes and reinforce them in circumstances that require you to (like the move to home working during the pandemic). Monitor and review access levels rather than keystrokes, and practise good housekeeping by closing user accounts immediately after an employee leaves the business and ensuring any equipment is returned straight away.
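As an added example (not part of the original article), the access-level review described above can be run as a simple reconciliation: compare the HR joiner/leaver list with the accounts that are still enabled, and flag any group membership beyond what a role is expected to hold. The HR records, accounts, groups and role baseline below are constructed sample data.

```python
# Added example: a joiner/mover/leaver access review.
# All records below are constructed sample data, not from any real system.

HR_RECORDS = {
    "alice": {"status": "active", "role": "finance"},
    "bob": {"status": "left", "role": "engineering"},
    "carol": {"status": "active", "role": "engineering"},
}

# Directory accounts: enabled flag and group memberships (constructed).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "groups": ["finance-ro", "domain-admins"]},
    {"user": "bob", "enabled": True, "groups": ["dev"]},
    {"user": "carol", "enabled": True, "groups": ["dev"]},
    {"user": "svc-old", "enabled": True, "groups": ["dev"]},
]

# Groups each role is expected to hold; anything beyond this is excess access.
ROLE_BASELINE = {"finance": {"finance-ro"}, "engineering": {"dev"}}


def review_access(hr_records, accounts, role_baseline):
    """Return findings: leavers still enabled, accounts with no HR owner,
    and accounts holding groups outside their role baseline."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        record = hr_records.get(user)
        if record is None:
            # Nobody in HR owns this account: review or disable it.
            findings.append({"user": user, "issue": "orphaned_account",
                             "detail": "no matching HR record"})
        elif record["status"] == "left":
            # Leavers must be closed immediately, not at the next review.
            if acct["enabled"]:
                findings.append({"user": user, "issue": "leaver_still_enabled",
                                 "detail": "disable account, reclaim equipment"})
        else:
            excess = set(acct["groups"]) - role_baseline.get(record["role"], set())
            if excess:
                findings.append({"user": user, "issue": "excess_access",
                                 "detail": sorted(excess)})
    return findings


if __name__ == "__main__":
    for finding in review_access(HR_RECORDS, ACCOUNTS, ROLE_BASELINE):
        print(f"{finding['user']}: {finding['issue']} ({finding['detail']})")
```

Run on a schedule, this produces a short list of accounts to act on rather than a stream of employee activity, which is the kind of monitoring the article recommends.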
What else should you consider while monitoring employees?
There are also some limitations on monitoring employee activity which need to be considered. The first, under GDPR, is data minimisation: collect only the personal data you actually need. After all, monitoring employees with an iron fist will lead to increased amounts of personal data being collected.
Companies should take into consideration any labour and human rights laws before deciding just how much of a watchful eye they intend to place on their employees. Any monitoring must be justified and fair, must be put into writing and must be shared and understood by employees, contractors and vendors.