One of the most common questions we get from our clients is how much they should worry about the cybersecurity risks posed by their organization’s own employees. They often want to know whether their biggest risks are internal or external. Quite often, they’re surprised by the answer.
According to the Verizon Data Breach Investigations Report (DBIR), data breaches are far more likely to be caused by external attackers than any other source. In fact, the 2022 DBIR’s data showed that breaches of outside origin were four times more prevalent than those caused by insiders, a ratio that’s been roughly consistent since the report was first published in 2008.
This finding mirrors our experience as well. It’s not that insider risks aren’t real, or that insider-based attacks can’t be damaging. But it is the case that, statistically speaking, external attacks are more prevalent, and we advise you to start there when adopting a risk-based approach to cyber threat mitigation.
Once you’ve matured and stabilized your external threat prevention program and mastered the fundamentals of network and application security, turn your attention to building a risk-based, practical program to manage insider threats. This isn’t solely a cybersecurity problem or an IT problem, and it can’t be addressed just by limiting logical access or implementing technical controls. Instead, you’ll need to take a cross-functional approach, ensuring that leadership understands the importance of the issue and supports collaboration to address it.
Adopting a Risk-Based Approach to Insider Threats
Taking a risk-based approach to insider threat prevention starts with identifying the things that could happen that would truly be problematic for your organization. This will be different for every company. We advise our clients to convene a cross-functional team of people with strong institutional knowledge who understand which material risks are the most significant to the organization.
Your organization’s key risks might include:
- lost revenue
- reputational damage
- fines or monetary penalties
- compliance violations
- loss of intellectual property
- downtime or other operational disruptions
There are a wide variety of insider-initiated activities that could take place to cause these negative outcomes. The risk-based approach entails understanding which malicious or accidental activities would have the greatest impact on the business by derailing important initiatives or compromising its ability to compete and succeed as an organization.
Be sensible and practical when you’re conducting this analysis. Don’t over-engineer it. Instead, focus on what’s most important. Review the scenarios in which insiders could cause this sort of damage. If a particular employee has privileged access to critical systems, what sorts of harm could they cause? Should their responsibilities instead be distributed across a team of people? Are there monitoring controls that you could implement—and, ideally, automate—that would give you better visibility into whether something’s amiss? Follow data flows and seek opportunities to eliminate manual steps that could accidentally harm the organization, such as processing errors or accidental disclosures of sensitive data.
Building a System of Monitoring and Control
When it comes to managing insider threats, functional areas of a business are dependent on one another. For example, a lack of purchasing controls over cloud storage can lead to a massive data breach. Weak access provisioning can lead to increased fraud risk. When addressing insider threats, bringing together people and expertise from different functional areas is essential. The goal should be to create a system of monitoring and control that spans the entire organization, encompassing people, processes, and technologies to ensure that there’s awareness and vigilance about what’s taking place among employees.
In addition to having effective logical access control and change management, focus on areas involving money and data. Strive for a well-controlled procurement process where spend is monitored, including review and approval. The more centralized visibility you have over what people are buying and who they’re engaging with, the better. It’s always a good idea to have formal channels for vetting transactions with third parties. Lastly, make sure you extend your monitoring to credit card purchases.
Human Resources has a pivotal role to play in insider risk management. This begins with proper vetting and screening of new hires to ensure that the organization isn’t engaging employees with disreputable pasts who might be more likely to commit fraud or other malicious acts. HR controls also extend into performance management: actively addressing performance problems can help eliminate future potential insider threats.
Operational areas like IT can look to the accounting department and Controllership for examples of how to build routines and regular automated reporting processes designed to identify instances that fall outside the bounds of normal business activity. When it comes to reducing insider threat risk in cybersecurity, ongoing monitoring can do a great deal. Lastly, when incidents happen, identify the root cause and implement measures to prevent future occurrences.
Ultimately, building a system of control—where insider risks are sensibly managed—is good for the business. It’s a mindset that the leadership teams should collectively value.
Interested in learning more about building processes that will reduce risks and benefit your business? Check out our expert-led Governance, Risk and Compliance Services. Or get in touch with our team to schedule a free, no-obligation consultation today.