The recent unprecedented shift from onsite to remote workforces makes managing insider threat risk more critical than ever before. This article provides six actionable recommendations to help your organization protect intellectual property, personally identifiable information (PII), and other sensitive data.
Your organization is at risk of an insider incident every day, whether your workforce is onsite or not. That said, the millions of Americans now working from home because of the Covid-19 pandemic increase the likelihood of a harmful insider incident.
Context Drives Insider Threat Behavior
In 2016, Wells Fargo was forced to fire 5,300 employees for opening nearly 2 million accounts in customers’ names without their authorization. Company leadership was aware that their unreasonable sales quotas were directly driving fraudulent behaviors.
Each Wells Fargo employee who engaged in, or condoned, the fraudulent behavior likely made the decision to do so at a different point in time. The employees were influenced by seeing colleagues rewarded for meeting quotas rather than reprimanded for unethical behavior.
Wells Fargo’s leadership had changed the context for desired workforce behaviors. This shift in expectations drove actions that resulted in long-term harm to the company’s corporate image and shareholder value.
Employees More Vulnerable, Whether Onsite or Off
The context for every employee shifted dramatically with the Covid-19 pandemic, making them more vulnerable to outside influence. This change is not limited to new remote workers, though.
Research indicates that a quarter of remote workers were struggling with loneliness before the pandemic. Further, the effects of social distancing may increase suicides in the future.
Employees have had to fight for toilet paper, accept reduced benefits or promotion opportunities, and handle child/elder care challenges while facing rumors and disinformation campaigns about a recession and layoffs. Similar to the Wells Fargo case, the context that these influences create for an employee could lead them to engage in intentional or unintentional activities. The resulting harm to your organization may be the same.
Examples include an employee circumventing cybersecurity controls to get work done faster, or helping an industry competitor (or nation state) that is seeking sensitive company data. That said, most intentional insider cases across all sectors are driven by financial motivation, such as rumors of layoffs, rather than by revenge or ideology.
Insider Incidents Will Likely Increase
Russian hackers are targeting US workers, remote employees are cutting cybersecurity corners, and Covid-19-themed cyber attacks are increasing. This creates a ripe environment for a costly, brand-harming, stock-decreasing, customer-loyalty-killing insider incident.
Last week, Twitter leadership admitted that they failed to adequately secure their systems and prepare their employees for social engineering attacks. The case reminds us of the importance of social engineering training as part of an insider risk strategy for preventing harm to corporate brand and shareholder value.
The good news is that not all teleworkers have access to sensitive information. The bad news is that even teleworkers who lack access to sensitive corporate data may attempt to social engineer their way to gaining more access. We have seen this in multiple, high-profile cases. Think Snowden or Schulte if you don’t think your employees would ever do such a thing!
Recommendations for Managing Remote Workforce Insider Threat Risk
Is your company considering adopting or expanding more permanent telework policies? If so, how does your security team plan to address insider risk from a permanent remote workforce?
Six actionable recommendations to help your organization manage insider risk with your remote workforce include:
- Establish anonymous and confidential reporting channels for suspected insider activity. Encourage employees who would otherwise say nothing to speak up, and establish policies that protect the confidentiality of employees who flag concerns.
- Facilitate an insider risk vulnerability assessment. This can help your organization identify gaps in its technology or human risk security controls and help with tool selection.
- Train your workforce on social engineering. Inform them on why they would be targeted, by whom, and how. The case of Su Bin selling F-35 secrets to China shows how much time and effort a well-resourced adversary will invest to gain access to proprietary data.
- Train your managers to recognize signs that employees may be undergoing stressful or life-changing events. A proactive insider risk management strategy can help protect company data and your workforce at the same time. Federal insider risk management initiatives have successfully prevented multiple suicides.
- Provide your workforce an Employee Assistance Program (EAP). Consistently advertise EAP benefits and remind your workforce that EAP programs are confidential and do not require HR involvement. Highlight the value that EAPs bring beyond career coaching such as counseling on financial issues, stress-related illnesses, and more.
- Set employee expectations for remote workforce behaviors. How are expected behaviors being communicated to your workforce?
The context in which your workforce operates, whether onsite or remote, matters for whether employees engage in intentional or accidental insider behavior. There is no better time than the present to develop or reevaluate your approach to managing insider risk in the ‘new normal’.
Connect with GPSG’s Insider Risk experts at cyberteam@gpsg.co; we look forward to helping enhance your organization’s insider threat risk strategy.
