Business leaders don't understand insider threats well enough. Source: Shutterstock

A guide to insider threats for business leaders investing in cybersecurity

CYBERSECURITY is something every business leader cares about — but protecting an organization requires understanding the specific cyber risks it faces, not just the topic in general.

One of the most important aspects of cyber defense that most business leaders seem to neglect is “insider threats”. These are threats posed by people who already hold legitimate access to the organization’s systems and data, such as employees and contractors, and they create significant exposure for a business precisely because that access bypasses the perimeter controls built to keep outsiders out.

According to a recent Marsh & McLennan report, 75 percent of companies believe they have appropriate controls to mitigate insider threat — but more than 50 percent of companies had a confirmed insider attack in the past 12 months.

As organizations move to a digital-first world and run their businesses on data assets, understanding, monitoring, and mitigating insider threats is key to survival, especially as consumers grow more conscious of data privacy and regulators demand that businesses be more proactive about cybersecurity.

The report identifies a few misconceptions among business leaders when it comes to understanding insider threats:

# 1 | Good company culture is an effective defense

While good company culture is important, it is in no way an effective defense against insider threats.

Employees might have interests that aren’t aligned to those of the company, which is what might motivate them to find ways to cause damage to the organization.

# 2 | Insider threat only relates to exfiltrating data

Exfiltrating data is only one kind of damage an insider can cause — and it is the kind an effective data loss prevention (DLP) program is designed to detect and block.

Other kinds of damage an insider can cause include deleting, altering, and manipulating data. These are attacks on integrity and availability rather than confidentiality, and controls that only watch for data leaving the organization will not catch them.

# 3 | Recruiters can weed out potentially malicious employees

Even a capable recruiter can only assess a candidate’s intentions at the time of hiring; the reality is that not all insider threats start the job with malicious intent in mind.

Often, economic or personal circumstances might push employees to alter their actions, behavior, and intentions.

Marsh & McLennan’s advice: Start small and stay focused

In the report, Rico Branden and Paul Mee, partners at Oliver Wyman (a Marsh & McLennan company), argue that an effective insider risk program must be designed around the specific culture, processes, and risks of the organization.

“It’s important to start small and focus on a clearly defined high-risk employee sub-group to work through the organizational issues that need.”

Understanding and managing insider threats takes time, and for larger organizations, fine-tuning a comprehensive insider risk management program can take considerably longer.

In order to ensure success, business leaders need to start with risk identification and assessment, design a pilot based on use cases and scenarios, and finally test the pilot to see if it is sound or needs to be expanded.

Finally, rolling out to high-risk employees followed by other divisions and departments is key — but it’s important to highlight that the process, like in any cybersecurity workflow, doesn’t end with implementation. It needs continuous monitoring and improvement in order to stay effective.

“With insider threat only increasing in prominence, organizations simply cannot afford to ignore the threat. Getting it right will deliver clear benefits, but delays could be costly.”

“Take a proactive approach to managing insider risk – start small, but start now,” concluded the duo from Oliver Wyman.