Martin Jerge on how to minimize insider threats from contract workers
Insider threats are a major concern for companies around the world, but one they have been slow to address. The number of insider incidents has risen 47% over the past two years, and the average annual cost of those incidents to an organization has climbed 31%, to $11.45 million.
Insider threats come from three main sources, says retired FBI agent Martin Jerge, who has more than two decades of investigative experience with both the Federal Bureau of Investigation and a Fortune 100 corporation.
The first is credential theft: outsiders who are not employees of the company but who obtain the login credentials of a real employee and use them to reach the company's valuable data and trade secrets.
According to Martin Jerge, that usually results from lax security controls. Without firm measures in place, employees get away with, or are even encouraged to engage in, risky practices such as account sharing and password reuse, which leave them more exposed to outside attackers and more likely to hand over their credentials in a phishing scam.
Next are criminal insiders, who deliberately harm their employers by selling confidential information to outsiders or stealing it for their own use. They account for the fewest incidents but still represent a major threat and financial burden for companies.
Perhaps surprisingly, negligent employees and contractors account for by far the most insider incidents, at over 60%. These are workers who are not knowingly engaged in espionage but whose carelessness opens the door for others.
Because the incidents their negligence causes vary widely, and some cause no financial harm at all, the cost per incident for this group is less than half that of the other two. Yet the sheer volume of incidents means negligent insiders end up costing companies more each year, in damages and in prevention and investigation costs, than either of the other two sources.
Contractors Pose Particular Risks to Companies
Given the nature of their roles, the limited training they receive, and their short-term ties to a company, contractors pose a particularly notable insider threat, whether as malicious insiders or negligent ones.
Yet it is a risk companies appear more than willing to take, despite clear awareness of the rising insider threat already besieging them and of their continued exposure to it. 60% of companies plan to expand their contract workforce in the coming years, citing improved productivity and reduced labor costs as the reasons for relying more on contract workers.
Contract workers are often given the same systems access as full-time employees, including to cloud storage platforms, where insider activity is harder to detect. And they receive that access without a commensurate amount of training in security protocols and other company policies.
Given the insider risk that contract workers pose, Martin Jerge, former FBI agent and now corporate investigator, shares several methods companies can use to update and upgrade their insider threat programs without alienating their contract workers through privacy violations.
Work with Placement Companies to Adequately Vet Candidates
Companies clearly need to do more to vet their gig workers, whose credentials and licenses are rarely verified by the companies, such as Instacart, that rely heavily on them.
The easiest way to do this is to hire through placement companies, which can carry much of the vetting load. They should have a fuller picture of a candidate's recent work history, skills, the risks they might pose, and how well they are likely to fit the company's culture.
For a more thorough assessment, companies can send a test to the placement agency and require a certain score or result before any contract worker is considered for placement.
Provide Security Training for Onboarding Contract Workers
Contract workers with any level of access to sensitive data should receive thorough security training so they can comply with the company's standards. If a company uses too many gig workers for individual training sessions to be practical, it should develop its own video training courses to handle the load instead.
Enforce Enterprise Security Procedures and Practices for Contract Workers
Training alone is not enough: companies also need to actively enforce their security measures for these workers, with steps such as multi-factor authentication on every login and permitting only approved (allowlisted) technologies on the job. Companies may also want to conduct compliance reviews of gig workers to confirm that their security practices are up to standard.
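The enforcement and review steps above, together with the earlier observation that contractors are often given the same access as full-time staff, boil down to a handful of checks an access review can run on every contractor account: MFA enrolled, account expiry tied to the contract end date, no membership in privileged groups, and only allowlisted software on the endpoint. The script below is an added illustration, not code from Martin Jerge or from any product the article mentions; the account records, the allowlist, the group names and the review date are all constructed for the example, and a real review would read them from the identity provider and endpoint-management exports.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical allowlist and privileged-group names, chosen for illustration.
# A real review would pull these from the identity provider and the
# endpoint-management export rather than hard-coding them.
ALLOWED_TOOLS = {"ticketing", "vpn-client", "code-editor"}
PRIVILEGED_GROUPS = {"domain-admins", "finance-share-rw", "cloud-storage-admin"}
AUDIT_DATE = date(2020, 6, 1)  # constructed review date


@dataclass
class Account:
    username: str
    worker_type: str                 # "employee" or "contractor"
    mfa_enrolled: bool
    contract_end: Optional[date]     # None for permanent staff
    account_expires: Optional[date]  # None means the account never expires
    groups: set = field(default_factory=set)
    tools: set = field(default_factory=set)  # software seen on the worker's endpoint


def audit_contractor_accounts(accounts, today, allowed_tools=ALLOWED_TOOLS,
                              privileged_groups=PRIVILEGED_GROUPS):
    """Return one finding per control that a contractor account fails."""
    findings = []
    for acct in accounts:
        if acct.worker_type != "contractor":
            continue  # employees are covered by the regular access review

        def flag(check, detail):
            findings.append({"user": acct.username, "check": check, "detail": detail})

        if not acct.mfa_enrolled:
            flag("no-mfa", "contractor can log in without multi-factor authentication")
        if acct.account_expires is None:
            flag("no-expiry", "account never expires; it should expire with the contract")
        elif acct.contract_end and acct.account_expires > acct.contract_end:
            flag("expiry-after-contract",
                 f"account expires {acct.account_expires} but contract ends {acct.contract_end}")
        if acct.contract_end and acct.contract_end < today:
            flag("contract-ended",
                 f"contract ended {acct.contract_end} but the account is still enabled")
        privileged = acct.groups & privileged_groups
        if privileged:
            flag("privileged-group",
                 f"member of {sorted(privileged)}; contractors should get project scope only")
        unapproved = acct.tools - allowed_tools
        if unapproved:
            flag("unapproved-tool", f"non-allowlisted software present: {sorted(unapproved)}")
    return findings


def sample_accounts():
    """Constructed records: one employee, one clean contractor, two that fail checks."""
    return [
        Account("alice", "employee", True, None, None, {"finance-share-rw"}, {"ticketing"}),
        Account("bob", "contractor", True, date(2020, 9, 30), date(2020, 9, 30),
                {"project-x"}, {"vpn-client", "ticketing"}),
        Account("carol", "contractor", False, date(2020, 3, 31), None,
                {"project-x", "cloud-storage-admin"}, {"vpn-client", "personal-file-sync"}),
        Account("dave", "contractor", True, date(2020, 12, 31), date(2021, 6, 30),
                set(), {"code-editor"}),
    ]


if __name__ == "__main__":
    for f in audit_contractor_accounts(sample_accounts(), AUDIT_DATE):
        print(f"{f['user']:<6} {f['check']:<22} {f['detail']}")
```

Running it reports five findings for carol (no MFA, no expiry, contract already ended, membership in a cloud-storage admin group, and an unapproved file-sync client) and one for dave (the account outlives the contract); bob passes and alice is skipped as an employee. The contract-ended check is the one most often missed in practice: an account that nobody disabled after the engagement finished is exactly the credential an outsider hopes to find.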
Maintain an Insider Threat Management Strategy
Many companies are now building insider threat strategies, though most are dissatisfied with the maturity of their programs. Developing one should draw jointly on many of the company's resources, including its security, legal and HR departments, to produce a robust and efficient strategy.
Another important aspect of such a strategy is ensuring that it does not hurt productivity and that it is fully transparent, so that employees understand their roles, what is expected of them, and what steps the company will take to protect itself from insider threats.
Consider Using Artificial Intelligence to Curb Insider Threat Activity
Lastly, Martin Jerge recommends that companies look into developing an artificial intelligence platform to oversee activity on the company's network with an eye to uncovering suspicious behavior that could indicate an insider threat.
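What such a platform automates at scale is behavioral baselining: learning what each account normally does and alerting on departures from it. The script below is an added illustration of that idea in its simplest statistical form, not the AI platform the article describes and not code from Martin Jerge or any vendor. It parses a constructed file-access log (the line format, user names and volumes are all invented for the example), builds a per-user baseline of daily download volume, and flags a day that exceeds the baseline by a configurable number of standard deviations, plus any access outside business hours.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, date, timedelta

# Constructed log format for the example (not a real product's format):
# "<ISO timestamp> user=<name> action=<verb> bytes=<n> path=<file>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) bytes=(?P<bytes>\d+)")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "action": m["action"], "bytes": int(m["bytes"])}


def constructed_log():
    """Six days of downloads for two users; bob's last day is a bulk exfiltration."""
    daily_mb = {"bob": [50, 55, 60, 52, 58, 2000], "carol": [20, 20, 20, 20, 20, 21]}
    lines = []
    for user, volumes in daily_mb.items():
        for i, mb in enumerate(volumes):
            day = date(2020, 6, 1) + timedelta(days=i)
            lines.append(f"{day}T10:15:00 user={user} action=download "
                         f"bytes={mb * 1_000_000} path=/shared/finance/q2.xlsx")
    # one small but off-hours access, also constructed
    lines.append("2020-06-06T02:30:11 user=carol action=download bytes=1000000 path=/shared/hr/payroll.csv")
    return lines


def daily_download_volume(events):
    """Map user -> {day: total bytes downloaded}."""
    totals = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["action"] == "download":
            totals[ev["user"]][ev["ts"].date()] += ev["bytes"]
    return totals


def detect_volume_anomalies(lines, k=3.0, min_history_days=3):
    """Flag the most recent day for a user if it exceeds mean + k*sigma of earlier days."""
    events = [e for e in map(parse_line, lines) if e]
    alerts = []
    for user, per_day in daily_download_volume(events).items():
        days = sorted(per_day)
        if len(days) < min_history_days + 1:
            continue  # not enough history to call anything anomalous
        history = [per_day[d] for d in days[:-1]]
        latest = days[-1]
        mean = statistics.mean(history)
        # floor sigma at 10% of the mean so a perfectly flat history does not
        # turn a one-byte increase into an alert
        sigma = max(statistics.pstdev(history), 0.1 * mean)
        threshold = mean + k * sigma
        if per_day[latest] > threshold:
            alerts.append({"user": user, "day": latest, "bytes": per_day[latest],
                           "baseline_mean": mean, "threshold": threshold})
    return alerts


def detect_off_hours(lines, start_hour=7, end_hour=19):
    """Flag any access outside the [start_hour, end_hour) business window."""
    return [{"user": ev["user"], "ts": ev["ts"], "bytes": ev["bytes"]}
            for ev in map(parse_line, lines)
            if ev and not (start_hour <= ev["ts"].hour < end_hour)]


if __name__ == "__main__":
    log = constructed_log()
    for a in detect_volume_anomalies(log):
        print(f"VOLUME  {a['user']} on {a['day']}: {a['bytes']:,} bytes "
              f"(baseline mean {a['baseline_mean']:,.0f}, threshold {a['threshold']:,.0f})")
    for a in detect_off_hours(log):
        print(f"OFF-HOURS {a['user']} at {a['ts']}: {a['bytes']:,} bytes")
```

On the constructed log the volume detector fires only for bob's final day, while carol's steady 20 MB a day stays under her threshold even with the extra off-hours file added; that file is caught by the separate time-of-day rule instead. Two design points carry over to real deployments: the baseline is per user, because a 2 GB day is normal for a build engineer and alarming for a contractor on a ticketing project, and the sigma floor prevents the flat histories typical of low-activity accounts from generating noise.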
A 2018 Ponemon Institute study found that companies with such AI platforms detected and contained breaches faster, saving an average of $8 per compromised record. Despite those promising results, just 15% of companies had deployed such platforms at the time.
By contrast, companies that rely heavily on IoT devices find breaches much harder to contain, paying $5 more per compromised record than the baseline.