Why businesses need a strategy to combat the enemy within
Originally published at CFOTech
Worried about the prospect of your organisation falling victim to a hacking attack or data breach?
A seemingly continuous stream of attacks on local organisations has put Australian enterprises of all stripes on high alert – and with good reason.
Not only is the threat of cyber-compromise or attack real and rising, the cost of responding to and recovering from an incident has never been higher.
Along with the bills for remediation, repair and legal advice, it includes the loss of productivity if operations are knocked out of action, as well as the dent to reputation that can result from negative publicity.
A publicly-listed property valuation firm in Australia experienced two significant data breaches earlier this year, resulting in the loss of major customers, the departure of a CEO and a bill of at least $7 million.
But while strengthening your organisation’s external defences with the latest tools and technologies makes sound sense, it’s only half a battle plan.
Insider attacks, by individuals who have at some point been granted access to systems and data, can be as much of a risk as attacks from outside an organisation – and sometimes harder to detect.
Research suggests they account for more than a third of attacks, and current and former employees, business partners and contractors all represent potential vulnerabilities.
The issue is exacerbated by the fact that digital transformation has opened many organisations up in unprecedented ways.
Sensitive information that was once kept under lock and key in the corporate data centre is now accessed and put to use right across the enterprise by companies keen to gain a competitive advantage.
Given this, developing a program to mitigate insider threats is an imperative for organisations across Australia and New Zealand.
So, what steps are needed to put one in place?
Create a key stakeholder group
While cybersecurity has traditionally been the remit of the ICT department, mitigating insider threats isn’t a job for a single person or business unit.
The most successful insider threat programs are multi-disciplinary efforts which pull together teams comprising security and risk specialists, human resources professionals and legal experts.
Together, they can provide all the pieces of the puzzle.
Security professionals are au fait with the organisation’s sensitive data, know where it’s stored and are familiar with the myriad ways insiders can abuse their privileges.
HR departments are responsible for the human element: ensuring employees are clear about their responsibilities and managing the disciplinary process, should a violation be detected.
Legal departments have a less hands-on role to play but their input is vital in determining the thresholds for malicious intent and the consequences of actions.
Modelling the dangers
Mitigating insider threats begins with identifying those threats that are of greatest concern.
The size and nature of your enterprise will determine what these are likely to be.
For some businesses, it may be the theft of sales data while for others, it could be the loss of intellectual property.
Ranking the risks you face, in terms of seriousness and likelihood, allows you to develop commensurate prevention and response plans.
Developing a critical watch list
Once key threats have been documented, it makes sense to develop a ‘watchlist’ of the teams and departments that have the most opportunity to misuse data and compromise critical systems.
For example, sales, finance and executive leadership teams typically have access to customer lists, financial performance data and intellectual property.
Meanwhile, IT professionals have the opportunity to pull off the ultimate insider heist, given their intimate knowledge of security processes and procedures.
Other potential bad actors include customer service agents, privileged third parties (including contractors and partner organisations) and software developers, who have the opportunity to build vulnerabilities into new systems from the outset.
Develop technology-supported processes to reduce the risk
When it comes to cybersecurity, there are no infallible measures.
Hence, the focus should be on putting controls and processes in place to mitigate key risks. Ways to do so include:
filtering potential perpetrators by conducting pre-employment checks;
putting confidentiality and code of conduct agreements in place;
reiterating policies and practices in regular training sessions;
deploying technologies, such as multi-factor authentication, that can prevent, detect and mitigate insider threats quickly;
reviewing employees’ data usage patterns prior to their departure, whether voluntary or involuntary, to ensure valuable corporate data isn’t leaving the premises with them.
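The last item above, reviewing a departing employee's data usage, is the one that lends itself to a concrete check. The script below is an added example, not code from the article or from any product it mentions: it reads a small constructed file-access log, compares a departing user's peak daily download volume in their final week against the median of their earlier active days, and lists any paths they touched for the first time in that window. The log format, the seven-day window and the 3x spike threshold are all assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample log (not real data). Format: day user action path bytes
SAMPLE_LOG = """\
# day        user   action   path                          bytes
2024-04-02 alice download /finance/q1-report.xlsx 100000
2024-04-05 bob   download /finance/q1-report.xlsx 50000
2024-04-09 alice download /finance/q1-report.xlsx 100000
2024-04-10 alice view     /finance/q1-report.xlsx 0
2024-04-16 alice download /sales/pipeline.xlsx 100000
2024-04-23 alice download /sales/pipeline.xlsx 100000
2024-04-26 bob   download /finance/q1-report.xlsx 60000
2024-04-28 alice download /hr/salary-bands.xlsx 2000000
2024-04-29 alice download /finance/customer-list.csv 5000000
"""


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, user, action, path, nbytes = line.split()
        events.append({
            "day": date.fromisoformat(day),
            "user": user,
            "action": action,
            "path": path,
            "bytes": int(nbytes),
        })
    return events


def departure_review(events, user, departure_day, recent_days=7, spike_factor=3.0):
    """Compare a departing user's final-window downloads with their own baseline.

    departure_day is an ISO date string (the user's last day). The review flags
    the user if their busiest download day in the final window is at least
    spike_factor times their median earlier active day, or if they downloaded
    any path in the window that they had never accessed before.
    """
    last_day = date.fromisoformat(departure_day)
    window_start = last_day - timedelta(days=recent_days - 1)

    per_day = defaultdict(int)      # bytes downloaded per calendar day
    paths_before = set()            # paths touched (any action) before the window
    paths_recent = set()            # paths downloaded inside the window
    for e in events:
        if e["user"] != user:
            continue
        if e["day"] < window_start:
            paths_before.add(e["path"])
        elif e["day"] <= last_day and e["action"] == "download":
            paths_recent.add(e["path"])
        if e["action"] == "download" and e["day"] <= last_day:
            per_day[e["day"]] += e["bytes"]

    baseline = [v for d, v in per_day.items() if d < window_start]
    recent = [v for d, v in per_day.items() if d >= window_start]
    baseline_median = statistics.median(baseline) if baseline else 0
    recent_peak = max(recent) if recent else 0
    if baseline_median:
        ratio = recent_peak / baseline_median
    else:
        ratio = float("inf") if recent_peak else 0.0

    new_paths = sorted(paths_recent - paths_before)
    return {
        "user": user,
        "baseline_median_bytes": baseline_median,
        "recent_peak_bytes": recent_peak,
        "ratio": ratio,
        "new_paths": new_paths,
        "flag": ratio >= spike_factor or bool(new_paths),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for u in ("alice", "bob"):
        print(departure_review(evs, u, "2024-04-30"))
```

Because the comparison is against the user's own history rather than a fixed byte count, a finance analyst who routinely pulls large reports is not flagged simply for being a heavy user, while a sudden first-time pull of an HR or customer export stands out even if the volume is modest. In practice the baseline window would be longer and the review would also be run for contractors and partner accounts whose access is being withdrawn.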
Time to act
In today’s digital business landscape, cybersecurity is too important to leave to chance.
For enterprises that value their data, reputations and financial viability, it is essential to put systems in place to identify and mitigate both inside and outside threats.