‘Insider risk’ is the risk that something with a negative impact might be done by an employee, former employee, contractor or even a business associate. It’s a phrase that’s often used in reference to keeping intellectual property safe, or preventing business interruption from malicious hacking.
Most organisations that hold sensitive information, such as personal details, financial information and high-value intellectual property, have an insider risk policy in place as part of a big picture approach to security.
Some of those businesses manage their risk just fine. But often when a business is growing, changing its ownership structure, changing working environments (remote work, etc.) or even just putting a reactive insider risk policy in place, there are a few teething problems. One common problem is that long-time employees feel like they’re ‘no longer trusted’ when they’re asked to do things like use specific login details for specific tasks, or when their account activity is audited[i]. Also, when new policies and procedures aren’t distributed universally, it can be hard to make sure everyone’s on the same page. Communication and training around a new policy is a whole set of tasks and responsibilities in itself.
That said, it’s much easier than you might think to manage insider risk, whilst also minimising the impact on your company culture. By making a few tweaks to your attitude and your change management approach, you can make things a lot easier on management and staff alike. Here are a few tips.
1. Don’t ask ‘who’, ask ‘why’
When you’re designing your insider risk procedures, don’t think too much about who is allowed to access certain areas, files or functions – ask why they’re doing so. This may help prevent the kind of breach that occurs when access is tightly restricted to one person or a small group, but those people can then do whatever they like with it. For example, a disgruntled manager who has access to the financials to do payroll or project management might transfer money or make an unauthorised payment.
Doing this basically means setting up your access controls so that all someone’s ‘usual’ activities are set up or logged in the system, and when they try to do something unusual, they’re asked why. So using the example of that disgruntled manager, they might be given access to the financial side of the business management software but for payroll only, and in view-only mode for project management. If they tried to write off a dodgy expense and hide it in a project, the system would ask them why and send the answer to other stakeholders, perhaps delaying the payment until approval was received.
Looking at things this way also helps to control non-malicious or non-intentional insider risk. For example, a staff member in an office might want to download a program that they’ve stumbled across because they think it’ll help them do their job quicker. What they might not know is whether that piece of software actually carries malware in disguise that could harm the business’s networks in some way. This risk could be averted by blocking people from downloading .exe files, and making them check in with the IT person or senior manager first. The staff member would then explain why they’re trying to download a file, and they’d either get the go-ahead, or be given a secure alternative.
This approach is based on a theory known as IBAC – intent based access control. If you’re interested in reading about the ins and outs, check out the original author’s work[ii].
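The payroll / project-management scenario above, worked through as a small intent gate: usual activities are logged and allowed, anything unusual is blocked until the person says why, and the answer is held for a stakeholder to approve. This is an added illustration, not code from the article or from the IBAC author; the role, module, action and approver names are hypothetical.

```python
"""Intent-based access gate for the payroll / project-management scenario.

Added illustration, not code from the article or from the IBAC author. The
roles, modules, actions and approver names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Optional

# Each role's 'usual' activities per module; anything outside is unusual.
USUAL_ACTIVITIES = {
    "finance_manager": {
        "payroll": {"view", "run"},       # full payroll access
        "project_management": {"view"},  # view-only on projects
    },
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    request_id: Optional[int] = None  # set when the action is held for approval


@dataclass
class IntentGate:
    approvers: list
    audit_log: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)
    next_id: int = 1

    def request(self, role, module, action, justification=None):
        usual = USUAL_ACTIVITIES.get(role, {}).get(module, set())
        if action in usual:
            self.audit_log.append((role, module, action, "usual", None))
            return Decision(True, "usual activity, logged")
        if not justification:
            # Unusual and unexplained: block it and ask why.
            self.audit_log.append((role, module, action, "asked_why", None))
            return Decision(False, "unusual activity: please state why")
        # Unusual but explained: hold it and route the answer to stakeholders.
        rid, self.next_id = self.next_id, self.next_id + 1
        self.pending[rid] = (role, module, action, justification)
        self.audit_log.append((role, module, action, "pending", justification))
        return Decision(False, f"held for approval by {', '.join(self.approvers)}", rid)

    def approve(self, request_id, approver):
        # Only a listed stakeholder may release a held action.
        if approver not in self.approvers or request_id not in self.pending:
            return Decision(False, "not an approver or unknown request")
        role, module, action, why = self.pending.pop(request_id)
        self.audit_log.append((role, module, action, f"approved_by:{approver}", why))
        return Decision(True, "approved", request_id)
```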
2. Put your assets in security priority order
It’s probably not practical to put all your digital and physical assets under the same top-tier, lock-and-key, secret-agent level of security. If everyone had to do three levels of biometric access control just to get in and out of their own cubicle, and take constant polygraph tests to detect malicious intent, they’d probably be pretty cranky. That’s why it’s important to a) know what your assets are, and b) put them in security priority order. And to do this, you’ve got to do a risk assessment.
You may have already done this as part of your big-picture approach to security, when you were working out how to protect against outside risks as well. But if you haven’t, here’s how it’s done. Start by listing all your assets in column 1. In column 2, list the threat that asset faces (you might have multiple threats, so start a new line in column 2 for each one, but keep the data in column 1 the same). In column 3, write the vulnerable point/s where that threat might occur. In column 4, estimate the likelihood of that vulnerability being exploited (use a scale of 1-5, for example). In column 5, estimate the cost were that vulnerability to be exploited. Then use your sweet Excel skills to sort by cost and likelihood.
The most likely and expensive risks should be your top priority. These are the assets/attached risks that should be the most restricted, to only senior personnel, for specific purposes. Concentrate your efforts here – don’t spread yourself too thin – and you’ll feel a lot better about the whole thing.
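The five-column risk register described above, built and sorted in code so the top-tier assets fall out automatically. This is an added example, not the article's own spreadsheet; the assets, threats and scores are constructed, and the combined exposure score (likelihood times cost) used for sorting is an assumption, since the article only says to sort by cost and likelihood.

```python
"""Risk register for the five-column assessment described in the article.

Added example, not the article's own material. Sample rows are constructed;
ranking by likelihood * cost is an assumption about how to combine columns 4 and 5.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskRow:
    asset: str             # column 1
    threat: str            # column 2, one row per threat to the asset
    vulnerable_point: str  # column 3
    likelihood: int        # column 4, on a 1 (rare) to 5 (almost certain) scale
    cost: float            # column 5, estimated loss if the vulnerability is exploited

    def __post_init__(self):
        if not 1 <= self.likelihood <= 5:
            raise ValueError("likelihood must be on the 1-5 scale")
        if self.cost < 0:
            raise ValueError("cost cannot be negative")

    @property
    def exposure(self):
        # Assumed exposure score: likelihood weighting times cost.
        return self.likelihood * self.cost


def prioritise(rows):
    """Most likely and expensive first; ties broken by cost, then likelihood."""
    return sorted(rows, key=lambda r: (r.exposure, r.cost, r.likelihood), reverse=True)


def top_tier(rows, share=0.2):
    """The slice of the ranked register that gets the tightest restrictions."""
    ranked = prioritise(rows)
    return ranked[:max(1, round(len(ranked) * share))]


# Constructed sample register (not real figures)
SAMPLE = [
    RiskRow("customer database", "bulk export by insider", "shared admin login", 3, 500_000),
    RiskRow("customer database", "ransomware via phishing", "unpatched workstation", 4, 200_000),
    RiskRow("payroll system", "unauthorised payment", "single-approver payment", 2, 80_000),
    RiskRow("office laptops", "theft", "no disk encryption", 3, 5_000),
    RiskRow("source code", "exfiltration by leaver", "unrevoked repo access", 2, 300_000),
]
```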
3. Basic security awareness training
Your employees may not have experienced a rigorous security culture before. Their previous workplaces might have had very different standards, or they might not have learned about physical security and information security at uni/TAFE. In short, there’s lots of different reasons why it might take people a while to put their security thinking cap on, so to speak.
One of the ways you can speed up this process and make sure everyone’s on the same page is to implement basic security awareness training. The training should cover basics like threat awareness, terminology, and basic best practice. This doesn’t have to take as much time or money as you might think. In fact, online training could give you the scalability and flexibility you and your staff need.
Speaking of basic training, Money101 has a great module available now – Introduction to Information Security. It’s easy to understand, so it’s suitable for a wide audience, yet it’s high impact and could help prevent an expensive loss in your organisation. The module can generally be done in under half an hour, and because it’s online-based, your team can do it in their own time, at their own pace.
Contact us for more details about getting Introduction to Information Security for your team. We’re here to help make insider risk management even easier.