In today's fast-paced business world, small and medium-sized businesses (SMBs) often find themselves racing against time, striving to carve their niche and make their mark. Amid the hustle and bustle, one critical factor often overlooked is cybersecurity. Yet, the digital age has brought many threats, including the looming specter of insider threats, which often leverage cyber means.
Whether through malice or negligence, the actions of trusted employees can potentially jeopardize the very fabric of your organization. In this article, we embark on a journey to demystify the realm of insider threats, armed with practical solutions tailored for budget-conscious SMBs. It's time to safeguard your business from within and fortify your defenses against the unforeseen.
Let’s define what an insider threat is
An insider threat is the potential for an insider (someone who has authorized access to or knowledge of an organization’s resources, like a system administrator or even a former intern) to use their trusted access or understanding of an organization to harm that organization, either intentionally or unintentionally.
When you think of insider threats at companies, you probably think of intentional acts of harm, like an employee stealing bank account passwords or a disgruntled IT employee creating a workaround for a potential partner in crime to bypass a zero trust security measure. But insider threats can be accidental as well. Consider how often a well-meaning but careless employee clicks on a malicious link in a phishing email or leaves a financial statement face up on their phone in a crowded restaurant. Whatever the case, the common factor in all these situations is that the risk of harm—big or small, intentional or not—can come from any person inside the organization or even a trusted third party or vendor. The commonality here is access.
Insider threats affect small businesses, too
Insider threats are a growing problem for SMBs. Look, I get that your small business resembles a close-knit team where members can feel like family and trust runs deep. In this environment, insider threats tend to be an afterthought (if even a thought at all). Why would a team player hurt the team? That makes absolutely no sense! In this case, establishing an insider threat program is comically dismissed with a casual shrug. It’s easy to imagine business owners saying, “Insider threat? We have a great culture. That couldn’t happen around here.” The notion of an insider threat is as distant as the moon.
Factor in the limited budget, and it might tempt a business owner to consider alternative investments, perhaps in the realm of marketing wizardry. Yet, here's the catch: it takes just a single misstep from a well-intentioned (but potentially careless) or disgruntled employee (with an ax to grind) to unleash chaos in the realm of SMBs. Chaos could take the shape of a website being offline, a customer relationship management system being inaccessible, or a data breach—all leading to a loss of revenue. One study found that nearly 1 in 3 data breaches stems from an insider threat and can cost up to 20% of annual revenue.
But don't worry; you can take plenty of practical steps to protect your business from insider threats, whether intentional or accidental. You might already have some of these solutions at your fingertips, or you can find them in the vast world of external resources. So, let's dive into the journey of demystifying insider threat mitigation.
SMBs might not feel they have the resources for an insider threat program, but they actually do! And trust me, you don’t need to be a Fortune 500 company to benefit from an insider threat program, either. Let me walk you step-by-step on how to build your insider threat program.
1. Devise a way to classify your data based on sensitivity
The first step to building an insider threat program is to classify data. It's essential to identify which data is sensitive and warrants extra protection. Think of it this way: If the data will help a competitor, you must protect it. There are a few ways to do this, but I recommend you focus on how sensitive the data is to you and your business. Does it have low, medium, or high sensitivity?
Low - All widely available public data, such as what is listed on your website or stuff you post on LinkedIn.
Medium - All protected data that lacks confidential information, such as emails, Slack messages, or online company documents.
High - All protected data, including confidential information, such as credentials, financials, or customer data.
Once it is classified, you can now easily see what is least to most valuable to you. Then, your protection of said data should align with its classification: Low has no/minor protections, and high has the most protections. I’ll add that this step is critical because if someone does walk away with your data, law enforcement won’t be able to assist you if you don’t try to protect your data. Period.
To do this well, you must develop a policy for labeling data accordingly. This doesn’t have to be too complex, but it needs to ensure all data is classified. Here are some tools to do that:
I really like Cyera. Cyera leverages AI to review all your data and classify and protect it properly. This means you don’t have to rely on your employees to guess correctly what a given classification should be.
There are other, less sexy tools that allow employees to apply the classification label themselves. This does allow for user error (and thus insider threat), but they are better than nothing. A good example is the Fortra subsidiary, Boldon James.
After you have your policy and data adequately classified, you want to ensure your team continues to maintain the data set. You will need to ensure they fully understand why it is essential and how to sustain it, or else you risk your classification system becoming antiquated. This also overlaps with the need for ongoing training and awareness (see below).
Once the data is classified, the next phase involves implementing stringent access controls based on this classification. Access to the most sensitive data should be restricted to only those who need it for their work. This approach ensures that critical information is only accessible to authorized personnel, significantly reducing the risk of internal breaches or leaks.
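As an added illustration of the three-tier scheme above (this is example code written for this article, not a product of the author, Cyera, or Boldon James), the script below classifies a handful of constructed records into Low, Medium, or High and maps each tier to the protections it should get. The content markers (credential strings, financial keywords, a customer record next to an email address, a Luhn-valid card number) and the list of public locations are assumptions you would tune to your own business; note that content markers win over location, so a credential pasted on a public page still lands in High, which is exactly the case you want surfaced.

```python
import re
from dataclasses import dataclass


@dataclass
class DataRecord:
    name: str
    location: str  # where it lives: "website", "linkedin", "slack", "drive", "finance-share", ...
    content: str


# Locations whose contents are public by design (the article's Low tier). Assumed list.
PUBLIC_LOCATIONS = {"website", "linkedin"}

# Content markers for the High tier: credentials, financial data, customer records. Assumed patterns.
HIGH_MARKERS = [
    ("credential", re.compile(r"(?i)\b(password|passwd|api[_-]?key|secret|token)\s*[:=]\s*\S+")),
    ("financial data", re.compile(r"(?i)\b(bank account|routing number|iban|payroll|revenue)\b")),
    ("customer record", re.compile(r"(?i)\bcustomer\b.*\b[\w.+-]+@[\w-]+\.[\w.]+\b")),
]
# 13 to 19 digits, optionally separated by spaces or dashes; confirmed with a Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Protections aligned with each tier, as the article prescribes (assumed concrete controls).
CONTROLS = {
    "Low": ["no special handling"],
    "Medium": ["authenticated access only", "access logged"],
    "High": ["need-to-know access via roles", "encrypted at rest", "access audited", "DLP watched"],
}


def luhn_ok(digits):
    """Luhn checksum, so that phone numbers and invoice IDs are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(record):
    """Return (tier, reasons). Markers are checked before location on purpose."""
    reasons = [name for name, rx in HIGH_MARKERS if rx.search(record.content)]
    for m in CARD_RE.finditer(record.content):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            reasons.append("payment card number")
            break
    if reasons:
        return "High", reasons
    if record.location in PUBLIC_LOCATIONS:
        return "Low", ["stored in a public location"]
    return "Medium", ["internal data without confidential markers"]


def required_controls(record):
    return CONTROLS[classify(record)[0]]


# Constructed sample records covering each tier.
SAMPLES = [
    DataRecord("homepage", "website", "We build accounting software for small businesses."),
    DataRecord("standup-notes", "slack", "Reminder: sprint review Thursday, bring demo."),
    DataRecord("q1-ledger", "finance-share", "Bank account ending 4421; revenue by region attached."),
    DataRecord("deploy-thread", "slack", "for staging use password: hunter2"),
    DataRecord("refund-request", "drive", "Customer jane@example.com, card 4111 1111 1111 1111, refund $40"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        tier, why = classify(r)
        print(f"{r.name:15} {tier:6} {', '.join(why)}  ->  {'; '.join(CONTROLS[tier])}")
```

The point to take from the output is the fourth record: a password dropped into a Slack thread turns a Medium location into High data, which is why a content-aware pass (whether a tool or a script like this) beats asking employees to guess the label.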
2. Initiate robust access controls
Implement measures to ensure that only authorized personnel have access to sensitive information. This can be effectively managed through Role-Based Access Control (RBAC). As the name indicates, it controls data access based on the user’s role within your organization. For example, your head of marketing would have access to marketing material but not financial material.
When thinking about developing access controls, ask yourself these four questions:
Who has access to what?
Should they have access to it?
Where is your data stored?
Should it be stored there?
Let me expand on these a bit.
Many people don’t like change, and if you go in and remove someone’s access to a system, team, or calendar, for example, expect some pushback. This is human nature. People don’t like to have things taken away. However, this needs to be explained from the top down. Employees need to understand WHY the company is reviewing access controls, and they should expect some changes to protect them and their jobs. People need to hear what the benefit to them is. So, with all these recommendations, explaining the why and the what is essential.
With data storage, employers often fail to review where sensitive data is stored, which can mean it ends up in places that are not appropriately managed, locked down, or sometimes [ouch] public. Scrub those access lists and ensure former team members or employees are removed from them when they either change positions or are terminated.
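Here is an added example (written for this article, not the author's own tooling) of what the four questions look like as code. A role-to-resource map is the RBAC policy; a dump of actual group memberships is what the systems grant today. Walking one against the other answers "who has access to what" and flags three things: a grant that no role justifies (should they have access?), an account that belongs to nobody on the current staff list (a former team member still on the list), and a storage location that no role owns at all (should it be stored there?). The roles, people, and resources are constructed.

```python
from dataclasses import dataclass

# The RBAC policy: each role and the resources it needs for its work (constructed org).
ROLE_PERMISSIONS = {
    "marketing": {"marketing-drive", "website-cms"},
    "finance": {"finance-share", "payroll-app"},
    "engineering": {"source-repo", "prod-servers"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


# Current staff (constructed). Anyone who has left is simply absent from this directory.
USERS = {u.name: u for u in [
    User("alice", "marketing"),
    User("bob", "marketing"),
    User("carol", "finance"),
    User("dave", "engineering"),
]}

# What the systems actually grant today, e.g. exported group memberships (constructed).
# "erin" is no longer on staff; "public-bucket" is a storage location nobody owns.
GRANTS = {
    "marketing-drive": {"alice", "bob", "carol"},
    "finance-share": {"carol", "dave", "erin"},
    "payroll-app": {"carol"},
    "public-bucket": {"erin"},
}


def has_access(user, resource):
    """The authorization decision: allowed only if the user's role lists the resource."""
    return resource in ROLE_PERMISSIONS.get(user.role, set())


def access_of(name, grants):
    """Question 1, 'who has access to what': every resource a given account is granted."""
    return sorted(resource for resource, members in grants.items() if name in members)


def review_access(users, grants, role_permissions):
    """Compare live grants against the policy and return (finding, resource, account) tuples."""
    findings = []
    for resource, members in grants.items():
        owning_roles = {r for r, res in role_permissions.items() if resource in res}
        if not owning_roles:
            # Data is stored somewhere the policy never accounted for.
            findings.append(("unmanaged-resource", resource, None))
        for member in sorted(members):
            user = users.get(member)
            if user is None:
                # Former employee or orphaned account still on the access list.
                findings.append(("stale-account", resource, member))
            elif not has_access(user, resource):
                # A person on staff holding access their role does not justify.
                findings.append(("excess-access", resource, member))
    return findings


if __name__ == "__main__":
    for finding in review_access(USERS, GRANTS, ROLE_PERMISSIONS):
        print(finding)
```

Run on a schedule, the findings list is the agenda for the access review the article recommends, and each "excess-access" line is a conversation to have from the top down before the access disappears.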
3. Implement a training and awareness program
Consider your insider threat program as a building where training and awareness form the foundation. No matter how advanced your security tools are, the program will falter if your workforce isn't educated on crucial aspects. They need to understand what to look for, recognize red flags, comprehend the importance of reporting, and know the procedures for reporting. They also need to understand how THEY can put your company at risk.
To address this, regular security awareness training sessions should be conducted. Go beyond one-time training sessions and run training programs throughout the year. These sessions should educate employees about the nature of insider threats, using real-life scenarios and case studies for better understanding. Utilizing internal, anonymized case studies can be particularly effective, as they demonstrate the reality of these threats within the confines of your organization. Be creative and think outside the box when it comes to training. Some fantastic vendors can take this off your hands, doing things like gamified training, escape rooms (physical and virtual), eLearning, and even cool Hollywood-style videos and virtual reality courses. Whether you do it yourself or outsource it, there is an incredible return on investment in employee training. “A recent study by Accenture actually found that every dollar spent on training got a $4.53 return, generating an ROI of 353%.”
Additionally, training employees to identify and report suspicious activities is crucial. This empowers them to act as vigilant participants in your security strategy, significantly enhancing the overall effectiveness of your insider threat program. You can never train potential malicious actors away, but you can train your whole workforce to understand when, why, and how to report concerns, which gives you a bigger picture of what is really going on inside your organization.
Pro-Tip: One fun exercise I like is creating campaigns that encourage employees to think outside the box. For example, everyone is pretty tired of those phishing simulations, where you are terrified of every incoming email for fear you will fail the test and are shamed into retraining. Instead, host a competition where employees must create the best phishing email. Help them think like bad actors—bonus points if they use AI—to increase awareness about how easy it is to do! Award winners with swag or gift cards to bring in positive engagement.
4. Build a security awareness culture
Creating a security awareness culture is akin to building a neighborhood watch program within your workplace, whereby your entire company practices vigilance and awareness, transforming employees from potential security risks into a robust first line of defense. A well-informed team is not just a team; it’s a fortified barrier against insider threats.
Here are some things you can do to build such a culture:
Establish clear security policies and procedures. Strive to develop comprehensive policies covering password management, data protection, acceptable use of technology, and incident reporting. Make these policies accessible to all employees by placing them on the company intranet, providing printed copies, and incorporating them into onboarding materials.
Implement regular security awareness training. As I shared in my third point, run training programs yearly and keep them creative! Include references to the above policies so employees can’t claim ignorance. Also, always give best practices for employees to share with friends and family.
Promote a culture of open communication and reporting. You must encourage employees to report suspicious activity without fear of retribution. This means you must establish clear channels for reporting, such as a dedicated email address, hotline, or anonymous reporting system (nothing too crazy; an anonymous Google Form would do the trick). Strive to foster an environment where employees feel comfortable asking questions and raising concerns about security issues. You may have a nonretaliation policy, but do employees still fear retaliation? Ask yourself why.
Ensure you are utilizing positive reinforcement. A positive and respectful culture yields numerous benefits across all sectors. It enhances productivity, attracts and retains top talent, and is critical to higher profitability. Here are some things I like to do, all of them easy:
Reward employees who complete security training, report suspicious activity, or suggest improvements to security practices.
I also like to recognize and celebrate individuals who go the extra mile to promote security awareness within the company. For those people, I will offer awards, gift cards for a nice dinner, and cool swag, make them security champions, and bring them into the team. You could even offer an extra day off as a reward for supporting the security culture!
A strong security awareness culture will create an environment where employees are well-versed in security best practices, engaged, respected, and positive. It will have a lasting positive impact on you and your entire company.
5. Prioritize employee lifecycle management
SMBs are increasingly vulnerable to insider threats in today's interconnected business world. One potent, yet often overlooked, defensive strategy lies within effective employee lifecycle management.
Employee lifecycle management refers to managing the various stages an employee goes through as they engage with their company, from recruitment to exit.
Don’t tune out just yet… this holistic approach encompasses the entire journey of an employee within the organization – from attraction, recruitment, onboarding, career development, retention, and finally, offboarding or termination. By focusing on this employee lifecycle, SMBs can create a skilled, productive, loyal, and security-conscious workforce. This also costs the least to implement.
Let me walk you through some of the highlights regarding the employee lifecycle:
Attraction - I recently spoke with a federal government agency. They expressed concern that many employees were very disgruntled because they were working in jobs that did not align with what they were hired to do. When advertising an open position, be honest and transparent about expectations and responsibilities. For example, if they can’t have a cell phone at work, it is best to mention that right up front. If not, and you hire them, you will quickly have an insider threat when someone feels angry that they didn’t know the phone rule.
Recruitment - I have found that ensuring new hires possess the necessary skills and align with the company's values and culture reduces the likelihood of future internal conflicts, thus lowering the possibility of an employee becoming an insider threat. This can’t be stressed enough - if someone looks good on paper and interviews competently, it does NOT mean they are an ideal cultural fit. You must explore if they are a good fit for you, and vice versa, to reduce the probability of future insider threat acts.
Onboarding - A robust onboarding program can instill a strong sense of belonging and understanding of company policies, including data security and confidentiality. Here is your chance to demonstrate your security culture and give the appropriate training to back that up. Talk up your security culture and help them understand they are now a part of it.
Career development - As employees progress within the company, offering career development opportunities (that do not have to be only related to their current role) and recognizing their contributions can foster loyalty and satisfaction, critical deterrents against insider threats. In fact, your team will significantly benefit if they learn new skills and will be more likely to stay with your company when you invest in them.
Retention - This is another touchpoint where you show your employees through actions—not just words—that you value them. Have they been around a long time? Give them a paid sabbatical. Are they curious about another department in the company? Offer them a few months to work on a new team to learn new skills. Bonuses, working from home, and meeting-free workdays are all ways to keep employees engaged and happy. Showing your employees you value them helps them value you.
Offboarding - Finally, a respectful and comprehensive offboarding process can help ensure that departing employees retain a positive view of the company while mitigating data theft or sabotage by employees who might not be leaving on good terms. A highly functional offboarding process (including an offboarding checklist that everyone uses) can be used to spot and flag potential threats. It is also a great way to level-set after-employment expectations and remove persisting system access. Sometimes, a well-intentioned manager might ask a departing employee, “Hey, is it okay if I reach out to you and have you walk me through any complications should they emerge? You should still have system access for a few weeks or so.” That is a no-no, and your offboarding process can serve to catch it!
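To make the offboarding checklist concrete, here is an added example (not the author's process, and the roster, systems, and dates are all constructed) that reconciles an HR list of termination dates against an export of each system's accounts. It flags accounts that are still enabled after someone's last day, any sign-in that happened after that day (the "you should still have access for a few weeks" scenario), and it also lists people whose last day is coming up, since the article singles out that transition period for extra attention.

```python
from datetime import date, timedelta

# Constructed HR roster: last working day for people who have left or given notice.
TERMINATIONS = {
    "frank": date(2024, 3, 1),
    "grace": date(2024, 3, 15),
    "ivan": date(2024, 3, 29),  # notice given, still employed on the review date
}

# Constructed export from each system: is the account enabled, and when was it last used?
ACCOUNTS = [
    {"user": "frank", "system": "email", "active": False, "last_login": date(2024, 2, 28)},
    {"user": "frank", "system": "crm", "active": True, "last_login": date(2024, 3, 9)},
    {"user": "grace", "system": "email", "active": True, "last_login": date(2024, 3, 14)},
    {"user": "grace", "system": "vpn", "active": False, "last_login": date(2024, 3, 12)},
    {"user": "heidi", "system": "crm", "active": True, "last_login": date(2024, 3, 20)},
    {"user": "ivan", "system": "crm", "active": True, "last_login": date(2024, 3, 20)},
]


def offboarding_findings(terminations, accounts, today):
    """Accounts of departed staff that are still enabled, or were used after the last day."""
    findings = []
    for acct in accounts:
        term = terminations.get(acct["user"])
        if term is None or today < term:
            continue  # current employee, or notice given but still on the payroll
        if acct["active"]:
            findings.append({"user": acct["user"], "system": acct["system"],
                             "issue": "access-not-revoked",
                             "days_overdue": (today - term).days})
        if acct["last_login"] > term:
            findings.append({"user": acct["user"], "system": acct["system"],
                             "issue": "activity-after-termination",
                             "on": acct["last_login"].isoformat()})
    return findings


def departing_within(terminations, today, days=30):
    """People in their notice period: the transition the article says deserves extra attention."""
    return sorted(u for u, t in terminations.items() if today <= t <= today + timedelta(days=days))


def offboarding_complete(user, accounts):
    """The checklist is done only when every account the person ever had is disabled."""
    return all(not a["active"] for a in accounts if a["user"] == user)


if __name__ == "__main__":
    review_date = date(2024, 3, 20)
    for f in offboarding_findings(TERMINATIONS, ACCOUNTS, review_date):
        print(f)
    print("departing soon:", departing_within(TERMINATIONS, review_date))
    for name in TERMINATIONS:
        print(name, "offboarding complete:", offboarding_complete(name, ACCOUNTS))
```

Running this the morning after each departure, and again a week later, is cheap; the "activity-after-termination" line is the one that should trigger a conversation rather than a ticket, because it means a well-intentioned manager's informal extension already happened.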
Each stage of the employee lifecycle allows SMBs to reinforce their defense against internal risks, making it a vital yet cost-effective strategy to safeguard their business.
Let’s get into some bonus, next-level stuff you should also do!
Bonus Content: Ways to enhance your insider threat program
This is a rapid-fire round! There are myriad other ways to improve your program and mitigate your risk, all of which require investment, including:
Monitoring and Detection
Set up monitoring tools to track employee activities and network traffic.
Establish baseline behaviors and alert thresholds for suspicious activities.
Pay special attention when employees leave the organization to prevent insider threats during the transition from employment to offboarding.
Behavior Analytics
Utilize behavior analytics tools to identify unusual or risky behavior patterns.
Implement user and entity behavior analytics (UEBA) solutions, if feasible.
I highly recommend newer tools that utilize AI to detect potential insider threat activity before it has happened (yes, it is very Minority Report).
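The monitoring and behavior analytics bullets above boil down to one idea: establish a baseline per user, set an alert threshold on it, and tighten that threshold for people in their notice period. As an added example (not any vendor's product and not the author's code), the script below does exactly that over a constructed log. The log lines are generated from a small table of daily download counts plus two hand-written sign-ins so the example stays short; the log format, the three-standard-deviation rule, and the tighter two-standard-deviation rule for departing staff are all assumptions you would adjust to your environment.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed daily download counts: a quiet baseline week, then the day under review (2024-03-18).
# alice is a normal employee; bob has given notice and is on the departing list.
DAILY_DOWNLOADS = {
    "alice": {"2024-03-11": 2, "2024-03-12": 3, "2024-03-13": 4, "2024-03-14": 3, "2024-03-15": 2, "2024-03-18": 25},
    "bob": {"2024-03-11": 3, "2024-03-12": 3, "2024-03-13": 3, "2024-03-14": 3, "2024-03-15": 3, "2024-03-18": 6},
}
# Hand-written lines appended to the generated log, including one off-hours sign-in (constructed).
EXTRA_LINES = [
    "2024-03-18T02:14:09 user=bob action=login src=10.0.0.42",
    "2024-03-18T09:01:33 user=carol action=login src=10.0.0.7",
]
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T(\d{2}):\d{2}:\d{2} user=(\w+) action=(\w+)")


def build_log():
    """Expand the count table into log lines in the format LINE_RE expects (constructed data)."""
    lines = []
    for user, days in DAILY_DOWNLOADS.items():
        for day, n in days.items():
            for i in range(n):
                hour = 9 + (i % 8)  # spread the downloads across the working day
                lines.append(f"{day}T{hour:02d}:{i % 60:02d}:00 user={user} action=download file=doc{i}.pdf")
    return lines + EXTRA_LINES


def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            day, hour, user, action = m.groups()
            events.append({"day": day, "hour": int(hour), "user": user, "action": action})
    return events


def detect(events, eval_day, departing=frozenset(), k_normal=3.0, k_departing=2.0):
    """Alerts for eval_day: download volume above the user's own baseline, and off-hours activity."""
    per_day = defaultdict(Counter)  # user -> Counter(day -> downloads)
    alerts = []
    for e in events:
        if e["action"] == "download":
            per_day[e["user"]][e["day"]] += 1
        if e["day"] == eval_day and (e["hour"] >= 22 or e["hour"] < 6):
            alerts.append({"user": e["user"], "type": "off-hours-activity", "hour": e["hour"]})
    for user, counts in per_day.items():
        baseline = [n for day, n in counts.items() if day < eval_day]  # ISO dates sort as strings
        if not baseline:
            continue  # no history yet; a brand-new account needs a different rule
        mean = statistics.mean(baseline)
        spread = max(statistics.pstdev(baseline), 1.0)  # floor so a perfectly flat baseline still has tolerance
        k = k_departing if user in departing else k_normal
        threshold = mean + k * spread
        today = counts.get(eval_day, 0)
        if today > threshold:
            alerts.append({"user": user, "type": "download-spike", "count": today, "threshold": round(threshold, 1)})
    return alerts


if __name__ == "__main__":
    events = parse(build_log())
    for alert in detect(events, "2024-03-18", departing={"bob"}):
        print(alert)
```

With bob on the departing list his six downloads clear the tighter threshold and alert; take him off the list and the same day passes quietly, which is the whole reason the article says to pay special attention during the transition out. alice's spike alerts either way, and the 02:14 sign-in is reported on its own regardless of volume.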
Technology Investments
Invest in cost-effective security technologies, such as Security Information and Event Management (SIEM) systems, that can help detect and respond to insider threats.
External Support
Consider leveraging external expertise or consulting services, especially if resources are limited.
Implement Data Loss Prevention (DLP) solutions to monitor and prevent data leakage. They will help ensure that sensitive data does not leave the organization without authorization.
Conclusion
While the fast-paced business world can make cybersecurity seem like an afterthought, a proactive approach is essential. By implementing practical solutions such as classifying your data, initiating access controls, implementing a training and awareness program, building a security awareness culture, and prioritizing employee lifecycle management, SMBs can significantly reduce their insider threat risk. By taking these steps, you will safeguard your valuable data, protect your reputation, and ensure the continued success of your organization. Don't let insider threats become the silent enemy within—take action today and build a more secure future for your business before the bad thing happens.
Shawnee Delaney is the CEO of Vaillance Group and spent nearly a decade with the Defense Intelligence Agency (DIA) as a decorated Clandestine Services Officer. She supported the Department of Homeland Security (DHS) in protecting U.S. critical infrastructure and is a globally recognized expert in Insider Threat and Human Risk Management. She holds an M.A. in International Policy Studies with a Specialization in Counter-Terrorism and Counter-Proliferation, an M.S. in Cyber Security, and is currently working towards her third M.A. in Industrial-Organizational Psychology.
About Effortlo
Effortlo is the world’s only marketplace for security resources that helps companies operate a lean and efficient security program by providing effortless access to a wide range of global experts with one agreement and one payment. With transparent pricing and a hassle-free (Airbnb-like) model, effortlo allows customers to work directly with security experts to expand their capabilities, meet deadlines, and stay within budget. We're also the only platform enabling any validated security expert to discreetly promote their skills and expertise to the greater security community.
About Decoding Cyber
Decoding Cyber aims to simplify and explain cybersecurity concepts in an easy-to-understand manner. The founders created Decoding Cyber because they felt cybersecurity had become too complex for most people who need it. They recognized that the growing and evolving cyber threats, combined with the industry's complexity, made it difficult for businesses to address cyber matters effectively. By providing simplified explanations and content, Decoding Cyber aims to help businesses and individuals make informed decisions about cybersecurity without getting lost in technical complexities.