Security teams have been tackling external threats like ransomware and phishing for decades. It’s a simple mission: identify the threat, stop the attack by blocking, and prevent it from spreading. Urgency becomes a top priority – to ensure the team can contain the situation before bad actors get their hands on too much information or compromise the company’s systems.
Recently, data threats from other origins have become a more looming and present hazard. Companies are starting to realize that data leaks, loss and theft from internal sources pose just as much danger to an organization’s valued data and bottom line. Many security teams today don’t know that external and internal data threats require different approaches – in fact, they should tackle insider risks with an opposite mindset.
Define the internal threat
Insider risk, while not new, has become more prevalent over the past few years. For today’s highly distributed workforce, use of collaboration tools and cloud destinations has reached an all-time high. Valued corporate data – customer information, financial insights and highly confidential trade secrets – moves between personal devices, unprotected email addresses or unsanctioned sharing services with little to no oversight. This opens up companies and employees to potentially oversharing information, whether intentionally or accidentally.
Companies of any size and specialty can fall victim to insider risk. This year alone, we saw a former Block employee download information belonging to CashApp customers; Cartier sued Tiffany for stealing trade secrets; and a former Apple car engineer pled guilty to stealing trade secrets. Although these were all cases of malicious data theft, what about the non-malicious data exposure events that could disrupt the business? Take, for example, the CFO who accidentally shared to her entire company a document entitled, “Restructuring.” Even though it was an accident on the CFO’s part, think of the employee unrest that event could cause. For a public company, it could trigger a Reg FD filing and impact stock trading and price.
This organization’s security team caught the CFO’s mistake quickly, but when it came time to address the CFO, was it appropriate to be heavy-handed like for an external threat? Or does a CFO making an honest error deserve some grace and in-the-moment corrective education? Security teams need to take an empathetic approach to potential breaches and data exposure; it’s the better, more productive option.
How to approach internal data exposure risks
Members of the security operations center (SOC) team are experts in preventing, detecting and responding to external cybersecurity risks that threaten their company’s assets or reputation. However, they are much less experienced in investigating and responding to potential insider risks.
More than 50% of internal events are non-malicious, like those of our CFO friend. Typically, this means an employee was simply trying to do their job but made a mistake, took a shortcut or found a workaround to a complicated process. While a company’s information is at risk whether the intent was malicious or not, assuming the worst and treating employees in a hostile manner often backfires.
Instead, when responding, approach each case with empathy, assuming the employee made an honest mistake and wants to learn how to do better in the future. These instances should include a team consisting of stakeholders from security, HR, the employee’s leader and maybe even legal because of the sensitive nature of confronting colleagues. Each investigation should consist of a few important elements:
- Ensure the team has accurate situational context: It’s easy to assume malicious intent before the team gets the full picture. Withhold judgment until someone from the team has spoken to the employee in question, and take the employee at their word when they give their account. HR leaders can help work through unconscious biases to ensure the investigations team approaches each potential threat with a blank slate.
- Communicate the security team’s perspective: Often, employees are unaware that their action isn’t allowed. Whether because security training wasn’t thorough enough or recent enough, it’s not uncommon for the desire to get the job done to override a cybersecurity lesson learned months or years prior. Security and legal team members can explain, in a way each employee can understand, why certain platforms or accounts aren’t sanctioned paths, as well as re-share and reinforce existing data handling policies.
- Educate and move forward: It’s important to not only outline what went wrong in that instance, but also educate employees on a better path to accomplishing similar tasks in the future. Providing this insight in the moment, as close as possible to the incident occurring, makes the lesson more likely to stick long-term. Security teams will also need to take action – there’s always the possibility that an insider breach was malicious and the team needs to deal with it appropriately. In those instances, the security, HR, leadership, and legal investigations team should meet to determine the best next steps based on company protocols.
By creating a culture of trust among colleagues, organizations will protect themselves better from both malicious and accidental breaches. Addressing insider risk with empathy can help keep employees engaged and productive, while ensuring a company’s valuable data stays safe and secure.
Jadee Hanson, CIO and CISO, Code42