August 17, 2018
Managing the threat from within
As a business leader where do you see your areas of greatest risk? Is Brexit one of your major concerns, or are you more worried about supplier volatility? Perhaps competition from new entrants to the marketplace is a cause for disquiet, or maybe you see sustainability or global warming as a long-term threat to organisational growth.
Whatever your risk list, there is one potential risk which can all too easily slip under the radar: the risk from within. The challenge of managing insider threats, those perpetrated by current or former employees or stakeholders, was highlighted in a recent Southwest Police regional cyber crime unit briefing. Warning that “significant damage can be caused to a company from anyone who has, or at one time had, access to confidential or proprietary information”, the briefing highlighted the problems which can arise when people misuse the access which they have been given to IT systems or processes.
Deliberate or accidental, risks arising from the behaviour of people within the organisation can be harder to detect, particularly if there is a deliberate attempt to circumvent internal processes and systems. And as the cyber briefing comments, the majority of security incidents can be traced back to human error in some capacity.
So how do businesses manage internal risk? Well, apart from making sure that you check the credentials of new employees and change passwords as appropriate when people leave, Southwest Police have recommended some other areas for consideration. These start with considering the use of the principle of ‘least privilege’: only providing employees with access to the data and systems which they need in order to carry out their role. Match this approach with a segregation of duties which requires more than one person to sign off on business-sensitive processes and payments, and you reduce the chance of a breach being perpetrated by a single individual, particularly if you also instigate regular monitoring of work patterns in order to identify unusual behaviour.
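To show how the segregation-of-duties and work-pattern monitoring recommendations above can be checked in practice, here is an added example (not from the briefing or the original article) that runs two detections over a constructed payment audit log: one flags any payment that a single user both created and approved, the other flags activity outside an assumed normal working window. The log entries, user names, action names and the 07:00 to 19:59 window are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): (timestamp, user, action, payment_id).
AUDIT_LOG = [
    ("2018-08-13T09:12:00", "alice", "create_payment",  "P-1001"),
    ("2018-08-13T10:05:00", "bob",   "approve_payment", "P-1001"),
    ("2018-08-14T11:30:00", "carol", "create_payment",  "P-1002"),
    ("2018-08-14T11:31:00", "carol", "approve_payment", "P-1002"),  # one person, both steps
    ("2018-08-15T02:47:00", "bob",   "create_payment",  "P-1003"),  # outside normal hours
    ("2018-08-15T09:00:00", "alice", "approve_payment", "P-1003"),
]

# Assumed "normal" working window for this organisation: 07:00 to 19:59.
WORKING_HOURS = range(7, 20)


def segregation_of_duties_violations(log):
    """Return payment ids where the same user both created and approved the payment.

    A dual-control policy requires these two sets of users to be disjoint; any
    overlap means one individual could push a payment through alone."""
    actors = defaultdict(lambda: {"create_payment": set(), "approve_payment": set()})
    for _ts, user, action, pid in log:
        if action in actors[pid]:
            actors[pid][action].add(user)
    return sorted(pid for pid, a in actors.items()
                  if a["create_payment"] & a["approve_payment"])


def off_hours_events(log, hours=WORKING_HOURS):
    """Return (user, timestamp) pairs for events logged outside the working window.

    This is the simplest form of work-pattern monitoring; a per-user baseline
    would be the next refinement."""
    return [(user, ts) for ts, user, _action, _pid in log
            if datetime.fromisoformat(ts).hour not in hours]


def insider_risk_report(log):
    """Combine both checks into one structure a reviewer can act on."""
    return {
        "sod_violations": segregation_of_duties_violations(log),
        "off_hours": off_hours_events(log),
    }


if __name__ == "__main__":
    print(insider_risk_report(AUDIT_LOG))
```

A flagged item is a prompt for a human review of the underlying transaction, not proof of wrongdoing.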
Other suggestions include the implementation of regular cyber training. This should not only cover the more obvious areas such as phishing and business email compromise but also raise awareness of social engineering, in which attackers manipulate employees into revealing sensitive information. Not only does cyber training raise awareness, it also acts as the focal point for a business-wide discussion in which employees are encouraged to take ownership of cyber risk and to report any concerns which they may have.
Risk management is one of the key responsibilities of a company board. When you are drawing up your risk matrix, this is a timely warning not to neglect the threat from within.