Watch out for the enemy within

Quick – name a security risk to your business that represents over half of security attacks.

Did you think “people inside my business?”

Probably not. Yet the 2015 IBM Cyber Security Intelligence Index found that over half of security attacks came from within: 31.5 per cent from malicious insiders and 23.5 per cent from inadvertent actors. And this is no exception; security studies consistently demonstrate that the majority of issues originate within the victim organization.

The popular paradigm of the mastermind hacker is misleading – there is an inherent risk in business/partner relationships. Anyone with privileged access to data and IT systems poses a serious threat.

It’s called insider risk. And “insiders” means everyone from former employees to current ones to contract workers and business partners.

The motivation for an intentional internal attack can range all the way from financial gain to extortion. Cyber security can also be compromised by carelessness – weak passwords and lost devices.

There are ways to mitigate. Considering incorporating an insider risk management program, with the following components:

  1. Engagement and hiring

Have contracts in place that clearly outline your security policies and procedures when hiring employees and engaging contractors. Your contract should also seek explicit legally binding consent for your organization’s monitoring and enforcement programs; this exercises appropriate, lawful due-diligence that will protect the corporation in the event of a cybersecurity infraction.

  1. Training and education

Training and education should occur on a continuous basis, not just when onboarding. This keeps security top-of-mind; it ensures everyone understands your cyber risk policies and procedures; it keeps everyone up-to-date; and its helps protect you from carelessness. Ultimately, it makes your organization better able to identify, understand, resist and respond to cyber threats.

  1. Risk assessment policies and procedures

Technology never sleeps. Periodically, assess policies and procedures to identify and prioritize changing requirements. Then implement any required changes – using straightforward explicit language – to ensure ongoing safe use of IT systems and data.

  1. Monitoring and enforcement

Procedures are only effective if they are monitored. Be diligent in assessing and routinely testing that anyone with access is compliant with your procedures. During high-risk periods, consider enhanced monitoring, encouraging everyone to promptly report any suspect behaviour.

  1. Incident response plan

Create a comprehensive plan that responds to insiders who are suspected of having caused or contributed to a cyber security incident. Then test it.

  1. Disengagement

When disengaging an insider, follow appropriate, lawful procedures. To minimize risk:

  • Revoke all access to the IT system
  • Retrieve organizational assets, such as storage and computing devices
  • Take steps to ensure that no privileged information exists on a personal computer, including reminding the employee of their legal obligation to return or delete any company information upon termination.
  • Remind the insider of their ongoing legal obligations to the organization, to dissuade any retaliatory action.
  1. Physical and technological

Hand-in-hand with your administrative policies are physical (e.g. entry cards) and technology-based security systems. Each of these should be able to detect and prevent unauthorized access, seeking a lawful and reasonable balance between security and suitability in the workplace.

Monica Goyal
Monica Goyal
Monica Goyal, Entrepreneur, Lawyer and Innovator is the founder of Aluvion, a legal solutions company offering technology, paralegal and lawyer-driven solutions with a special focus on the quality, cost, and accessibility of legal services for both businesses and individuals. Monica began her career working as an engineer in R&D for companies like Toshiba, Nortel and Nokia while earning her Masters of Engineering at Stanford. Monica's history conditioned her to solve problems in a efficient and tech-savvy manner, an approach she brings with her to legal solutions. Monica currently sits on the Canadian Bar Association's Futures Initiative, and will be teaching a course on Legal Technology at York University’s Osgoode Hall. She was recently named one of 10 Women to Watch in Tech in the Journal of the American Bar Association.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Blogger Spotlight

Latest Blogs

ITB in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.