Insider threats pose a major risk to any business, whether it’s from intentional sabotage or theft or unintentional information sharing, as we’ve illustrated in two previous blog posts.
So how does a company address these threats? In this final post of our three-part series on the insider threat, we offer some answers. But first, a caveat: every business and supply chain has different needs, so you will want to tailor your approach to the breaches your business is most likely to face.
Research suggests a three-pronged approach against malicious and accidental insider threats:
Employee education is one of the biggest tools companies have for reducing these threats. Like soldiers in the field, employees are for many firms the first line of defense when it comes to data security. Educating employees on potential threats, on what they should consider to keep their firm safe, and on how to alert their managers to suspicious behavior helps keep a company safe.
For example, one study notes that deeply rooted psychological habits often play, unintentionally, into the hands of phishing scams. The way to mitigate that lies in helping employees recognize where the threats are and how to avoid triggering those habits.
Managers especially should be trained on how to spot threats. Research shows that 70 percent of malicious insider attacks occur within 60 days of the employee being fired. Making managers aware of that trend, so they watch departing and recently terminated employees closely and make sure their accounts and access are revoked the day they leave, can help lower that risk.
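A concrete check that follows from that 60-day window is to reconcile HR's termination list against what is still enabled in the directory, and against recent authentication logs. The script below is an added example, not code from the original post: the termination list, the directory export and the log lines are constructed sample data, and the log format (one `LOGIN user=... src=... result=...` line per event) is an assumption chosen for the example rather than any particular product's format.

```python
from datetime import date, datetime

# Constructed sample data (not from a real system): an HR termination list,
# a directory export of which accounts are still enabled, and a few
# authentication log lines in an assumed key=value format.
TERMINATIONS = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 2, 15),
    "bwong": date(2024, 3, 10),
}
ACCOUNTS_ENABLED = {"jdoe": True, "asmith": False, "bwong": True, "clee": True}
AUTH_LOG = """\
2024-03-02T08:15:00 LOGIN user=jdoe src=10.1.4.22 result=success
2024-02-14T17:40:00 LOGIN user=asmith src=10.1.4.9 result=success
2024-02-20T22:05:00 LOGIN user=asmith src=203.0.113.7 result=failure
2024-03-11T09:00:00 LOGIN user=clee src=10.1.4.30 result=success
2024-04-30T02:13:00 LOGIN user=bwong src=198.51.100.5 result=success
"""


def parse_auth_log(text):
    """Parse the assumed '<timestamp> LOGIN k=v k=v ...' format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, _action, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({
            "time": datetime.fromisoformat(timestamp),
            "user": fields["user"],
            "src": fields["src"],
            "result": fields["result"],
        })
    return events


def stale_accounts(terminations, enabled, today):
    """Users HR says have left (on or before today) whose account is still enabled."""
    return sorted(
        user for user, left in terminations.items()
        if left <= today and enabled.get(user, False)
    )


def post_termination_activity(terminations, events, window_days=60):
    """Auth events (successful or failed) on or after a user's termination date.

    Every such event is returned; in_window marks the 60-day period the
    research cited in the post calls out as highest risk.
    """
    hits = []
    for event in events:
        left = terminations.get(event["user"])
        if left is None:
            continue  # still employed, nothing to flag here
        days_after = (event["time"].date() - left).days
        if days_after >= 0:
            hits.append({
                "user": event["user"],
                "time": event["time"].isoformat(),
                "src": event["src"],
                "result": event["result"],
                "days_after": days_after,
                "in_window": days_after <= window_days,
            })
    return hits


def report(today=date(2024, 5, 1)):
    """Run both checks over the sample data and return the findings."""
    events = parse_auth_log(AUTH_LOG)
    return {
        "stale_accounts": stale_accounts(TERMINATIONS, ACCOUNTS_ENABLED, today),
        "post_termination_activity": post_termination_activity(TERMINATIONS, events),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Run against the sample data, the report flags two accounts still enabled after termination (`bwong`, `jdoe`) and three post-termination events, including a failed login from an outside address, which is worth a look even though it did not succeed. In practice the inputs would be an HR export and a directory or identity-provider query, and the check would run on a schedule rather than by hand.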
The best way to educate employees is to develop company guidelines on security, conduct annual workshops or seminars with employees and make security guidelines part of any on-boarding process for new employees.
Which brings us to…
Clearly Communicated Expectations
Set policies will help you bring your whole team together to mitigate threats. First, identify the potential threats to your business. Widely circulated federal guidelines can help firms identify their main concerns, and Carnegie Mellon University's CERT experts wrote the book on the subject, the Common Sense Guide to Mitigating Insider Threats, with 19 practices to consider.
Create guidelines that close the gaps in your business. Steps could include:
- Blocking social media access from office machines
- Banning outside hardware, such as USB devices
- Disallowing employees from taking home sensitive paperwork for after-hours work
…or other steps, depending on your business needs.
Establishing guidelines and policies will make them easier to disseminate to all employees, and ensure everyone is on the same page.
Reporting Suspicious Activity
Few people want to be known as the office snitch. Give employees a place where they can anonymously report suspicious activity that could signal a threat. It could be an anonymous tip line or voicemail box, a web form, or a printable form that employees can fill out and submit without signing.
In all cases, whether in writing or in the voicemail greeting, include instructions so the reporter gives enough information (who, what, when, where, and which systems were involved) for you to follow up on the concern.
You'll also want to establish an internal process for investigating and mitigating reported threats. Do you examine an employee's computer directly or take a more subtle approach? Do you handle your own investigation or outsource it? These are questions best answered now, with input from legal counsel and HR, so you can act quickly should a crisis occur.
These steps, from guidelines to training to setting up reporting options, can be time-consuming. But keeping information about your business, your employees and your clients safe is worth it.