In data privacy and security jargon, an insider threat usually includes:
- an employee who creates a security risk through a lack of awareness or carelessness, but doesn’t mean to do anything wrong (for example, clicking on a phishing email and introducing malware or ransomware into the system);
- an employee who creates a security risk for his or her own purposes (for example, sending a customer list to his or her personal account); or
- an employee who has malicious intent and is stealing information to sell it or is working for another malicious individual.
Companies are responding to each of these threats with risk management techniques tailored to each one, and there are some simple strategies to start with.
For the unengaged or careless employee, companies are implementing robust employee awareness campaigns to engage employees and educate them on data security and arm them with ways to address the threats of phishing, wire fraud, spoofing, and basic cyber hygiene involving removable media and complex passwords.
For employees who send company data to their personal email accounts, companies are implementing data security guidelines that prohibit sending any company data to personal email accounts and are advising employees of the requirement. They back the rule up by auditing employees’ use of company email, actively monitoring it, using alert tools, and performing targeted look-backs of emails sent by employees who depart suddenly or are terminated. Telling your employees that this is what you are doing is itself effective in addressing this risk.
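As an added illustration of the alerting and look-back controls described above (example code, not part of the original post), the script below runs two checks over a constructed mail-gateway log: flag any message addressed to a personal webmail domain, and review a departing employee’s outbound mail for the period before departure. The log format, the personal-domain list and the addresses are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample mail-gateway log (not from the original post). Assumed format:
# "<ISO timestamp> sender=<addr> recipient=<addr> subject=<text>"
SAMPLE_LOG = """\
2024-03-01T09:12:00 sender=jane@corp.example recipient=vendor@partner.example subject=Q1 invoice
2024-03-01T17:45:00 sender=jane@corp.example recipient=jane.doe@gmail.com subject=customer list
2024-03-02T08:03:00 sender=bob@corp.example recipient=team@corp.example subject=standup notes
2024-03-03T22:10:00 sender=bob@corp.example recipient=bob77@outlook.com subject=contracts export
"""

# Domains treated as personal webmail; an assumed starting list, tune it for your environment.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

LINE_RE = re.compile(r"^(\S+) sender=(\S+) recipient=(\S+) subject=(.*)$")


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sender, recipient, subject = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "sender": sender,
                       "recipient": recipient, "subject": subject})
    return events


def is_personal(addr):
    """True when the address's domain is on the personal-webmail list."""
    return addr.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS


def flag_personal_email(events):
    """Alert rule: any company mail addressed to a personal webmail domain."""
    return [e for e in events if is_personal(e["recipient"])]


def departure_lookback(events, user, departure_date, days=30):
    """Look-back for a departing user: personal-domain sends in the N days before departure."""
    end = datetime.fromisoformat(departure_date)
    start = end - timedelta(days=days)
    window = [e for e in events if e["sender"] == user and start <= e["ts"] <= end]
    return flag_personal_email(window)


if __name__ == "__main__":
    for e in flag_personal_email(parse_log(SAMPLE_LOG)):
        print(f"ALERT {e['ts']} {e['sender']} -> {e['recipient']}: {e['subject']}")
```

The domain list only catches the obvious webmail case; a real deployment would also cover forwarding rules and attachments, which the post's monitoring and alert tools are meant to handle.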
For the malicious employee, strategies include obtaining background checks, using monitoring tools and look-backs, using security tools that alert IT to suspicious behavior, and using predictive modeling technology. But honestly, a malicious employee, or an actual criminal who joins the company in order to steal from it, is obviously the hardest risk to address.