The conference I was supposed to speak at next week was just cancelled, as many are and will be, due to coronavirus concerns. The topic was “Insider Threats and How to Mitigate Them.” One of the points I was going to make was that insider threats, both malicious and unintentional, are an ongoing and serious problem for companies. On top of that, now that many companies are “going remote” in response to coronavirus concerns, the risks of insider threats will only mount.
What is an insider threat? There are basically two kinds: 1) a malicious act when an employee, vendor or other individual who has access to company information steals personal information, health information or proprietary information; and 2) an unintentional act, such as a misdirected email, falling for a phishing scheme or wire fraud scheme, sending company data to a personal email account, or losing a USB drive or laptop.
How often do insider threats happen? According to a recent survey, 90 percent of respondents feel they are vulnerable to insider threats, 53 percent have confirmed insider attacks against their organization, and 86 percent already have, or are building, an insider threat program. Additional statistics to consider include the fact that insider threats are caused 56 percent of the time by regular employees, 55 percent by privileged IT users or administrators, and 42 percent by contractors, temporary workers or service providers.
These statistics don’t fully recognize the new reality of remote workers due to coronavirus. Many companies are implementing contingent operations plans, which include allowing employees who do not usually have access to company systems remotely or through a virtual private network, to now have access. This means they will be using their home internet connection, potentially their home computer and printer, and using remote connections. The risks associated with remote connectivity in normal times will be magnified in the new reality, without the benefit of completing a full analysis of the risks and security measures to be put in place, including robust employee education.
At the very least, these new remote workers need to understand the risk they pose to the organization and have a clear understanding of the importance of following company policies and procedures around remote access. Thoroughly training employees before they are given remote access is critical to risk reduction. Implementing increased monitoring on email and document access and disclosure is another thing to consider when allowing additional employees remote access. Control of the systems with more remote workers will be an added risk for information technology teams in companies, and mitigating this risk during the roll-out of a new remote workforce is worth the time and effort.