Insider Threat Mitigation Guide
Introduction
An insider threat refers to an individual who has been entrusted with access to or knowledge of an organization’s operational components, personnel, physical assets, networks, systems or technology. These individuals may include current or former employees, vendors, suppliers, investors, business partners or other third-party collaborators. Due to their understanding of and unique privileges to such sensitive information and resources, insider threats have the potential to compromise organizations’ most valuable assets and leave them increasingly vulnerable to various cyberattacks (e.g., ransomware incidents and data breaches), regardless of whether these individuals do so intentionally or unintentionally.
Insider threats pose significant cybersecurity risks for businesses of all sizes and sectors, often resulting in serious consequences. Specifically, cyber incidents stemming from insider threats (also known as insider events) can lead to prolonged operational disruptions, widespread data exposure, severe reputational damage and large-scale financial losses.
According to research from the Ponemon Institute, more than 7,300 insider events took place throughout the last 12 months. Further, a recent survey conducted by IT platform Cybersecurity Insiders found that the average insider event costs over $755,000. What’s worse, these incidents are on the rise, and the Ponemon Institute revealed that insider events have skyrocketed by 40% over the past four years, with the average event taking nearly three months (86 days) to contain.
Considering these findings, organizations across industry lines must take insider threats seriously and bolster their cybersecurity policies and procedures. That’s where this resource can help. The following guide provides information on different types of insider threats and key motivations among these individuals, outlines best practices for assessing insider threat risks, offers tips for minimizing insider threat events and losses, and highlights legal and compliance considerations associated with handling such threats. This resource also contains an appendix featuring several case studies and a checklist to help businesses better understand insider threats and deploy effective mitigation techniques. By utilizing this guide, organizations can equip themselves with the information needed to combat insider threats and reduce potential losses if related incidents occur.
This guide is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Businesses should contact legal counsel or an insurance professional for appropriate advice. Reach out to Wells Insurance today for further risk management guidance and insurance solutions.
Types of Insider Threats
There are three main types of insider threats: Negligent employees, malicious insiders and third-party collaborators. Here’s a breakdown of these threats:
1. Negligent employees — This type of insider threat consists of uneducated or careless employees who unintentionally expose an organization’s information and assets to unauthorized parties. Negligent employees may lack the experience, awareness or attentiveness necessary to identify possible security exposures, making them more error prone or more easily manipulated by cybercriminals’ tactics. These individuals represent the most prevalent type of insider threat. In fact, multinational technology corporation IBM has reported that human error is a contributing factor in 95% of recorded cyber incidents.
As a whole, the Ponemon Institute reported that negligent employees are the cause of more than half (55%) of all insider events.
Common insider threat scenarios involving negligent employees include the following:
- An employee is deceived by a phishing scam or other social engineering attack, prompting them to share their login credentials with a cybercriminal and give the perpetrator unauthorized access to the company’s IT infrastructure.
- A worker is new to their role and hasn’t been properly trained on how to use organizational software, resulting in them making several errors while operating this technology and compromising the sensitive data stored on it.
- An employee has a large task load and works long hours, causing them to rush through their assignments and make multiple mistakes, such as sending confidential business files to the wrong recipients or accidentally downloading malicious software (also called malware).
2. Malicious insiders — Unlike negligent employees, malicious insiders’ actions are intentional. That is, these individuals—usually current or former employees—knowingly abuse their knowledge of or access to an organization’s information and assets to participate in harmful activities. Malicious insiders are often motivated by their own financial or professional gain or by a desire for “revenge” on the target company for its perceived wrongdoings. Some are driven by ideology, seeking attention or believing that attacking the organization serves the public good. According to the Ponemon Institute, one-quarter of insider events stem from malicious insiders. Some insider threat scenarios involving malicious insiders include the following:
- A disgruntled employee feels upset that their boss didn’t select them for a promotion and acts on this personal grievance by infecting company technology with malware or other harmful viruses.
- A worker leaves their position for a new role at a different company and steals intellectual property from their previous employer with the intention of benefiting their own career growth and diminishing the impacted organization’s competitive edge.
- An employee is struggling financially and agrees to send confidential business records to cybercriminals in exchange for a large payment.
3. Third-party collaborators — This type of insider threat pertains to individuals who are not formal members of an organization, but have still been provided with private details of or some security clearance to certain company data and resources, such as suppliers, vendors or other contractors. Although their access to organizational information and assets may be limited, it could still be leveraged to cause widespread disruption and damage, thus posing substantial cyber risks and leaving the door open for major losses. Insider events arising from third-party collaborators could be negligent (e.g., a supplier forgetting to install security patches on organizational technology and leaving external networks more susceptible to infiltration) or malicious (e.g., a vendor abusing their login credentials to steal company funds).
Assessing Insider Threat Risks
Before organizations can implement steps to mitigate insider threats, they must first conduct risk assessments. In particular, it’s imperative for a company to analyze and document its unique insider threat exposures and outline the potential ramifications that may result from insider incidents, ultimately making it easier to determine necessary risk management measures. After all, different industries and operations face varying exposures, largely based on their technological vulnerabilities and the types of information and assets they possess.
While businesses across all sectors face insider threats, certain industries are more likely to experience increasingly frequent and severe insider events. According to the Ponemon Institute, the following sectors have recorded the largest losses due to insider threats during the past 12 months:
In light of these findings, organizations operating within such sectors should be especially aware of their insider threat exposures and carefully evaluate their heightened loss potential. Regardless of industry, all organizations should consider which categories of their data and resources could be deemed attractive to cybercriminals and, therefore, more susceptible to being targeted amid insider events.
Also known as critical assets, this generally includes any protected information or items that— if damaged, modified or otherwise diminished in value—would no longer be private or properly accessible to the affected organization and, consequently, severely impact the organization’s ability to uphold its essential operations, services and business functions.
Although critical assets differ between organizations, the Ponemon Institute identified the following data and resources as the most vulnerable to insider threats:
In addition to identifying critical assets, organizations should assess whether any aspects of their operations carry digital vulnerabilities that provide avenues for exploitation, thus paving the way for insider threats. Key examples of these vulnerabilities include outdated systems; unpatched software; flat, unsegmented networks; weak or single-factor authentication and coarse access controls; untrained, inexperienced or overworked employees; unencrypted data; a lack of secure, separately controlled backups for crucial files and records; and poor security awareness and related policies among third-party collaborators.
Like other cybersecurity risks, insider threats are constantly shifting and evolving. As a result, conducting risk assessments shouldn’t be a one-time occurrence. Rather, organizations should regularly reassess their insider threat exposures, making updates and adjustments as needed.
Mitigating Insider Threats
There are several measures that organizations can establish to help mitigate insider threats and keep related losses to a minimum. Here are some best practices for companies to consider.
Know the Signs
First and foremost, organizations should be aware of the key signs that may allude to the presence of an insider threat. Common indicators of insider threats include the following:
Background indicators — These indicators refer to experiences or events that occur prior to an individual being hired by an organization or otherwise gaining access to its information and assets. Background indicators usually can’t be easily observed by company leaders, HR professionals or co-workers. Rather, such indicators may be detected amid mandated pre-employment background checks or through in-depth professional screenings. Still, it’s worth noting that some people may still withhold this information even when they are required to disclose it, thus making it more difficult to identify these individuals as potential insider threats. Examples of background indicators include having a history of criminal behavior, short-term employment, mental health concerns or addiction issues (e.g., substance abuse, excessive spending or gambling); being involved with groups or individuals who oppose an organization’s core values; engaging in activities that could be considered conflicts of interest; conducting troubling business transactions; and joining untrustworthy social or professional networks.
Personal indicators — Such indicators consist of both predispositional attributes and personal stressors that may cause tension in an individual’s life or impact their sense of judgment and self-control, ultimately leading them to be more likely to participate (whether willingly or unwillingly) in insider events. Personal indicators may be detected before an individual joins an organization or arise throughout their employment or professional services. Examples of these indicators include psychiatric or medical conditions; aggressive, compulsive, narcissistic or violent behavior; criminal conduct, legal problems or workplace violations; family struggles (e.g., death or divorce); growing financial challenges; and negative professional developments (e.g., demotions, transfers, contract disputes, conflicts with management or coworkers, disagreements related to intellectual property rights, poor performance reviews, or termination). In some cases, personal indicators may even stem from positive career changes (e.g., promotions or unexpected opportunities), as these events can still cause additional stress. These indicators play one of the most substantial roles in identifying insider threats. According to recent research from Cybersecurity Insiders, the vast majority (88%) of security professionals confirmed it’s necessary to consider personal indicators when detecting high-risk insiders.
Behavioral indicators — These indicators refer to patterns of behavior that differ from someone’s typical interactions and activities within work settings, therefore creating cause for concern and increasing the risk of the individual being involved in insider events. Behavioral indicators can be clearly identified by establishing a baseline for an individual’s usual actions amid their employment or professional services and detecting when these actions suddenly shift. Examples of these indicators include no longer being willing to comply with company policies or security protocols; carelessly breaching organizational rules; acting erratic or impulsive; working irregular hours or extended shifts without authorization; using company equipment without permission or bringing personal devices into high-security locations; taking unannounced time off; being hostile to co-workers or starting unnecessary arguments; withdrawing from social situations; making inappropriate jokes or statements; communicating with unapproved contacts (e.g., business competitors); and openly expressing resentment toward work responsibilities, discussing switching roles or resigning from the organization.
Technical indicators — Similar to behavioral indicators, technical indicators consist of abnormal actions that an individual takes across an organization’s systems, networks or technology. These indicators can be detected by establishing a baseline of an individual’s usual technical habits and observing unexplained departures from it. Most organizations that watch for technical indicators do so with monitoring tooling (endpoint agents, log collection and SIEM or analytics platforms) that records activity on company devices and within core IT infrastructure and raises alerts on suspicious actions. Examples of technical indicators include sending emails with unusually large attachments or volumes of data; using unauthorized devices; connecting to prohibited networks or restricted systems; engaging in dark web activity; launching malware or other harmful software; trying to bypass network security controls, install tools that hide activity or escalate user privileges; attempting to modify or copy protected files; operating organizational technology outside of normal working hours; logging in from multiple, widely separated locations or holding several accounts for a single user; trying to erase logs; and sharing private company information or otherwise acting irresponsibly on professional platforms and social media. No single indicator is proof of wrongdoing (a large transfer may be a legitimate migration), so alerts should be weighed against the individual’s role and investigated before action is taken.
Environmental indicators — Such indicators refer to organizational factors or workplace characteristics that may limit an individual’s ability to respond appropriately to company security issues or serve as the “final straw” in motivating a malicious insider to execute an attack and justify their poor choices. Environmental indicators are largely established based on a company’s policies, procedures and cultural practices. In other words, a toxic work environment or unsupportive organizational culture may push an individual toward becoming an insider threat. Examples of these indicators include a lack of employee awareness or understanding of cybersecurity risks; toxic leadership measures (e.g., inappropriate disciplinary actions, inconsistent enforcement of organizational protocols, inaction following reports of workplace issues or grievances, indifference to complaints of mistreatment, minimal employee appreciation efforts and little transparency); aggressive reactions to threat notifications; a perceived tolerance of overworking and poor company performance; elevated financial or contractual uncertainty; and limited documentation of risk management processes.
Foster a Strong Security Culture
By cultivating a positive company culture that values security and trust, organizations can promote adequate awareness of insider threats and ensure their employees and third-party collaborators stay vigilant in mitigating related exposures and losses. When individuals feel properly supported and respected by an organization, they are more likely to act in the company’s best interests, take accountability for understanding potential risks and come forward upon noticing suspicious activities.
Creating such a culture starts with the hiring process. This means that, when considering potential job candidates, companies should be sure to utilize adequate vetting protocols to help catch background indicators of insider threats and communicate to these individuals early on that security is a top organizational priority. Effective vetting protocols may include conducting interviews, performing character assessments or screenings, asking for multiple professional references and issuing background checks.
Another integral aspect of fostering a strong security culture centers around providing employees with regular education and training. Employees are widely considered an organization’s first line of defense against cyberattacks, which means the way they respond to insider threats can make all the difference in stopping incidents before they can progress into large-scale losses. As such, employee education and training should focus on the following key topics:
- Types of insider threats and common signs of these threats
- Methods for reporting insider threats and associated suspicious activities
- Safe internet browsing and email usage requirements (e.g., social engineering and phishing prevention techniques)
- Password and user authentication standards
- Cyber incident response measures and designated employee roles during insider threat scenarios
- Company cybersecurity policies (especially those related to insider threat mitigation, network and system safeguards, data and asset controls, and whistleblower protections)
Even with employee education and training initiatives in place, organizations may fail to create an effective security culture if they can’t convince their workforce or senior leaders to take these measures seriously.
These issues may stem from staff and company executives upholding the outdated mindset that the IT department is solely responsible for ensuring organizational security or a lack of understanding regarding the rising severity of cyber exposures. With these concerns in mind, here are some measures that organizations can utilize to maintain a thriving security culture and keep insider threats at bay:
- Engage organizational leaders. Senior executives are sometimes resistant to adopting good cyber hygiene. This must change for a company to create a successful security culture. Employees need to see management leading by example if they’re going to buy into such a culture. Organizations should encourage leaders to join the conversation and reinforce that cybersecurity is every employee’s responsibility. Additionally, senior executives are one of the biggest targets for cybercriminals. As a result, organizations should ensure they are doing their part in upholding security values by teaching these leaders how to identify and defend against targeted cyberattacks.
- Inspire ownership of cybersecurity. Organizations should clearly communicate what’s at stake to their employees and explain they need their workers’ help. It’s not enough to simply describe changes to security protocols. Instead, companies should ensure employees understand why these changes have been made and what they are trying to do to protect their operations. It’s imperative that employees understand that no security system is foolproof and, therefore, it’s up to them to minimize threats and avoid unnecessary risks.
- Create engaging educational programs. Cybersecurity training should not be presented as a one-off occurrence. If organizations want their employees to embrace security as part of their culture, it’s essential to provide engaging training initiatives based on real experiences. Organizations should consider leveraging discussion forums, online games, in-person training and mock attack scenarios as part of their holistic approach to cybersecurity education. Brief and frequent lessons will also be more digestible and remind employees that cyber awareness is part of their corporate life.
- Celebrate success. Organizations should consider making cybersecurity awareness part of performance reviews and reward systems. It is also beneficial for companies to acknowledge employee successes one-on-one by expressing appreciation or offering rewards for their commitment to organizational security goals.
Leverage Access Controls
As a rule of thumb, it’s best for organizations to only provide employees and third-party collaborators with access to the systems, networks, data, technology and other organizational resources that are absolutely necessary for performing their key job functions. This concept, commonly known as the principle of least privilege (POLP), limits what an insider can reach directly and what an outside attacker can reach after compromising that insider’s account, so that a single account never exposes all company information and assets and the resources available to leverage in an insider event are kept to a minimum.
There are several POLP-related policies and procedures that organizations can utilize to promote adequate access controls and reduce the likelihood of insider threats causing widespread damage across critical IT infrastructure, including the following:
- Role-based access controls (RBAC) — With RBAC, all employees and third-party collaborators have well-defined roles and assignments, making it evident which organizational resources they need in order to fulfill their responsibilities and complete essential tasks. From there, these individuals should receive clear guidelines regarding the information and assets they are permitted to use in the course of their employment or professional services, with user restrictions implemented to prevent unauthorized access to additional sensitive resources. Each individual’s privileges and limitations should be properly documented and updated as needed to reflect changes in resource needs. For instance, individuals’ access controls may require alteration following shifts in their workloads or job responsibilities (e.g., upon being assigned to a new project or getting a promotion); without such “mover” reviews, permissions accumulate over time until an account holds far more than its current role requires. Additionally, user privileges should be promptly revoked from dormant, orphaned and inactive accounts, such as those belonging to former employees or past suppliers, and periodic access recertification should confirm that every remaining account still matches its assigned role.
- Privilege management — Even those entrusted with access to company information and assets should be monitored to ensure they are successfully safeguarding their accounts and are not abusing their privileges. Specifically, organizations should routinely review individuals’ network activities and system operations to confirm they are working within the confines of their assigned responsibilities and not demonstrating irresponsible or suspicious behaviors. Further, individuals should be held accountable for keeping their accounts secure with sound password practices and multifactor authentication (MFA) on all workplace technology. Current guidance (e.g., NIST SP 800-63B) favors length over complexity rules: passwords or passphrases should be long (12 to 16 characters or more), unique to each system, free of personal information (e.g., family or pet names or important dates), stored in a password manager and screened against lists of known-breached passwords, and they should be changed when there is evidence of compromise rather than on a fixed calendar, since forced periodic rotation tends to produce predictable variations of the old password. MFA is a layered approach in which a system requires a user to present two or more independent factors (something they know, have or are) to verify their identity at login. Through MFA, individuals must confirm their identities with an additional factor (e.g., a one-time code from an authenticator app, a hardware security key or a biometric) in addition to their passwords when accessing corporate networks and servers; phishing-resistant methods such as FIDO2 security keys are preferable to SMS or phone-call codes, especially for privileged accounts. Altogether, individuals who repeatedly use company technology to engage in inappropriate behaviors or fail to uphold account security measures should have their user privileges limited or revoked.
- Network safeguards — When organizations’ networks lack sufficient access restrictions and are closely interconnected, it is easier for insider threats to reach systems beyond their own and cause more widespread operational disruption and damage amid insider events. That’s where network segmentation and segregation come into play. Network segmentation refers to dividing larger networks into smaller segments (also called subnetworks) using VLANs, routers and firewall rules, which permits organizations to monitor and control the flow of traffic between these segments. Such segmentation may also improve network performance and help organizations localize technical issues and security threats. Network segregation entails isolating crucial networks (i.e., those containing sensitive data and resources) from external networks, such as the internet, and from general-purpose internal networks. Such segregation allows organizations to apply additional security protocols and access restrictions within their most critical networks, making it more difficult for insider threats to move laterally into them.
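To make the RBAC, mover-review and dormant-account points above concrete, here is an added example (not code from this guide or from any vendor product) that audits a constructed account inventory against a role-to-permission map and an HR roster. The roles, permissions, accounts, the 90-day dormancy window and the separation-of-duties pair are all assumptions made for the demonstration; in practice the inventory would come from the identity provider and the roster from HR.

```python
"""Least-privilege / RBAC audit over a constructed account inventory.

Added example, not from the original guide. The role map, account records,
90-day dormancy window and the separation-of-duties pair are assumptions.
"""
from datetime import date

# Role -> permissions that role is supposed to carry (constructed).
ROLE_PERMISSIONS = {
    "engineer":   {"repo:read", "repo:write", "ci:run"},
    "finance":    {"ledger:read", "ledger:write"},
    "approver":   {"ledger:read", "payments:approve"},
    "contractor": {"repo:read"},
}

# Permission pairs one identity should never hold together (constructed).
SEPARATION_OF_DUTIES = [("ledger:write", "payments:approve")]

DORMANT_AFTER_DAYS = 90  # assumption: no login for 90 days means dormant

# People still employed or under contract according to HR (constructed).
ROSTER = {"alice", "bob", "carol", "vendor-acme"}

# Identity-provider export (constructed). 'owner' is the human responsible.
ACCOUNTS = [
    {"id": "alice", "role": "engineer", "owner": "alice", "enabled": True,
     "granted": {"repo:read", "repo:write", "ci:run"}, "last_login": date(2024, 3, 1)},
    # privilege drift: kept a finance permission after moving to engineering
    {"id": "bob", "role": "engineer", "owner": "bob", "enabled": True,
     "granted": {"repo:read", "repo:write", "ci:run", "ledger:write"}, "last_login": date(2024, 2, 27)},
    # separation-of-duties violation: can both post and approve payments
    {"id": "carol", "role": "finance", "owner": "carol", "enabled": True,
     "granted": {"ledger:read", "ledger:write", "payments:approve"}, "last_login": date(2024, 3, 2)},
    # former employee whose account was never disabled
    {"id": "dave", "role": "engineer", "owner": "dave", "enabled": True,
     "granted": {"repo:read", "repo:write"}, "last_login": date(2023, 10, 5)},
    # supplier account that has gone quiet
    {"id": "vendor-acme", "role": "contractor", "owner": "vendor-acme", "enabled": True,
     "granted": {"repo:read"}, "last_login": date(2023, 11, 20)},
    # service account whose owner has left: orphaned
    {"id": "svc-backup", "role": "engineer", "owner": "dave", "enabled": True,
     "granted": {"repo:read"}, "last_login": date(2024, 3, 3)},
]


def audit_accounts(accounts, roles, roster, today):
    """Return sorted (account_id, finding) pairs for enabled accounts.

    Findings: owner-departed (the user left), orphaned (a service account
    whose owner left), dormant, excess-privilege:<perms beyond the role>,
    and separation-of-duties:<pair>.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        expected = roles.get(acct["role"], set())
        if acct["owner"] not in roster:
            kind = "orphaned" if acct["id"] != acct["owner"] else "owner-departed"
            findings.append((acct["id"], kind))
        if (today - acct["last_login"]).days > DORMANT_AFTER_DAYS:
            findings.append((acct["id"], "dormant"))
        extra = acct["granted"] - expected
        if extra:
            findings.append((acct["id"], "excess-privilege:" + ",".join(sorted(extra))))
        for first, second in SEPARATION_OF_DUTIES:
            if first in acct["granted"] and second in acct["granted"]:
                findings.append((acct["id"], f"separation-of-duties:{first}+{second}"))
    return sorted(findings)


def run_audit(today=date(2024, 3, 4)):
    """Run the audit over the constructed inventory as of the given date."""
    return audit_accounts(ACCOUNTS, ROLE_PERMISSIONS, ROSTER, today)


if __name__ == "__main__":
    for account_id, finding in run_audit():
        print(f"{account_id}: {finding}")
```

Each finding maps to a concrete action: disable departed and orphaned accounts, re-validate dormant ones with their owners before re-enabling, strip excess permissions back to the role, and split separation-of-duties conflicts across two identities. Running this on a schedule is the automated form of the access recertification described above.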
Utilize Threat Monitoring and Detection Solutions
With adequate threat monitoring and detection solutions in place, organizations can better identify unusual and potentially harmful activities throughout their networks, systems and technology, thus allowing them to respond as quickly as possible amid insider events and limit associated losses. Here are some solutions for companies to consider:
- Employee observations — If organizations properly educate their employees on types of insider threats and key signs of such threats—namely, personal and behavioral indicators—these workers’ observations can help play a significant role in threat monitoring and detection. For example, an employee may take note of a co-worker suddenly withdrawing from social interactions, voicing dissatisfaction with their job tasks and working extended hours, all of which pose insider threat risks. The employee can then share these observations with a supervisor, allowing for further investigation and prompt remediation of the possible insider threat. It’s best for organizations to establish reporting policies that clearly outline methods and avenues for sharing observations of potential insider threats to ensure timely detection. Furthermore, organizations should communicate the importance of staying vigilant against insider threats and foster an open dialogue surrounding cybersecurity exposures, ultimately empowering employees to come forward when issues arise.
- User and entity behavior analytics (UEBA) — Through UEBA, companies use statistical and machine learning models to establish patterns and identify abnormalities in user and system behavior across their IT infrastructure. In other words, these models observe network activity and system operations to learn what is considered “business as usual” for each user, device and service account, then flag departures from that baseline, potentially catching insider threats at the earliest stages and giving organizations the ability to respond accordingly. For instance, UEBA may detect sudden changes in login patterns (new locations, odd hours) or unusually large data downloads or email attachments, permitting the organization to trace these actions to specific users and investigate before an insider event occurs. In general, organizations should feed logs from any system that holds sensitive data or assets into UEBA, and should expect to tune thresholds, since a baseline-deviation model will raise false positives for legitimate but unusual work.
- Endpoint detection and response (EDR) solutions — EDR solutions continuously collect and analyze security telemetry from an organization’s endpoints in order to better detect and respond to insider events, particularly those involving malware. They provide visibility into security incidents occurring on endpoints—such as smartphones, desktop computers, laptops, servers, tablets and any other devices that communicate with the networks to which they are connected—to help contain damage and reduce the likelihood of repeat attacks. Specifically, EDR solutions offer threat detection, investigation and response capabilities—including incident data search and triage, suspicious activity validation, threat hunting, and malicious activity detection and containment (e.g., isolating a host from the network)—by constantly analyzing events from endpoints to identify suspicious behaviors. Further, these solutions provide continuous visibility into what is happening in real time by recording activities and events on all endpoints and workloads. Upon receiving alerts regarding possible insider threats, organizations and their IT departments can then uncover, investigate and remediate related issues.
- Email authentication technology — This technology checks incoming email against verification standards that the sending domain publishes in DNS. The three standards in common use are Sender Policy Framework (SPF), which lets a domain list the servers and IP addresses authorized to send mail on its behalf; DomainKeys Identified Mail (DKIM), which verifies a cryptographic signature on the message; and Domain-based Message Authentication, Reporting and Conformance (DMARC), which ties SPF and DKIM results to the visible From: domain and tells receivers what to do with messages that fail (deliver, quarantine or reject). Messages that pass are delivered to employees’ inboxes; messages that fail are flagged, routed to a spam or quarantine folder or blocked, depending on the sender’s published policy and the receiver’s own configuration. Email authentication is particularly useful in the case of negligent employees, keeping spoofed social engineering and phishing messages out of these individuals’ inboxes and reducing the risk of them causing insider events. It does not, however, stop mail sent from a look-alike domain or from a legitimate account that has itself been compromised, so it complements rather than replaces user training.
- Patch management plans — Patch management refers to the process of acquiring and applying software updates, called patches, at various endpoints. Patches modify operating systems and software (e.g., antivirus solutions, malware protection programs and firewalls) to enhance security, fix bugs and improve performance. They are created by vendors and address key vulnerabilities that cybercriminals may target, including those used during insider events. The patch management process can be carried out by organizations’ IT departments, automated tools or a combination of both. Steps in the patch management process include identifying IT assets and their locations, assessing critical systems and vulnerabilities, testing and applying patches, tracking progress and maintaining records of such progress. As it pertains to limiting their insider threat exposures, businesses should be sure to establish patch management plans that include frameworks for prioritizing, testing and deploying software updates.
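The technical indicators and UEBA passages above both come down to the same mechanism: learn a per-user baseline from history, then flag later activity that departs from it. The following added example (not code from this guide or from any UEBA product) shows that logic over a constructed audit log. It learns each user’s typical daily transfer volume, login countries and active hours from their first days of activity, then reports new countries, off-hours activity and daily volumes more than three standard deviations above the baseline. The log format, the users, the four-day baseline window, the 07:00-19:59 working hours and the z-score threshold are all assumptions; a real deployment would learn from weeks of data and forward findings to a SIEM.

```python
"""Baseline-and-deviation detection over constructed audit-log lines.

Added example, not code from the guide. The log format, users, baseline
window, working hours and threshold are all assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BASELINE_DAYS = 4          # first N active days per user form the baseline (assumption)
Z_THRESHOLD = 3.0          # daily volume more than 3 sigma above baseline is flagged
WORK_HOURS = range(7, 20)  # 07:00-19:59 treated as normal hours (assumption)

# Constructed sample log: timestamp,user,event,bytes,country
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice,login,0,US
2024-03-04T09:40:00,alice,download,1200000,US
2024-03-05T10:05:00,alice,login,0,US
2024-03-05T11:20:00,alice,download,900000,US
2024-03-06T08:55:00,alice,login,0,US
2024-03-06T14:10:00,alice,download,1500000,US
2024-03-07T09:30:00,alice,login,0,US
2024-03-07T16:45:00,alice,download,1100000,US
2024-03-08T02:17:00,alice,login,0,RO
2024-03-08T02:40:00,alice,download,48000000,RO
2024-03-04T09:00:00,bob,login,0,US
2024-03-04T09:30:00,bob,download,200000,US
2024-03-05T09:05:00,bob,login,0,US
2024-03-05T10:00:00,bob,download,250000,US
2024-03-06T09:10:00,bob,login,0,US
2024-03-06T15:00:00,bob,download,180000,US
2024-03-07T09:20:00,bob,login,0,US
2024-03-07T11:30:00,bob,download,220000,US
2024-03-08T09:15:00,bob,login,0,US
2024-03-08T13:00:00,bob,download,240000,US
"""


def parse_log(text):
    """Turn the CSV-style lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, nbytes, country = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "bytes": int(nbytes), "country": country})
    return events


def build_baselines(events):
    """Per user: baseline days, daily-volume mean/stdev, countries and hours seen."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    baselines = {}
    for user, evs in by_user.items():
        daily = defaultdict(int)
        for e in evs:
            daily[e["ts"].date()] += e["bytes"]
        base_days = set(sorted(daily)[:BASELINE_DAYS])
        volumes = [daily[d] for d in base_days]
        base_evs = [e for e in evs if e["ts"].date() in base_days]
        baselines[user] = {
            "days": base_days,
            "mean": mean(volumes),
            "stdev": pstdev(volumes),
            "countries": {e["country"] for e in base_evs},
            "hours": {e["ts"].hour for e in base_evs},
        }
    return baselines


def detect_anomalies(events, baselines):
    """Return {user: sorted list of 'YYYY-MM-DD reason'} for post-baseline deviations."""
    findings = defaultdict(set)
    post_daily = defaultdict(int)
    for e in events:
        b = baselines[e["user"]]
        day = e["ts"].date()
        if day in b["days"]:
            continue  # the baseline period is trusted by construction
        post_daily[(e["user"], day)] += e["bytes"]
        if e["country"] not in b["countries"]:
            findings[e["user"]].add(f"{day} new country {e['country']}")
        if e["ts"].hour not in WORK_HOURS and e["ts"].hour not in b["hours"]:
            findings[e["user"]].add(f"{day} off-hours activity at {e['ts'].hour:02d}:00")
    for (user, day), total in post_daily.items():
        b = baselines[user]
        # floor the spread so a near-constant baseline cannot yield absurd z-scores
        spread = max(b["stdev"], 0.1 * b["mean"], 1.0)
        z = (total - b["mean"]) / spread
        if z > Z_THRESHOLD:
            findings[user].add(f"{day} daily volume {total} bytes, z={z:.1f}")
    return {u: sorted(r) for u, r in findings.items()}


def run_detection(text=SAMPLE_LOG):
    """Parse, baseline and detect in one call; returns the findings dict."""
    events = parse_log(text)
    return detect_anomalies(events, build_baselines(events))


if __name__ == "__main__":
    for user, reasons in run_detection().items():
        for reason in reasons:
            print(f"{user}: {reason}")
```

On the constructed log, bob’s steady activity produces no findings, while alice’s final day is flagged three times (new country, 02:00 activity and a transfer roughly forty times her baseline). The three signals together are far stronger evidence than any one alone, which is why real UEBA products score and correlate indicators per user rather than alerting on each in isolation.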
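To show what the SPF and DMARC checks described above actually do, here is an added example (not code from this guide or from any mail product) that evaluates a connecting IP against a domain’s SPF record and then applies the domain’s DMARC policy to reach a deliver, quarantine or reject decision. Nothing is resolved over the network: ZONE and DMARC_ZONE are in-memory stand-ins for DNS TXT lookups, every domain, address and policy is constructed, only the ip4, ip6, include and all mechanisms are modelled, and DKIM and identifier alignment are left out as simplifications.

```python
"""Minimal SPF and DMARC evaluation against constructed DNS data.

Added example, not code from the guide. Nothing is resolved over the
network: ZONE and DMARC_ZONE are in-memory stand-ins for DNS TXT lookups,
and every domain, address and policy below is constructed.
"""
import ipaddress

ZONE = {
    "example.com":      "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "weak.example":     "v=spf1 ip4:203.0.113.0/24 +all",  # '+all' authorizes the whole internet
    "soft.example":     "v=spf1 ip4:203.0.113.0/24 ~all",
}
DMARC_ZONE = {
    "example.com":  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "soft.example": "v=DMARC1; p=none",
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, zone=ZONE, depth=0):
    """Evaluate the ip4/ip6/include/all terms of an SPF record for the connecting IP.

    Returns pass, fail, softfail, neutral, none or permerror. Other mechanisms
    (a, mx, exists, redirect=) are not modelled in this example.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying terms; also guards include loops
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == network.version and ip in network
        elif term.startswith("include:"):
            matched = check_spf(term[len("include:"):], sender_ip, zone, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def dmarc_policy(domain, dmarc_zone=DMARC_ZONE):
    """Return the p= disposition (none/quarantine/reject) or None if no record."""
    record = dmarc_zone.get(domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p")


def inbound_decision(from_domain, sender_ip, zone=ZONE, dmarc_zone=DMARC_ZONE):
    """Combine the SPF result with the From: domain's DMARC policy.

    Simplification: the SPF identity is assumed aligned with the From: domain
    and DKIM is not evaluated, so an SPF pass alone is treated as DMARC pass.
    """
    spf = check_spf(from_domain, sender_ip, zone)
    if spf == "pass":
        return "deliver"
    policy = dmarc_policy(from_domain, dmarc_zone)
    if policy == "reject":
        return "reject"
    if policy == "quarantine" or spf in ("fail", "softfail"):
        return "quarantine"  # no strong policy: receiver's own choice (assumption here)
    return "deliver"


if __name__ == "__main__":
    for domain, ip in [("example.com", "203.0.113.5"), ("example.com", "192.0.2.1"),
                       ("weak.example", "192.0.2.1"), ("soft.example", "192.0.2.1")]:
        print(domain, ip, check_spf(domain, ip), inbound_decision(domain, ip))
```

The weak.example record is the kind of misconfiguration to look for in your own zone: a trailing +all makes SPF pass for any sender, and a DMARC policy of p=none reports failures without acting on them, so neither protects employees from spoofed mail.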
Safeguard Sensitive Data
Because confidential company information is commonly targeted during insider events, organizations need to ensure sufficient data safeguards. By keeping sensitive data secure, businesses can make it increasingly difficult for cybercriminals to access this information and use it against them amid insider events. When adopting data safeguards, businesses should first review their organizational information and divide it into distinct categories based on overall sensitivity and level of importance. For example, an organization might classify corporate financial data and employees’ or customers’ PII as its most sensitive information. In contrast, data that is already public (e.g., material published in public archives) would be deemed significantly less sensitive.
Upon categorizing their data, organizations can implement varying types of safeguards, with the most sensitive information receiving the greatest protective measures. Potential data safeguards for companies to consider include:
- Data backups — Routinely backing up critical data in separate locations can help organizations maintain access to this information even when insider threats attempt to steal, damage or compromise the original copies. To start, companies should determine safe locations to store their critical data, whether it’s within cloud-based applications, on-site hard drives or external data centers. Then, organizations should establish concrete schedules for backing up this information and outline data recovery procedures to follow to ensure swift restoration amid possible insider events.
- Data encryption — Encryption refers to the process of converting files, records or other information into a scrambled or encoded format, thus rendering the data unreadable to anyone who lacks the key. The only way to unscramble or decode encrypted data and return it to its original format is by using a highly confidential security code, also known as an encryption key. Such a key is only provided to a small number of trusted employees. By leveraging data encryption, organizations can limit the risk of insider threats exploiting critical company information, even if these individuals find a way to gain access to the locations in which such data is stored. It’s paramount for organizations to keep their most sensitive data encrypted at all times—both at rest and in transit—as insider threats can strike at any time.
Have a Plan
If an insider event is suspected or detected, businesses need to have dedicated cyber incident response plans in place that outline steps to ensure timely remediation and keep damages to a minimum. These response plans should address a variety of possible attack scenarios and be communicated to all applicable parties. Both the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have resources available to help businesses create such plans. At a glance, a solid response plan should outline the following:
- Who is part of the cyber incident response team (e.g., company executives, IT specialists, legal experts, media professionals and HR leaders)
- What roles and responsibilities each member of the response team must uphold during an incident
- What the company’s key functions are, and how these operations will continue throughout an incident
- How critical workplace decisions will be made during an incident
- When and how stakeholders and the public (if necessary) should be informed of an incident
- Which federal, state and local regulations the company must follow when responding to an incident (e.g., reporting protocols)
- When and how the company should seek assistance from additional parties to help recover from an incident (e.g., law enforcement and insurance professionals)
- How an incident will be investigated, and what forensic activities will be leveraged to identify the cause and prevent future incidents
It’s not enough for businesses to simply create cyber incident response plans. Rather, they should routinely assess these plans for ongoing security gaps and make changes as needed to ensure maximum protection against insider threats.
Common assessment techniques include the following:
- Penetration testing — Such testing consists of an IT professional mimicking the actions of a cybercriminal to determine whether an organization’s workplace technology possesses any vulnerabilities and is able to withstand attack efforts. This testing usually targets a specific type of workplace technology and may leverage various attack vectors.
- Tabletop exercises — A tabletop exercise is an activity that allows an organization to simulate a realistic cyberattack scenario for the purpose of testing the efficiency of its incident response plan. In other words, this exercise serves as a cyberattack drill, giving participants (typically members of the incident response team) the opportunity to practice responding to an attack.
Prioritize Continuous Improvement
Since insider threats can shift and evolve, organizations’ associated mitigation measures should follow suit. That is, businesses should be sure to regularly assess their insider threat prevention and response policies and procedures and make improvements whenever necessary, such as when risks change (e.g., upon hiring new employees, entering new contracts with third-party collaborators, making operational adjustments, storing additional data, acquiring more company assets or implementing new workplace technology) or after insider events occur.
As it pertains to making updates to company policies and procedures following insider events, it’s important for businesses to conduct post-incident analyses. In particular, these analyses should focus on where events originated; how they were detected (as well as how quickly such detection occurred); how effective incident response plans were in handling these events; and the different technical, operational and financial impacts of such events. Depending on an event’s origin and the overall damages, it may also be worthwhile to evaluate whether employee training (or lack thereof), software vulnerabilities or data encryption and backup failures played a role in the incident.
Based on the results of these post-incident analyses, organizations should point out their cybersecurity weaknesses and make an effort to fill possible gaps with bolstered defenses. Doing so is critical to help prevent future insider events and minimize associated damages. Necessary adjustments may include modifying cyber incident response plans, enhancing employee training, updating or introducing new software, improving data backup and encryption protocols, and implementing stricter security policies.
Legal and Compliance Considerations
Although having effective insider threat mitigation measures in place is vital for any organization, there are several legal and compliance considerations to keep in mind. Specifically, companies should ensure their mitigation strategies meet the data collection, processing and breach response requirements outlined within all applicable state, federal and international privacy laws. Key examples of such legislation include the following:
- The Fair Credit Reporting Act (FCRA)—Under the FCRA, organizations must meet certain standards when ordering third parties to perform background checks or similar screening reports on job applicants or current employees. Considering this federal legislation, companies should collaborate with their HR departments to ensure that the tactics they leverage amid their hiring processes to identify possible insider threats (e.g., searching for background or personal indicators through screening reports) comply with FCRA requirements. This means that organizations must provide individuals with a written, standalone disclosure (i.e., separate from other job-related documentation) that is concise, confirms all third-party screening reports will be conducted solely for employment purposes and outlines the particular types of information being reviewed (e.g., criminal or work history). From there, companies must obtain these individuals’ written consent before moving forward with any background checks. In addition to this federal law, organizations should be aware that some local and state regulations provide further employment screening requirements.
- The Health Insurance Portability and Accountability Act (HIPAA)—This federal law establishes standards for organizations regarding individuals’ protected health information (PHI), including their names, contact details, Social Security numbers and medical records. According to guidance issued by the Department of Health and Human Services’ Office for Civil Rights and the Federal Trade Commission, exposing individuals’ PHI to third parties without their knowledge or permission is a HIPAA violation. With this in mind, it’s imperative for companies that collect customers’ or employees’ PHI to ensure their insider threat mitigation policies—namely, their data safeguards—include storing this information in secure locations, out of the hands of third-party collaborators. For example, keeping this information on a company server or application that suppliers have access to could leave it exposed and, subsequently, prompt a HIPAA violation. HIPAA compliance is particularly important for businesses that are more likely to collect PHI, such as health care organizations.
- The California Consumer Privacy Act (CCPA)—This legislation applies to all for-profit organizations that have gross annual revenues exceeding $25 million and collect, purchase, process or sell PII from more than 100,000 Californian residents—including that of customers and employees—regardless of where these companies’ operations are located. The CCPA requires organizations to disclose their data collection and processing practices to affected individuals, allow individuals to opt out of having their PII sold to or shared with additional parties, and comply with individuals’ requests to access their data or have it deleted. From an insider threat mitigation perspective, the implications of this legislation are twofold. First, organizations subject to the CCPA should ensure that any data collection, processing, storage and disposal protocols they have in place for customers’ PII are compliant with the law’s requirements. Second, these companies should clearly communicate all insider threat monitoring and detection measures (e.g., UEBA and EDR solutions) to their employees, thus maintaining a culture of transparency while also finding an appropriate balance between security and staff privacy. Without such communication, employees may mistakenly assume their PII and other sensitive data are being unsafely or even illegally collected, processed and stored via UEBA and EDR solutions. For instance, an employee may be concerned that, in the process of monitoring their network interactions, such solutions collected confidential information that the worker entered into an online form.
Nevertheless, organizations and their HR departments can minimize these concerns by educating employees on what types of activities and data UEBA and EDR solutions are monitoring and why; making it clear that company networks, systems, technology and accounts are the items being monitored as opposed to individuals themselves; and emphasizing that none of the information gathered can be used against staff or have adverse impacts on their employment unless it provides evidence of a breach in company rules or the law. These points should be communicated in multiple formats and made easily digestible. Further, organizations should designate specific individuals as point people for employees to consult with any questions regarding insider threat monitoring and detection measures and CCPA compliance.
- The General Data Protection Regulation (GDPR)—This international legislation applies to businesses that offer goods and services to or collect, purchase, process and sell sensitive data from individuals living in the European Union, regardless of these companies’ physical locations. The GDPR carries similar requirements to the CCPA, with the primary difference being that individuals must explicitly opt into having their private information sold to or shared with additional parties rather than opt out. As a result, organizations subject to the GDPR should follow largely the same protocols as those subject to the CCPA, with the exception that customers and employees must opt into having their data disclosed to other parties before this information is sold or shared. Additionally, the GDPR requires these companies to follow certain steps in response to data breaches, including those stemming from insider threats. These steps include notifying the proper authorities within 72 hours of discovering a breach, carefully investigating the event and taking proper disciplinary action against any employee(s) found responsible for deliberately causing the incident. Accordingly, such requirements should be reflected within organizations’ cyber incident response plans.
Altogether, companies can help ensure their insider threat mitigation measures remain compliant with applicable legislation by routinely reviewing these five data protection principles:
- Are all data monitoring protocols fair, lawful and transparent?
- Is all personal data collected for a specific purpose?
- Is sensitive data kept properly protected and secured at all times?
- Are reasonable steps taken to correct or delete any inaccurate data?
- Is data safely disposed of when it’s no longer needed or necessary?
Moreover, organizations should remember that legal and compliance requirements may differ between industries and jurisdictions. As such, it’s best for companies to consult trusted legal counsel to determine their particular compliance needs.
Conclusion
Insider threats have become a pressing concern for all organizations, regardless of size or industry. With these incidents on the rise, businesses simply can’t afford to ignore their insider threat exposures. Nonetheless, by implementing effective mitigation measures, businesses can not only limit their likelihood of experiencing insider events but also reduce possible losses when incidents arise.
Above all, organizations should take note that they don’t have to navigate and address their insider threat exposures alone. Instead, they can seek assistance and supplement their existing resources with guidance from a wide range of trusted external parties, including insurance professionals, legal counsel, cybersecurity firms, law enforcement and government agencies (e.g., CISA and NIST).
Further, it’s crucial for organizations to purchase adequate cyber insurance to secure ample financial protection against potential losses that may arise from insider threats. Businesses should consult trusted insurance professionals to discuss their specific coverage needs. For more information, contact Wells Insurance today.
This Risk Insights is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2023 Zywave, Inc. All rights reserved. Used with permission.