November 10, 2020
Companies today face greater insider (staff) risk than ever before: nearly half of the US labor force now works from home full time, and employees use many kinds of tools to do their jobs. In this new era of remote work and online collaboration, applications such as Microsoft Teams have accelerated productivity, but they have also made internal data risk unavoidable. The key for organizations will be to embrace positive technological and workflow changes while also managing insider risk, rather than simply blocking data movement and imposing security measures that impede business, such as overly frequent mandatory password changes or refusing to let useful new applications be installed on company computers.
While insider threats include everything from workplace violence to employee criminal behavior, insider risk in this context refers to the ways in which data exposure can harm a company and its stakeholders. Insider risk is currently a far lower priority for information technology (IT) departments than external threats: only a small fraction of security budgets goes to protecting unstructured data, monitoring end-user activity, and keeping up with workforce culture changes such as the use of both personal and corporate accounts to complete tasks. Employees expose data in different and unavoidable ways, and because the degree of risk varies and the business must keep moving quickly despite remote work, the most effective way to manage this pervasive and often unintentional exposure is to prioritize detection and response. In short, data protection will need to evolve from data loss prevention to data risk management.
At every company, employees' views differ about which data is most significant and deserves the greatest protection. Staff may attribute different levels of sensitivity and value to data depending on the department they work in, their age, their personal background, and other factors. Many employees today also feel a sense of personal ownership over their work, believing that ideas and projects belong to them as well as to the corporation, which in turn affects how they prioritize the security of that data. Finally, an employee may take data from one employer to the next when switching jobs, creating a host of issues for both the old and the new company.
Among the primary paths for data exposure in the remote work environment are cloud collaboration and file-sharing tools, along with messaging and social media platforms, all of which exist in both corporate and personal versions. Tools such as Microsoft OneDrive, Google Drive, Dropbox, personal email, and even Zoom may be sanctioned by IT departments, but that does not stop employees from working around company security policies by using personal accounts for convenience or expediency. Although many companies have strict policies on external devices such as USB drives, removable media remain a top way for employees to move and share information.
The behavior of employees in this new era also affects the risk of data exposure. Remote workers spend more time online each day, which increases exposure, and they handle corporate data more often at off-hours such as weekends, early mornings, and late nights. Separately, access rights may not yet have been adjusted to the remote working environment, leaving staff able to view or modify data they did not create or contribute to. Furthermore, reduced managerial oversight under remote work could embolden some employees to store company data they believe is theirs in unsafe ways.
Even as the new corporate culture is built around remote work and collaboration, a majority of data breaches involve company insiders rather than external actors, according to a Dentons database of global threats to law firms and lawyers. And, as discussed above, the list of potential insider risks to data is long.
Corporate IT departments can diligently assess insider risk exposure and monitor endpoints and networks for signals such as archive (zip) file creation and large-volume file activity. IT teams should prioritize investigation of high-risk activity such as uploads to Dropbox or file movement to USB thumb drives. They should also look closely at abnormal activity by contractors and employees, including activity at unusual times (weekends and early or late hours), syncs to personal iCloud accounts, and sudden departures. Some of these risks can be managed by revoking or adjusting access rights to applications, data, systems, or networks; others will have to be investigated and mitigated swiftly, as appropriate. In this new era it will be important to prioritize monitoring of the most dangerous data exposure gaps so as not to overwhelm IT staff while still reducing growing insider risk.
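As an added example (not from the article or from Dentons), the following Python script applies those prioritization rules to a handful of constructed endpoint file-activity events: it flags archive creation, bulk file movement per user per hour, copies to removable media, syncs to personal cloud accounts, off-hours activity, contractor status, and recent or imminent departure, then orders users into an investigation queue. The event records, user names, thresholds and scoring weights are all assumptions chosen for illustration.

```python
"""Triage insider-risk signals from endpoint file-activity events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Destinations the article singles out for priority investigation.
REMOVABLE_MEDIA = {"usb"}
PERSONAL_CLOUD = {"dropbox.com", "icloud.com", "drive.google.com"}
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".tar.gz")

# Assumed weights and thresholds: a higher total means investigate sooner.
WEIGHTS = {
    "removable_media": 4, "personal_cloud": 4, "archive_created": 2,
    "bulk_activity": 3, "departing": 3, "off_hours": 1, "contractor": 1,
}
BULK_FILE_THRESHOLD = 50          # file events per user per hour
BULK_BYTES_THRESHOLD = 1 << 30    # bytes moved per user per hour (1 GiB)
DEPARTURE_WINDOW = timedelta(days=14)

def is_off_hours(ts: datetime) -> bool:
    """Weekends, or before 06:00 / from 21:00 local time, count as off-hours."""
    return ts.weekday() >= 5 or ts.hour < 6 or ts.hour >= 21

def score_events(events, contractors, departures, now):
    """Return {user: (score, sorted flag names)} for every user with a flag.
    events are dicts with keys ts, user, action, path, dest, bytes;
    departures maps user -> date the user gave notice or is due to leave."""
    flags = defaultdict(set)
    files_per_hour = defaultdict(int)
    bytes_per_hour = defaultdict(int)

    for ev in events:
        user, ts = ev["user"], ev["ts"]
        bucket = (user, ts.replace(minute=0, second=0, microsecond=0))
        files_per_hour[bucket] += 1
        bytes_per_hour[bucket] += ev.get("bytes", 0)
        if ev["dest"] in REMOVABLE_MEDIA:
            flags[user].add("removable_media")
        if ev["dest"] in PERSONAL_CLOUD:
            flags[user].add("personal_cloud")
        if ev["action"] == "create" and ev["path"].lower().endswith(ARCHIVE_SUFFIXES):
            flags[user].add("archive_created")
        if is_off_hours(ts):
            flags[user].add("off_hours")

    # Volume rules are evaluated per user per hour, not per event.
    for bucket, n in files_per_hour.items():
        if n >= BULK_FILE_THRESHOLD or bytes_per_hour[bucket] >= BULK_BYTES_THRESHOLD:
            flags[bucket[0]].add("bulk_activity")

    # Context that raises priority: contractor status, recent or imminent departure.
    for user in list(flags):
        if user in contractors:
            flags[user].add("contractor")
        leaving = departures.get(user)
        if leaving is not None and abs(leaving - now) <= DEPARTURE_WINDOW:
            flags[user].add("departing")

    return {u: (sum(WEIGHTS[f] for f in fs), sorted(fs)) for u, fs in flags.items()}

def triage(events, contractors, departures, now):
    """The investigation queue: (user, (score, flags)) ordered by descending score."""
    scored = score_events(events, contractors, departures, now)
    return sorted(scored.items(), key=lambda kv: (-kv[1][0], kv[0]))

def sample_events():
    """Constructed telemetry for three users (invented for this example, not real data)."""
    sat_night = datetime(2020, 11, 7, 23, 10)   # Saturday, off-hours
    mon_morn = datetime(2020, 11, 9, 10, 0)     # Monday, business hours
    ev = [
        # alice zips a client folder late on Saturday and copies it to a USB drive
        {"ts": sat_night, "user": "alice", "action": "create",
         "path": "C:/Projects/clientdata.zip", "dest": "local", "bytes": 800_000_000},
        {"ts": sat_night + timedelta(minutes=5), "user": "alice", "action": "copy",
         "path": "C:/Projects/clientdata.zip", "dest": "usb", "bytes": 800_000_000},
        # carol edits one shared spreadsheet: routine work that should not be flagged
        {"ts": mon_morn, "user": "carol", "action": "modify",
         "path": "//fileserver/shared/budget.xlsx", "dest": "local", "bytes": 120_000},
    ]
    # bob syncs 60 documents to a personal iCloud account within half an hour
    ev += [{"ts": mon_morn + timedelta(seconds=30 * i), "user": "bob", "action": "sync",
            "path": f"C:/Users/bob/Documents/memo{i}.docx", "dest": "icloud.com",
            "bytes": 40_000} for i in range(60)]
    return ev

def demo():
    """Run the triage over the sample data; alice is a contractor, bob has given notice."""
    return triage(sample_events(), contractors={"alice"},
                  departures={"bob": datetime(2020, 11, 20)}, now=datetime(2020, 11, 10))

if __name__ == "__main__":
    for user, (score, reasons) in demo():
        print(f"{user}: score {score}, flags {', '.join(reasons)}")
```

Running the script places alice (a contractor who zipped a client folder on a Saturday night and copied it to USB) ahead of bob (60 documents synced to a personal iCloud account ten days before his departure date), while carol's routine edit produces no flag at all. In practice the thresholds would be tuned to each department's baseline, and a hit would open an investigation rather than trigger an automatic block, in keeping with the article's preference for detection and response over blanket restrictions.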
Where does the board fit in? Corporate boards can take several actions to help their organizations protect against insider risk, including hiring independent security experts to assess potential threats and explaining to stakeholders that insider risk is more than a security challenge, since it threatens other areas of the company through lost intellectual property, leaked client data, and more. Companies would do well to cover insider threat issues in annual security training for all employees. Boards might also discuss with IT and legal departments whether it would be beneficial to remind staff that IT systems are to be used for work purposes only, and to display subtle notices that computer usage is actively monitored, as a means of discouraging misuse. Finally, directors themselves can make sure they are up to date on security training and that they, too, follow the data security policies set for the employees and contractors of the companies they serve. If leadership on insider risk starts at the top, employees will understand that protecting corporate data is a priority.
Karl V. Hopkins is a partner and the global chief security officer at Dentons.
NACD: Tools and resources to help guide you in unpredictable times.