Three Areas of Focus for Your Insider Threat Program During the COVID-19 Crisis

by | May 18, 2020 | Blog

Security teams are settling in to the “new normal” of remote work as the COVID-19 crisis nears its third month here in the U.S. As many teams have discovered, among the myriad of logistical issues of a remote workforce is the increased risk insiders can cause cybersecurity incidents, even if mostly unintentionally. For many companies, the combination of required changes to network access policies and the human element of uncertainty around layoffs, furloughs, and salary reductions has created a need to quickly re-think the priority placed on insiders.

Despite this reality, however, Michael Rohrs of Control Risks Group urges companies to make more with their existing people and technology, rather than trying to “boil the ocean” at a time when most security teams are already overworked dealing with the crisis.

Here are three priorities to focus on to manage insider risk during the crisis:

Focus on High-Risk Scenarios:

Whether you have a mature insider threat program or no program at all, it is important to focus efforts at a time of confusion on what matters most. Understand and define which users have access to your critical assets. For some companies, this might be an engineering team working on cutting edge intellectual property. For others, it might be the accounts payable team that is trying to pay vendors with a new remote-work vetting process in place. Once you know what matters most to you, you can accept that other risks are simply second priority to ensure the existential ones don’t get ignored.

Don’t Forget the Human Element:

Especially in a time of crisis, it is important to remember insider risk is derived from humans acting on emotions and the stresses they face. The junior employee who never got all the way through security onboarding training and is now juggling new workflows, a new work environment, and family responsibilities all at the exact same time is probably not out to harm the company, but are they remembering to follow proper security protocols?

Rohrs suggests establishing, or reinforcing, an anonymous reporting channel for employees to report concerning behavior or security lapses. The junior employee’s colleagues may be better positioned than your tech stack to alert your security team to a major mis-step like saving sensitive company files to a personal laptop to expedite workflow, so take advantage of this resource.

Rely on History:

Although the work environment has changed, ultimately what matters most to your company and the behaviors that lead to insider-derived loss are likely similar. While evaluating the most important risks to focus on, draw on the lessons of previous insider issues.

Has your company always had a problem with intellectual property walking out the door when employees depart? If so, focusing on monitoring employees that have been notified of pending furloughs or layoffs may be a top priority that leads to quick loss prevention success.

In sum, everyone is already working harder, so companies are unlikely to be able to simply dedicate more time and internal resources to the increased insider threat problem. Working smartly to make the most of what you’ve got, and closing visibility gaps over time with outside help if needed, should enable resilience throughout the crisis.