Views on news
HP’s Out of Sight and Out of Mind report found that 45% of those surveyed had bought IT equipment to support home working over the past year with 68% of them saying that security wasn’t as big a consideration as other factors such as price or functionality when purchasing. About half reported that the laptops and printers they bought weren’t checked or installed by the company’s IT.
With productivity overriding all other considerations, and shadow IT having become an accepted, albeit grey, area of procurement, employees often grab unsanctioned and unapproved software and thus expose the organisation to attack. But as we come to grips with the pandemic and people increasingly return to the office, this tendency to circumvent procurement procedures, along with other bad habits employees developed while working from home (e.g., leaving their laptops open and unlocked), needs to be brought to an end.
New approaches to insider risk
There are several new approaches to managing insider risk. One is what Brian referred to in the Talk as a “concierge approach”: you identify your top 10-20 riskiest executives and provide additional security controls for them, explaining why these are necessary. For example, the system will allow them to use their personal email, but they won’t be able to upload or download attachments to or from it.
It’s useful to distinguish between the various types of insider threat (negligent, compromised and malicious users) and address the risks each poses accordingly. There are some typical scenarios that can trigger a deliberate insider threat, ranging from unfair treatment by a manager to workplace romances to money offered for the breach. Organisations may choose not to use the terms Zero Trust and monitoring in their policy, as this may undermine trust between management and employees.
A better approach can be to empower your staff to look after their own data. But management should never forget that IT controls are just one aspect of tackling insider threats; people and processes are equally important.
The panel’s advice
Establish what your company’s approach to insider threat is: whether you go down the surveillance path (not legally viable in the EU), where you monitor your employees covertly, or you choose to notify them of your monitoring activity.
Before launching a monitoring scheme, define the specific insider risk-related concerns you have, as well as why you are setting up a programme. Involve all business unit leads in creating the framework, as they will have a better understanding of the motivational factors of the employees working in their departments. We tend to focus on just one risk aspect of the approaching “great resignation” (employees leaving the organisation in droves), but you shouldn’t forget about another threat: during Covid, businesses swapped a lot of their suppliers and third parties.
You need to be aware of what sort of data your new partners bring into your network and how they are addressing the risks pertinent to your operation. https://www.proofpoint.com/uk/resources/e-books/top-10-biggest-and-boldest-insider-threats