Most of our clients believe the greatest threats to their organizations come from outside sources, but the fact is, most disruptions are caused by internal factors. Fortunately, several strategies and techniques are available to protect your business from homegrown risks.
Related on MHA Consulting: The Risk Management Process: Manage Uncertainty, Then Repeat
Beyond the Big Bad Wolf
The stereotypical business continuity threat resembles the big bad wolf: a large predator that attacks from the outside, whether in the form of a cyberattack, a hurricane, or something equally exotic. However, experience shows that most disruptions originate in the actions (or inaction) of people inside the organization.
For this reason, it is critical that efforts to assess and mediate threats look at and address internal risks. The good news is, internal threats are much more within the organization’s control, so managing down these dangers can bring easy wins.
What is an insider threat?
An insider threat is a security risk that originates from within the targeted organization. This could be anyone from current or former employees, contractors, or business associates who have inside information concerning the organization's security practices, data, and computer systems. The threat they pose can be deliberate or accidental and can lead to unauthorized access, misuse, destruction, or compromise of the organization’s assets, data, and capabilities.
Intentional and Unintentional Insider Threats
In looking at the internal threats to organizations, it’s worth bearing in mind that these can be divided into two types: intentional and unintentional. Intentional threats, where people deliberately set out to harm the company, can be motivated by money, blackmail, ideology, or resentment, among other factors. These scenarios may sound like the stuff of Hollywood movies, but they do occur and are worth guarding against.
Fortunately, the vast majority of employees want to do the right thing. In addition, the strategies recommended to guard against accidental threats are also effective in protecting against malicious ones.
Unintentional threats come in all shapes and sizes. They include (among many others) employees who unwittingly click on links admitting malware, employees who get tricked into revealing their login information, staff or executives whose misconduct brings on reputational damage, lax physical security practices (such as when employees badge in people who lack valid IDs), and deficient IT change management (the cause of last month’s massive CrowdStrike outage.)
Strategies to Counter Insider Threats
Protecting the organization against insider threats starts with assessing where individuals have the potential to cause significant damage to the organization, whether intentionally or inadvertently. Areas to look at include high-impact job roles, disgruntled employees, individuals with access to sensitive or critical information, those in positions where human error could lead to significant disruptions, and employees undergoing significant personal or professional stress.
In addition, consider whether outside contractors have sensitive access and if so what controls and monitoring apply and whether any staff members are the sole possessors of key knowledge or skills, creating a potential single point of failure.
The next step is to implement the policies, procedures, and training needed to mediate the identified risks. Effective steps can include the following:
- Segregation of duties. By dividing the phases of a sensitive task among multiple employees, the organization can limit the damage that can be caused by one person’s mistake or malfeasance.
- IT change management. Rigorous, strictly enforced IT change management policies can go a long way toward preventing technology errors.
- Social media policy. Companies should be proactive in devising and internally publicizing policies on employees’ use of social media.
- Internet hygiene. To reduce their vulnerability to phishing and related attacks, organizations need to mount vigorous employee education campaigns and enforce consequences for repeat promiscuous clicking.
These are a few of the strategies organizations can use to reduce their vulnerability to internal threats, whether intentional or accidental. Whatever techniques are employed, a key to success is a commitment to ongoing review and continuous improvement. The measures that were sufficient three years ago might be inadequate today.
Assess and Remediate to Achieve Resilience
In today’s environment, external threats get most of the attention but internal ones cause most of the damage. Whether intentional or inadvertent, insider threats can be effectively addressed through a process of assessment and remediation.
By implementing strategies such as segregation of duties, rigorous change management, and pro-active internet hygiene, companies can go a long way toward reducing their
vulnerability to internal threats. A commitment to ongoing review and improvement can further reduce their exposure and heighten their resilience.
Further Reading
The Risk Management Process: Manage Uncertainty, Then Repeat
Single Points of Failure: Protecting Yourself from Hanging by a Thread
