While the reported $40 billion of insider threat losses for the US economy seem scary, many companies consider insider threats to be more like a ‘black swan’ event – highly visible, but extremely rare, abstract, and too hard-to-predict in order for it to constitute a real threat. But it is the gray areas companies should be wary of.
In previous posts of this series, we described how companies are affected by malicious insider incidents, and what impact and cost these incidents might cause. Most think of highly publicized whistleblower cases such as Edward Snowden and Bradley Manning. Overall, these seem like natural disasters (e.g., earth quakes), you can take some precautions, but then you just hope it will not happen to you … and if it does, it will be disastrous (and you just have to accept it).
In addition, I often hear arguments from small and medium sized companies that they do not feel exposed to the insider threat because:
- The insider threat is considered to be more a problem for government agencies, and most often their top-secret activities.
- Their company assets that could be stolen are of limited size and value, so a large-scale theft and leak is less likely to happen. And if it does, it will not have that big of an impact.
- They know their employees well and have basic security measures in place to further reduce any remaining risks.
These arguments are backed by recent numbers of the average financial impact of insider threat cases for US companies. Only 3 percent of companies report the cost for an insider threat case to be over $1 million or more, and 70 percent of financial losses are estimated to be less than $50,000 per case. If the majority of cases are rather inexpensive to most companies, and the huge ones are rare and unpredictable, should we really care and act upon the insider threat inside companies?
Beware of the gray area
Obviously, the average impact of insider threat cases does not tell anything about their overall frequency. Even if an average case is less than $50,000 in cost, when these low-profile cases happen on a daily basis, the cumulative loss will be very significant for most companies. And this says nothing for reputation lost, which is difficult to measure. As we have seen in previous posts of this series, the threat landscape broadens and diversifies with new BYOD policies, reduced and changing employee loyalty to employers, and higher employee churn rates create a large gray area of threats that include unintentional misbehaviors, violation of policies, and minor thefts.
Each of these “gray area” cases might not be that malicious or significant, but they become very costly in aggregate. There are more and more of these “small” cases that pass under the radar and even become a commonly accepted behavior pattern.
We have seen that more than 60 percent of job quitters steal confidential company data, but more importantly, a recent Symantec study reveals that 42 percent of employees worldwide think that employees should have ownership in their work and inventions. This initiates a feeling by soon to be former employees that when they leave they should be free to take their “own” work with them, without remorse or investigation.
Even worse, 59 percent of employees in the United States tech industry believe that a software developer should have the right to re-use the source code that he or she created for another company when changing jobs. Using cloud services and BYOD policies in today’s work environments, it has become very easy for employees to implement this idea of ownership.
So how should company behavior change towards the insider threat?
Besides a strict reinforcement of non-disclosure agreements regarding company intellectual property (IP), employees need to be educated that taking confidential information with them when changing jobs is wrong. Employee awareness and training is thus critical to change employee attitude and ethos.
More importantly, the company leadership must show a clear commitment to the implementation of this ethos. One cannot remind employees of non-disclosures of company IP, and then silently or even willingly accept new employees bringing in valuable IP and other information from their prior employers.
Another aspect is a better implementation of monitoring technology to track company IP and assets in the company network. Where do company IP and assets reside? Are there data protection policies in place? If theft were to happen, is there enough of an audit trail available for forensic analysis and ultimately litigation? A consequent and efficient investigation of any type of IP theft is essential for protection and deterrence of future threat cases.
Finally, to stay ahead of the rising curve of “gray area” insider threat incidents, one needs to go beyond the simple monitoring for forensics and litigation and anticipate the actual threat itself. One way is to actively detect behavior indicators that might lead to such threats.
This not only includes watching for the actual patterns of an ongoing theft, such as accesses, downloads and uploads of company IP, but also tracking indicators for employee satisfaction and overall risks for attrition and thus the associated theft of IP. The prediction of attrition is challenging, but research has shown that it is possible and companies like HP are implementing first programs in that direction.