Insider Threats Continued – Your Own Employees Are Your Weakest Link

By Antonia Dumas, Associate at XPAN Law Group LLC

In a previous blog post, we discussed insider threats with a focus on a non-obvious threat, your third-party relationships, describing how an insider threat can be defined and the types of actors that can threaten the protection and privacy of your systems and your data. When discussing key threats to the privacy and security of your business, your own employees are truly your weakest link and your largest insider threat. Therefore, changing the attitudes of your employees regarding security and privacy is key to protecting your business.

Many businesses are becoming more aware of privacy and security concerns, including insider threats. In 2019, 68 percent of organizations reported that they felt moderately to extremely vulnerable to insider threats (Bitglass 2019 Insider Threat Report). However, in the same report, only 50 percent of organizations responded that they provided user training about insider threats. And in practice, even when organizations do provide some security training, it is often insufficient in addressing security policies and procedures and does not fully address privacy issues.

RECAP – What Are Insider Threats? (from previous post)

As a reminder, insider threats usually already know your network/systems or hold (or obtain) credentials to them. Focusing on your weakest link, your own employees, these actors may be malicious (intentional) actors (e.g., a disgruntled employee) or simply unintentional/accidental actors (e.g., a careless worker who ignores or is unaware of security/privacy requirements).

When I refer here to employees, I am referring to ALL employees: new hires, existing employees, independent contractors, management and administration, all the way up to the C-Suite and Board of Directors. Due to the nature of an independent contractor relationship, it is reasonable that a business may face limitations in imposing certain privacy and security policies and procedures. However, it is not reasonable to voluntarily leave independent contractors out of your privacy and security posture when you could include them to the extent possible. As with third-party relationships, a business may (and should) impose privacy and security requirements in connection with the contracted services, even though it may not be able to impose the same extent of requirements as it would on a direct employee.

Apart from independent contractors, all other employees should not only be aware of your business’ privacy and security posture, policies and procedures, but should also be trained and kept continuously aware so that inappropriate actions are avoided. In particular, businesses want to avoid actions by careless employees that can result in significant privacy and/or security threats. A careless employee (i.e., an unintentional actor) can be defined as an individual who misappropriates resources, breaks acceptable use policies, mishandles data, installs unauthorized applications, or, worst of all, uses unapproved workarounds to avoid following security and/or privacy policies and procedures. Because the actions of a careless employee are inappropriate rather than malicious, many of them fall outside the radar of IT and/or security teams, and therefore outside IT’s knowledge and IT’s ability to manage the consequences of those actions. For example, Verizon reported that 17% of insider threat incidents were due to simple error, including employees failing to shred confidential information, sending an email to the wrong person, or misconfiguring systems.


As reported by the FBI, among the top threats to businesses are Business E-mail Compromises (BECs) and E-Mail Account Compromises (EACs). BECs tend to target businesses that work with foreign suppliers and/or other businesses (i.e., third-party relationships), while EACs typically result from an email account being compromised through social engineering or computer intrusion techniques and then used to conduct unauthorized activities, such as unauthorized transfers of funds. The FBI reported that in 2018 it received 20,373 BEC/EAC complaints with adjusted losses of over $1.2 billion.

One of the most common and high-profile threats to employees is social engineering, such as phishing scams (e.g., the records of approximately 38,000 patients were exposed when employees of the healthcare company Legacy Health fell for a phishing attack). According to Verizon’s report, threat actions consist primarily of hacking and malware, but social engineering, error and misuse follow closely. Untrained or careless employees may fall victim to social engineering, or may become insider threats through their own actions, such as ignoring security practices (e.g., re-using passwords, using unsecured/public Wi-Fi, etc.) or simply remaining unaware of appropriate security measures due to a lack of training.

Data is Currency! So Protect It!

Your data is the value of your company and your brand, and therefore its currency. Mitigating risks to the IT assets (i.e., databases, file servers, cloud applications/infrastructure, endpoints, networks, business applications, mobile devices, etc.) that give access to, process or store your valuable data should be a priority. When dealing with insider threats (especially your employees), there is no silver bullet. However, businesses can conduct risk analyses, establish security and data privacy management plans, and use a variety of tools to mitigate risk.

On the one hand, businesses should be aware of the activities and behavior of all of their employees by logging, monitoring and reviewing employee access to networks/data (whether connected directly or remotely). Not only does XPAN encourage appropriate proactive measures to maintain visibility of systems and data processing, but proactive measures and security/privacy programs are now becoming a requirement through the FTC’s enforcement actions (see our earlier blog post). They are also becoming a requirement under domestic privacy regulations. For example, in Illinois, businesses are required to obtain proper consent when collecting or disclosing biometric data, and written releases may be required as a condition of employment. In New York: (i) the SHIELD Act imposes a duty on the business to monitor its systems and requires that an employee be designated to coordinate its security program (see Sec. 4); and (ii) the NYSDFS cybersecurity regulation requires the appointment of a CISO. In Vermont, data brokers must conduct regular monitoring to ensure that their data security program is operating effectively (see Sec. 2447).

On the other hand, businesses need to ensure that all employees are trained on security and privacy policies and procedures during initial onboarding and throughout their employment. This practice is fast becoming a requirement in domestic privacy regulations across the country. For example, Vermont’s data broker law requires ongoing employee training, including for temporary and contract employees. Likewise, the NYSDFS cybersecurity regulation requires regular cybersecurity awareness training for all employees that reflects the covered entity’s risk assessment.

Most importantly, general privacy and security awareness needs to be incorporated into your business culture. This is the only way to ensure that policies and procedures are appropriately followed and that there is immediate and effective communication with the relevant parties that are responsible for privacy and/or security within your business.  

It Is Important to Protect Your Business from Insider Threats

Since employees are truly the weakest link for a business facing potential privacy and/or security threats, you should establish and maintain policies, procedures and training to ensure a cohesive approach to maintaining the privacy and security of your business’ networks/systems and data (in particular, personal and healthcare data). XPAN assists its clients with establishing these policies, procedures and training programs, as well as a cohesive privacy and security program where possible. Further, for the strongest protection against and prevention of insider threats (including employees), companies should implement both technical and organizational measures to log, monitor and review: (i) ALL access to and use of ALL systems; and (ii) ALL access to, use of and storage of ALL data. But, most importantly, throughout the implementation of any policies, procedures or programs, continuing to create and maintain a corporate culture of privacy and security awareness will be the key to the strength of any privacy and/or security posture.
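To make the "log, monitor and review" recommendation above concrete, here is a small access-log review script. It is an added example for this post and is not XPAN's or any client's code. The log format, the user directory (business unit and whether the account is still active), the business-hours window and the bulk-transfer threshold are all assumptions, and the log lines themselves are constructed for illustration. The script flags the kinds of employee behaviour discussed in this post: an offboarded account that is still being used, access to data outside an employee's own business unit, access outside business hours, and unusually large transfers.

```python
"""Review employee access logs for insider-threat indicators.

Added example, not code from the original post. The log format, the
USERS directory, BUSINESS_HOURS and BULK_BYTES are assumptions chosen
for illustration; tune them to your own environment.
"""
from datetime import datetime

# Constructed sample log, one event per line:
# <ISO timestamp> <user> <business-unit>/<resource> <action> <bytes>
SAMPLE_LOG = """\
2019-06-03T09:12:04 alice  hr/payroll.db        read   2048
2019-06-03T09:40:11 alice  hr/payroll.db        read   1024
2019-06-03T10:02:55 bob    eng/source.git       read   4096
2019-06-03T22:47:30 bob    hr/payroll.db        read   900000
2019-06-04T02:15:00 carol  finance/ledger.xlsx  read   50000
2019-06-04T11:30:00 dave   eng/source.git       export 120000000
"""

# Assumed HR/IT directory: which unit each person belongs to and whether
# the account should still exist. carol has been offboarded, so any use of
# her account is a finding regardless of what she touches.
USERS = {
    "alice": {"unit": "hr", "active": True},
    "bob": {"unit": "eng", "active": True},
    "carol": {"unit": "finance", "active": False},
    "dave": {"unit": "eng", "active": True},
}

BUSINESS_HOURS = range(8, 19)      # 08:00 to 18:59 local time (assumption)
BULK_BYTES = 50 * 1024 * 1024      # 50 MiB in a single action (assumption)


def parse_log(text):
    """Parse the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, action, size = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "resource": resource,
            "unit": resource.split("/", 1)[0],   # owning business unit
            "action": action,
            "bytes": int(size),
        })
    return events


def review(events, users=USERS):
    """Return (user, reason, resource) findings for every suspicious event.

    One event can produce several findings, e.g. an after-hours read of
    another unit's data yields both an hours and a unit finding.
    """
    findings = []
    for e in events:
        u = users.get(e["user"])
        if u is None:
            findings.append((e["user"], "unknown account", e["resource"]))
            continue
        if not u["active"]:
            findings.append((e["user"], "access by deprovisioned account", e["resource"]))
        if e["unit"] != u["unit"]:
            findings.append((e["user"], "access outside own business unit", e["resource"]))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append((e["user"], "access outside business hours", e["resource"]))
        if e["bytes"] >= BULK_BYTES:
            findings.append((e["user"], "bulk transfer", e["resource"]))
    return findings


if __name__ == "__main__":
    for user, reason, resource in review(parse_log(SAMPLE_LOG)):
        print(f"{user:6} {reason:36} {resource}")
```

On the constructed log the script reports nothing for alice (HR staff reading HR data during the day), two findings for bob (an evening read of payroll data that belongs to another unit), two for carol (a deprovisioned account used overnight) and one for dave (a 120 MB export of source code). Each finding is a prompt for a human review, not proof of wrongdoing: the point is that careless or malicious behaviour only becomes visible when access is logged and someone actually looks at the result.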


Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.