The previous articles elucidate the multifaceted nature of insider abuse – the reasons and factors are diverse, and have a ripple effect on an organisation’s infrastructure, culture, relationships and levels of trust. As a result, insider threat mitigation cannot be pinned down to one department; it cannot be the sole responsibility of information technology or information security or corporate security. Owing to the varying implicit and explicit perspectives of insider abuse, a mitigation program requires effective management that is disciplined and risk-based with a cross-functional approach.
First and foremost, employees need to be made aware of acceptable and unacceptable behaviour at the workplace. This can be achieved through guidelines, which can be communicated effectively through social media and personal emails. Furthermore, organisations can enforce baseline security measures; a sound mitigation programme can be developed by tailoring and mapping organisation-specific elements onto that baseline. Access to non-work-related websites should also be denied. But although innumerable regulations can be implemented, the essential “human” factor needs to be addressed first.
To this end, experts have time and again laid emphasis on ongoing screening, especially for positions that carry powerful privileges. More stringent vetting must be applied to those with access to sensitive information. Vetting at the point of joining establishes only a baseline of trust, because an individual’s circumstances, motivations, behaviour and attitude will change over time. Thus, the critical nature of vetting “aftercare” cannot be overstated. Effective screening and vetting are essential.
Staff must be monitored for changes in their role and personal circumstances, particularly security personnel with a high clearance level.
Aftercare duties and responsibilities must be understood and adhered to by both the individual concerned and their manager.
In addition to ongoing screening, the following proactive steps can be considered:
Risk assessment – the human threat is a combination of motivation, opportunity and capability. Although opportunity and capability can be deterred by technical and procedural measures, addressing motivation is more difficult and can require in-depth User Behaviour Analytics.
Education – security training and awareness, along with identification of abnormal employee behaviour. Integrating security insights into normal business behaviour through clearly stated policy and staff education can prove beneficial.
Behavioural change – keeping tabs on behavioural changes is paramount, and measuring actual behaviour is key to organisational development. Organisations should learn from security breaches and develop the behaviours and reactions required to respond to them. In such situations, negotiation with the employee is better than command and control.
Third parties – third parties are involved in every business and require education on a par with full-time employees. However, educating third parties in outsourced environments can be difficult.
Insider abuse cannot be eradicated, but it must be assessed and addressed. Successful mitigation involves ongoing screening and stellar personnel management. Periodic checks and reviews are the backbone of organisational trust. Moreover, technology cannot be considered in isolation for the purpose of threat mitigation; it needs to run in parallel with the changing environment and human factors. Keyword analysis and filtering can help catch leaks of sensitive information.