Insider Threats and your Company: What you Need to Know to Protect your Workplace

You never think it will happen to you. But then it does. A rogue employee. A competitor. A disgruntled ex-staff member, or a vendor gone wild. A security breach could bring down your entire operation. Here’s how to protect yourself and what to do when your defences are down.


Policy and enforcement of protocols

Set expectations when employees are first hired. If you already run a company that’s fully-staffed, implement new protocols and reset expectations. Why? Because it’s fair, and because it will let employees know what to expect.

It’s kind of like going to an airport. You know what to expect before you go through security. There aren’t any surprises.

You must comply with screenings or face consequences (i.e. you don’t get to board the plane). A company that implements strict security policies and procedures can accomplish the same thing: you get a high level of compliance, and offenders can be punished according to preset rules and procedures.

Disciplinary action may be something as benign as limiting access to the network, or as severe as termination. For vendors who work in-house, contract staff, and other non-employee personnel, termination of contract status would (and probably should) be the first and last consequence.

Defence in depth

Companies that implement a “defence in depth” strategy are typically better protected than those who don’t. Defence in depth refers to an approach where there are layers of security. If one layer fails, another one is there to pick up the slack or catch what slipped through the first layer.

Companies such as Sec-Tec Ltd can perform penetration tests that check whether your defence layers are actually capable of defeating an internal attack, not just an external one.

While most employees are honest and hardworking, there are some who are out to “get revenge” or “make things fair” in their eyes – and they don’t wear striped black-and-white shirts with face paint.

Limit access to the server

One of the best defences against an insider threat is to limit access to the network and servers. Using physical locks and technical controls, a company can limit access to its data and resources. Access controls should be used to prevent employees and contractors from reaching places on the network that they do not need in order to perform their job duties.

In other words, companies should restrict access so that employees and contractors can only access data and files necessary for their specific work and duties.

Do background checks

Do background checks on all employees and contractors before they are allowed access to any part of the company’s network. Criminal background checks will help reduce the risk that you’re hiring a felon, but they may not completely weed out undesirables.

Still, it’s a good first start. You can supplement background checks using an extensive interview setup with open-ended questions. Open-ended questions tell you two things:

  1. They tell you important information about the content of the answer itself; and
  2. They can give you insights into the potential employee’s psychology.


For example, let’s say you’re considering a new employee. The background check came back clean, but you want to know about the employee’s previous employment. You ask: “Tell me about the last time you were let go from a job?”

This type of questioning is open-ended and assumptive. It assumes that the candidate was let go from a previous job. Most employees who answer this are implicitly acknowledging that they were fired from a job in the past. This, in and of itself, is not always an indictment of the employee, but it can be depending on the details of the termination.

Another question might be: “What would a past employer tell me about your work performance?”

This is not assumptive, but it is open-ended. It forces the candidate to think of an answer that is more than just “yes” or “no.” The depth of the answer, how it is phrased, and the details the candidate gives you will tell you more about how the candidate viewed his previous employer than about what that employer might actually have said.

Why is this important? Because it provides a framework for how a candidate might think of you months into his or her employment.

Does the employee think of himself as a victim? Is he a go-getter? Does he generally have a positive attitude about previous jobs? A negative attitude?

Even if you can never verify the accuracy of the answer, you can be fairly sure that an employee who complains about having to work long hours won’t fare well in your company when overtime is required. And requiring this employee to work overtime then becomes a risk factor for insider retaliation or sabotage.

Always use softer words as opposed to harsh phrasing in your questions – people tend to be more open about themselves and truthful when they feel as though they are not being judged. So, instead of using the word “stealing” or “theft,” use words like “borrowed without asking.” Instead of saying “fired” or “terminated,” use “let go” or even “left your job.”

Monitor network activity

Monitoring network activity is important because it tells you about habits and behaviours of your employees. If you see employees accessing data at odd times of the day, downloading an unusual amount of data, or transferring files out of the company’s safe network environment, this is a huge red flag.
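As an added illustration (not part of the original article), the three red flags named above can be turned into simple detection logic. The script below runs over a constructed sample access log; the log format, the working-hours window and the daily download threshold are assumptions for the example, and the file-server name “internal” is a placeholder.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from any real system). Fields:
# timestamp, user, action, bytes, destination. "internal" stands for
# the company's own file server; anything else is outside the safe network.
SAMPLE_LOG = """\
2024-03-04T09:15:00 alice read 2048 internal
2024-03-04T10:02:00 bob read 4096 internal
2024-03-04T02:40:00 bob download 734003200 internal
2024-03-04T02:55:00 bob upload 734003200 personal-cloud.example
2024-03-04T14:30:00 alice download 1048576 internal
"""

WORK_HOURS = range(8, 18)              # assumption: 08:00-17:59 is normal
DAILY_BYTES_LIMIT = 500 * 1024 * 1024  # assumption: >500 MiB/day is unusual


def parse(log_text):
    """Turn the constructed log lines into dictionaries."""
    events = []
    for line in log_text.splitlines():
        ts, user, action, nbytes, dest = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "bytes": int(nbytes), "dest": dest})
    return events


def find_red_flags(log_text):
    """Return (user, reason) tuples for the three signals the article names:
    odd-hour access, unusual download volume, and data leaving the network."""
    flags = []
    per_day = defaultdict(int)  # (user, date) -> bytes downloaded so far
    for ev in parse(log_text):
        if ev["ts"].hour not in WORK_HOURS:
            flags.append((ev["user"], f"off-hours access at {ev['ts'].isoformat()}"))
        if ev["action"] == "download":
            key = (ev["user"], ev["ts"].date())
            per_day[key] += ev["bytes"]
            if per_day[key] > DAILY_BYTES_LIMIT:
                flags.append((ev["user"], f"download volume {per_day[key]} bytes on {key[1]}"))
        if ev["action"] == "upload" and ev["dest"] != "internal":
            flags.append((ev["user"], f"outbound transfer to {ev['dest']}"))
    return flags


if __name__ == "__main__":
    for user, reason in find_red_flags(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

In the sample data only bob trips the rules; in practice the thresholds would be tuned per role, which is where the access-control work from the previous section pays off.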

Repeat training programs

It’s hard to get too much training on security and best practices. It might not always be the most interesting subject matter to your staff, but it will constantly remind them that the company or organization takes security seriously and that there are assets worth protecting.

A company should offer, and encourage, regular training on Acceptable Use Policies. It should be something that’s covered not just in the handbook, but in continuing education classes. Regular classes and workshops may also deter would-be insider threats from taking action, since they know that the company is specifically targeting those threats.