As the person with the CIO job, one of the things that takes up a lot of your time is trying to keep the company’s valuable data and knowledge safe because you understand the importance of information technology. You try lots of different ways to make this happen: you install firewalls, you require everyone to change their passwords every 90 days, and you make sure that everyone has been trained about the dangers of phishing. However, in the end, it just might turn out that your greatest threat doesn’t come from the outside. Rather, the people who work for your company might be the ones that you have to guard against.
Know Your Threats
In a recent survey of cybersecurity executives at nearly 400 companies, 67% said they were concerned about malicious employees. That is less than the proportion who saw cybercriminals as a threat (88%), but more than those worried about so-called hacktivists and nation-state attackers (63% and 60%, respectively). The size of the business had an impact on the level of concern businesses showed for the insider threat. CIOs at companies with more than $1 billion in annual revenue were the most likely to take the insider threat seriously – 81% saw malicious employees as a serious threat, compared with 55% of businesses with revenue of less than $50 million.
The difference may be due to the greater level of trust CIOs place in the staff when they are more likely to know them personally. Results across industries also showed varying levels of concern for insiders. Government departments and retail organizations are the ones who are the most aware of the threat from insiders (83% and 82%, respectively), almost certainly a reflection of the personally identifiable information or financial data those organizations hold, and perhaps also suggestive of a lack of robust controls to prevent employees from accessing or stealing that data.
The data show financial-services organizations score the insider threat the lowest. Only six out of 10 such organizations consider insiders a threat. One explanation is that industry regulations have pushed financial-services firms to better restrict access to personal or financial data and to conduct more rigorous screening before bringing employees on board, reducing the likelihood of a damaging insider attack.
Dealing With The Inside Threat
As most CIOs know, not all organizations are well-prepared to counter the insider threat. Traditionally, CIOs have used pre-employment screening as the main way companies guard against insider attacks, particularly for jobs requiring a security clearance. Checking an employee’s references from previous employers may highlight concerns about an individual’s reliability or temperament, conducting criminal-record checks may show that an individual is unsuited to working with sensitive data, and credit checks may show a person’s financial vulnerability.
What CIOs have to realize is that screening is a point-in-time assessment, and once someone joins a company, he or she is rarely if ever checked again. Data from a government study found that 76% of inside attackers hadn’t joined the company with the intention of stealing data or sabotaging operations. Their decision to act maliciously came as a result of changes to the employee’s financial situation or ideology, because of a desire for recognition, a negative work experience, drug or alcohol dependency or even poor management. Only 6% of the 120 cases in the study were a result of deliberate infiltration, while the remainder were coerced by third parties to engage in an attack on the firm.
Unfortunately technology isn’t a silver bullet, but it certainly can bolster a company’s defenses against an insider attack. Artificial intelligence and behavioral analytics can be used to identify user actions that diverge from the norm, such as employees accessing the corporate network outside of their normal hours or trying to view restricted data, though alerts need careful investigation and false positives can be a problem. CIOs can ensure that effective management is used as a key to early detection of disgruntled employees, as is ensuring that employees only have permission to access the data they need to perform their role. Finding a balance between trusting employees and verifying they are performing within the bounds of information-security policies is a key part of any CIO’s cyber-risk management program. If you get it wrong then it can have devastating business consequences.
What All Of This Means For You
It is the job of the CIO to keep the company, its data, and its intellectual capital safe from outsiders who intend to do harm to the company. We do a fairly good job of keeping the bad guys out; however, it turns out that greater threat might just be coming from insiders. How is a CIO supposed to deal with a threat that looks like this?
The good news is that more and more CIOs are becoming aware of the threat that insiders may pose to their business. The larger the firm, the more the CIOs were taking the threat seriously. Financial services organizations view this type of threat as a low risk because they already have safeguards in place. Traditionally CIOs have used new employee screening to detect if they had any issues with an employee. What this misses is when something changes in an employee’s life and causes them to turn into a threat. Technology and effective management can provide CIOs with the tools that they need to deal with this type of threat.
At the end of the day, keeping a firm’s IT assets and data safe is a job that has been assigned to the CIO. We take the required steps to keep the bad guys out, but now it turns out that the bad guys just might be working for us. What this means is that CIOs need to implement systems and processes that will allow us to keep track of our employees and detect if they start to do anything out of the ordinary. We have the technology at our disposal to do this, now we just need to make the time to get this critical issue taken care of.
– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™
Question For You: How much monitoring of employees do you think that CIOs should do?
Click here to get automatic updates when The Accidental Successful CIO Blog is updated.
P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!
What We’ll Be Talking About Next Time
As all CIOs now realize: the world has changed. The Covid-19 pandemic changed everything for everyone. After having spent a year working from home, most companies have now once again opened their offices. However, not all of their workers have come back and in fact many of their workers don’t want to come back. This means that the office environment that we once knew where everyone clustered in a shared environment has now gone away forever. Say hello to the “hybrid environment”. How can CIOs make this new work environment work for everyone?