INSIDER THREATS: C-SUITE EXECUTIVES AND FORMER EMPLOYEES
The COVID-19 pandemic forced several lessons onto American businesses, one of which is to make cybersecurity a top priority in terms of technology, policies, and administration. However, cybersecurity is not merely a defensive measure against outside threats; it must also address insider threats.
Insider threats are often as dangerous as, if not more dangerous than, third-party bad actors. Two of the greatest insider threats are C-suite executives and former or soon-to-be-former employees (collectively, former employees).
C-suite executives traditionally undervalue cybersecurity, a mindset reflected in the following acts and omissions:
Failing to hire a Chief Information Security Officer (CISO) and Chief Technology Officer (CTO).
Failing to provide funding to replace equipment or outdated software.
Exhibiting poor cyber hygiene despite being high-value targets: using free Wi-Fi in public places (coffee shops, airports), allowing family members to use company equipment, failing to check for and install updates, saving important materials to the local desktop where they are neither backed up nor access-controlled, and using weak or reused passwords.
Failing to learn threat indicators for the market sector.
Viewing security protocols as inconvenient and an impediment to professional efficiency.
Potential explanations for these follies range from executives' limited understanding of the complexity of cybersecurity threats to a false sense of security about the organization's current posture. Furthermore, many executives like to promote from within to boost morale, keep valuable talent, and retain legacy knowledge in high-level internal positions. While valuable, this practice sometimes extends to the CISO and CTO positions. Chief security officer positions cannot be rewards for legacy, time-in-grade, or loyalty; they require active recruiting and vetting.
The most direct remedy is to educate C-suite executives on the importance of cybersecurity through the numbers. According to the Ponemon Institute's 2019 Cost of a Data Breach Report:
“In the United States, the average cost of a data breach increased from $7.91 million in 2018 to $8.19 million in 2019 which is the highest cost globally when compared to other regions.”
“Lost business was the biggest contributor to data breach costs. The loss of customer trust had serious financial consequences for the companies studied, and lost business was the largest of four major cost categories that contributed to the total cost of a data breach. The average cost of lost business for organizations in the 2019 study was $1.42 million, which represents 36 percent of the total average cost of $3.92 million. The study found that breaches caused abnormal customer turnover of 3.9 percent in 2019. Whereas organizations that lost less than one percent of their customers due to a data breach experienced an average total cost of $2.8 million, organizations with customer turnover of 4 percent or more averaged a total cost of $5.7 million – 45 percent greater than the average total cost of a data breach.”
The second category, former employees, includes employees who have left and those about to leave, by choice or otherwise. These employees threaten networks in the following ways:
Often, these employees retain full network access through and after their last day of work: because of an internal communications failure, IT is never told to deprovision the accounts, so it does not.
Employee accounts are not monitored, so the business has no record of what the employee did during their final days, or during their tenure, and cannot determine whether any malicious actions were taken.
Employees who know they are about to be terminated, or who are about to quit, are less likely to follow security protocols.
Employee usernames and passwords, especially for third-party accounts the business relies on or requires, are not collected or changed before the employee's departure.
The dangers created by former employees range from intellectual property theft to the continued purchase of materials or goods through company accounts, both made possible by the failure to deprovision access. They also include wanton disregard for anti-phishing protocols, which may result in a malware or ransomware infection.
Solutions to consider are:
Establishing a communication protocol, triggered by every termination or resignation, for collecting usernames and passwords, rotating any shared or third-party credentials the employee knew, and deprovisioning accounts.
Implementing employee monitoring software and retaining counsel to ensure proper employment agreements and equipment-use policies are in place.
Reviewing current and former employee network activity on a rotating but automated schedule to find abnormal activity.
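The checks above can be automated. The following Python script is an added example, not code from the original article or from any particular product: it cross-checks a list of separated employees against a directory snapshot and authentication log lines, and reports accounts still enabled after the last day of work, activity on those accounts after the last day, and third-party credentials that must be rotated. Every dataset in it (SEPARATIONS, DIRECTORY, THIRD_PARTY, AUTH_LOG) and the log line format are constructed for illustration and are not a real HR or identity-provider export.

```python
"""Offboarding audit for separated employees (added example).

Cross-checks an HR separation list against a directory snapshot and
authentication log lines to find (1) accounts still enabled after the
employee's last day, (2) activity on those accounts after the last day,
and (3) third-party credentials the leaver held that must be rotated.
All data below is constructed; the formats are assumptions, not a real
HR or identity-provider export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed HR feed: username -> last day of work.
SEPARATIONS = {
    "jdoe": datetime(2024, 3, 15, tzinfo=UTC),
    "asmith": datetime(2024, 3, 29, tzinfo=UTC),
}

# Constructed directory snapshot: username -> account still enabled?
DIRECTORY = {"jdoe": True, "asmith": False, "bwong": True}

# Constructed inventory of third-party logins each user holds.
THIRD_PARTY = {
    "jdoe": ["supplier-portal", "cloud-billing"],
    "asmith": ["payroll-vendor"],
    "bwong": ["supplier-portal"],
}

# Constructed auth log, one event per line:
# "<ISO-8601 UTC timestamp> <user> <event> <source>"
AUTH_LOG = """\
2024-03-14T09:02:11Z jdoe LOGIN_OK vpn
2024-03-16T22:41:03Z jdoe LOGIN_OK vpn
2024-03-18T03:05:40Z jdoe FILE_DOWNLOAD fileserver
2024-03-28T08:00:00Z asmith LOGIN_OK laptop
2024-03-30T10:00:00Z asmith LOGIN_FAIL vpn
2024-03-30T10:10:00Z bwong LOGIN_OK vpn
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    source: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
        events.append(Event(ts, parts[1], parts[2], parts[3]))
    return events


def cutoff(last_day: datetime) -> datetime:
    """Access should end at midnight after the last day of work."""
    return last_day + timedelta(days=1)


def orphaned_accounts(separations, directory, now):
    """Separated users whose account is still enabled once the cutoff has passed."""
    return sorted(
        user for user, last_day in separations.items()
        if directory.get(user, False) and now >= cutoff(last_day)
    )


def post_separation_activity(separations, events):
    """Every log event by a leaver at or after the cutoff, in log order.

    Failed logins are deliberately kept: a LOGIN_FAIL on a disabled account
    shows the old credentials are still being tried and is worth a look."""
    return [
        e for e in events
        if e.user in separations and e.ts >= cutoff(separations[e.user])
    ]


def credentials_to_rotate(separations, third_party):
    """Third-party services whose credentials each leaver held."""
    return {user: sorted(third_party.get(user, [])) for user in separations}


if __name__ == "__main__":
    now = datetime(2024, 4, 1, tzinfo=UTC)
    print("still enabled:", orphaned_accounts(SEPARATIONS, DIRECTORY, now))
    for e in post_separation_activity(SEPARATIONS, parse_log(AUTH_LOG)):
        print(f"after last day: {e.ts.isoformat()} {e.user} {e.action} via {e.source}")
    print("rotate:", credentials_to_rotate(SEPARATIONS, THIRD_PARTY))
```

Run against the constructed data, the script reports that jdoe's account was never disabled, that jdoe logged in and downloaded files after the last day, and that a login was attempted with asmith's credentials after that account was disabled. In practice the three inputs would come from the HR system, the identity provider, and the authentication log source on the schedule the last bullet describes.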
For more information, please reach out at Sarah@alexandersides.com.