How to Quantify the Risk of an Insider Threat

Insider Risk

risk

Never before have there been so many platforms that let a growing number of people touch, manipulate, download, and share sensitive data.

But there’s a dark side to all that access: It exposes a company to malicious intent and theft of information worth thousands, sometimes millions, of dollars. More alarming is the fact that less than half (42 percent) of all organizations have the appropriate controls in place to prevent these attacks, according to the Insider Threat Spotlight Report.

How do you get a handle on this threat? Mitigation begins with assigning risk levels to employee roles. Who has access to sensitive information, intellectual property, trade secrets, customer lists, and any other proprietary data? That’s the foundation of your risk model. Many companies use a simple numerical scale of 1-10, with 10 as the highest risk. Others may prefer simpler categories like Low, Medium, and High or yellow, orange, and red alerts.

It turns out that nearly 80 percent of employee fraud takes place in accounting, operations, sales, senior management, customer service, and purchasing. But it’s critical to establish a risk profile for everyone in the company, no matter which department. Take into account employees’ current roles, levels of privilege, and required access to proprietary information. Senior IT people and C-Suite executives obviously have more privilege and access than mid-level managers and clerical workers. And, of course, the higher the risk in a potential disaster, the greater the need to monitor an employee’s activities.

Prepare to update the risk profile of an individual. Organizations are dynamic, and employees regularly make lateral moves or get promoted. Someone who doesn’t touch sensitive information in one role may very well have access and new privileges in a different assignment.

Employees’ personal lives change constantly, too. A traumatic event, like a death in the family or divorce, psychological problems, or a shift in financial circumstances for the worse—any of these can cause behavioral changes in people. And they all may require re-evaluation of an individual’s level of risk.

Once you’re committed to the process, we recommend taking the following steps:

  1. Create an insider-risk team. While IT and its security team may oversee the monitoring of user activity, the process really requires support from the most senior ranks, as well as other departments. Your legal department help can help decide how to monitor while complying with the law and act as a critical liaison between executives and the security group. Human resources can help support the need and processes for monitoring, as well document employee cases—and put a “human” face on the operation.
  2. Designate risk levels. This, of course, is what I’ve been discussing in this post all along: using job titles to assign a scale of risk, depending on levels of privilege and access.
  3. Pinpoint inappropriate conduct. Just because you’ve assigned someone a high-risk level doesn’t necessarily mean that he’s committing an offense. Conversely, an employee’s inappropriate behavior can sometimes be misread as performance of normal job-related tasks. That’s why it’s critical to develop ways to identify truly improper conduct through changes in an individual’s communication and behavior. You can do that through software that is known as user-behavior analytics and, less technically, by means of procedures your employees can follow to report troublesome behavior.
  4. Set up a system of insider monitoring. When you’re establishing a system to keep an eye on employee activity and behavior, it helps to decide what level of monitoring goes along with the different risks they may pose to your organization. For example, someone in a low-risk category probably can’t interact with sensitive information and therefore needs little more than the less-technical sort of monitoring suggested above. Medium-risk employees do have access to proprietary data and, so, may require monitoring additionally with user-behavior analytics. So, too, with those high-risk individuals who should probably be subject to the most active monitoring and review.

Quantifying risk is just the start of mitigating insider threats. But if you develop the initial baseline—starting with job title and access to privileged information—you can get a better handle on which employees you will have to monitor during such critical periods as hiring, job title and personal changes, and the high-risk exit period.

Article Provided By: Info-Security Magazine

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com

Cost of data breaches increasing to average of $3.8 million

data breaches

Data Breaches

The cost of data breaches is rising for companies around the world as sophisticated thieves target valuable financial and medical records, according to a study released on Wednesday.

The total average cost of a data breach is now $3.8 million, up from $3.5 million a year ago, according to a study by data security research organization Ponemon Institute, paid for by International Business Machines Corp.

The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. Business lost because customers are wary after a breach can be even greater, the study said.

Data breaches are becoming more common and significant, with high-profile attacks on Sony Corp, JPMorgan Chase and retailers Target Corp and Home Depot Inc in the past year and a half.

“Most of what’s occurring is through organized crime,” said Caleb Barlow, vice president of IBM Security. “These are well-funded groups. They work Monday to Friday. They are probably better funded and better staffed than a lot people who are trying to defend against them.”

IBM, which sells cyber-security services to companies, has a vested interest in highlighting the costs of data breaches.

The cost of a data breach is now $154 per record lost or stolen, up from $145 last year, according to the study, based on interviews with 350 companies from 11 major countries that had suffered a data breach.

The study’s authors said average costs did not apply to mega-breaches affecting millions of customers, such as those suffered by JPMorgan Chase, Target and Home Depot, which cost the companies far greater sums. Target alone said last year its breach cost $148 million.

The study found that the healthcare was most at risk for costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the average for all sectors of $154.

That reflects the relatively high value of a person’s medical records on the underground market, said IBM, as Social Security information is much more useful for identity theft than simple names, addresses or credit card numbers.

Article Provided By: Reuters

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com