Corporate insider threats are increasing in both frequency and financial impact, according to industry studies, reinforcing the importance of a robust Insider Threat Program. Insiders pose a unique threat as they are given privileged access to the company’s assets and are trusted to use that access responsibly and ethically. However, this can go awry in several ways, from unintentional, negligent acts to intentional, malicious acts. For example, an employee’s negligence when sending records to a business partner may result in an unauthorized public leak of customer data, or a disgruntled contractor may sell proprietary information to a competitor.
The number of insider threat incidents affecting companies rose by approximately 44 percent from 2020 to 2022, and the average annualized cost for a company to resolve insider threats over a twelve-month period increased to $15.38 million in 2022.
Source: Ponemon Institute’s 2022 Cost of Insider Threats Global Report
A comprehensive Insider Threat Program works to prevent, detect, and respond to incidents. When evaluating your corporate Insider Threat Program, consider these three risks that it may be overlooking:
- Threats from Business Partners and Vendors
The term “insiders” does not refer only to employees but to anyone who has access to the company’s assets. This may include various people and companies, such as contractors, vendors, business partners, suppliers, and others who have access to the company’s systems, processes, and/or inventory. These third parties may be given access similar to that of employees but are often not subject to the same controls, security training, and other protections in place for employees. If your insider threat program does not take all of these players into consideration, there may be critical gaps in its ability to prevent, detect, and respond to suspicious events.
- Negligence by both employees and contractors was the most frequent cause of insider incidents between 2020 and 2022, according to the Ponemon Institute.
- Monitoring Concerns Identified in the Hiring Process
Most companies have some form of pre-employment screening or background check for candidates before they are hired. This screening may include a criminal records search, a credit check, contacting previous employers, and similar steps. The hiring team may identify concerns about a candidate but ultimately decide to hire them; these concerns may not disqualify the candidate from the position or be relevant to job performance, but they may be pertinent to the candidate’s insider risk. In these cases, the hiring team must communicate any relevant concerns raised during the screening process to the Insider Threat Program so that it can monitor for suspicious activity once the candidate is onboarded.
- Access to and use of this screening information must stay within the relevant legal parameters and be handled in a way that protects employee privacy.
For example, if pre-employment screening identifies multiple bankruptcies in a candidate’s credit report, this may not be relevant to the candidate’s ability to perform their job duties. However, they may be vulnerable to targeted recruitment by a competitor offering to pay them for proprietary information once they become an employee with access to the company’s internal databases. If the hiring team shares this information with the Insider Threat Program, steps can be taken to mitigate this risk throughout their employment.
- Incomplete Assessment of the Assets Being Protected
An insider threat program is designed to protect the company’s assets. Therefore, the first step in establishing a comprehensive program is to determine the critical assets held by the company. These may include physical inventory, intellectual property, systems/databases, customer data, institutional knowledge, and other assets. Companies often prioritize the protection of digital access to proprietary information while failing to fully protect access to and accountability for physical assets (hardware, equipment, printed materials, etc.), or corporate credit cards and spending authority. A comprehensive Insider Threat Program includes protection of all types of key assets.
As a recent example, a former administrator for the Yale University School of Medicine admitted to stealing more than $40 million from the school between 2013 and 2021 by purchasing equipment for the school and then reselling it for personal gain. Jamie Petrone-Codrington was authorized to make purchases as part of her role, so she repeatedly ordered high volumes of computers and other hardware, transferred them to a reseller, then directed the profits into a personal account. Petrone-Codrington avoided detection for years by keeping each order below the threshold that required additional approval; a per-order approval limit with no review of a requester’s aggregate spending over time is exactly the gap this kind of structuring exploits. Her activity was first flagged as suspicious in 2020 by a colleague who noticed the high volume of purchases. According to media reporting, she admitted to the Federal Bureau of Investigation (FBI) that approximately 90 percent of her computer-related purchases were fraudulent.
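The pattern in the Yale case, many orders each kept just under a single-purchase approval limit, is detectable from purchasing or corporate-card records if the program looks at aggregate spending per requester rather than at each order in isolation. The following is an added example written for this page, not code from Red Five or from the Yale case. It assumes a hypothetical $10,000 approval threshold (the article does not state the actual figure), a constructed ledger in a simple CSV layout, and tunable parameters for what counts as "near threshold", how long the observation window is, and how many such orders trigger an alert.

```python
"""Flag requesters whose purchases cluster just below an approval threshold.

Added example. The ledger format, the threshold value and the tuning
parameters below are all assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

APPROVAL_THRESHOLD = 10_000.00  # assumed per-order limit above which a second approver is required
NEAR_BAND = 0.80                # orders at >= 80% of the limit (but below it) count as "near threshold"
WINDOW_DAYS = 30                # look for clustering within this many days
MIN_NEAR_ORDERS = 3             # this many near-threshold orders in one window raises an alert

# Constructed sample ledger: order_id,requester,date,amount_usd,description
SAMPLE_LEDGER = """\
# order_id,requester,date,amount_usd,description   (constructed sample data)
PO-1001,j.doe,2020-01-06,9850.00,12x laptop model A
PO-1002,j.doe,2020-01-13,9920.00,10x tablet model B
PO-1003,a.lee,2020-01-14,1200.00,conference room display
PO-1004,j.doe,2020-01-21,9700.00,8x workstation model C
PO-1005,a.lee,2020-01-28,15500.00,server chassis (went through second approval)
PO-1006,j.doe,2020-01-29,9990.00,12x laptop model A
PO-1007,a.lee,2020-02-10,9600.00,network switch
PO-1008,j.doe,2020-03-15,9800.00,10x tablet model B
"""


@dataclass(frozen=True)
class Purchase:
    order_id: str
    requester: str
    order_date: date
    amount: float
    description: str


def parse_purchases(lines):
    """Parse ledger lines; blank lines and '#' comments are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        order_id, requester, day, amount, desc = [f.strip() for f in line.split(",", 4)]
        records.append(Purchase(order_id, requester, date.fromisoformat(day), float(amount), desc))
    return records


def detect_structuring(purchases, threshold=APPROVAL_THRESHOLD, band=NEAR_BAND,
                       window_days=WINDOW_DAYS, min_orders=MIN_NEAR_ORDERS):
    """Return {requester: alert} for requesters with >= min_orders near-threshold
    orders inside any window of window_days. Orders at or above the threshold are
    ignored here because they already passed through the second approver."""
    near_by_requester = defaultdict(list)
    for p in purchases:
        if threshold * band <= p.amount < threshold:
            near_by_requester[p.requester].append(p)

    alerts = {}
    for requester, near in near_by_requester.items():
        near.sort(key=lambda p: p.order_date)
        best = []
        # For each near-threshold order, collect the others within the window after it
        # and keep the densest window seen for this requester.
        for i, first in enumerate(near):
            window = [p for p in near[i:] if (p.order_date - first.order_date).days <= window_days]
            if len(window) > len(best):
                best = window
        if len(best) >= min_orders:
            total = sum(p.amount for p in best)
            alerts[requester] = {
                "near_threshold_orders": len(best),
                "window_start": best[0].order_date,
                "window_end": best[-1].order_date,
                "window_total": round(total, 2),
                # How many times over the single-order limit the aggregate is:
                # the spend that never reached the second approver.
                "multiple_of_threshold": round(total / threshold, 2),
                "order_ids": [p.order_id for p in best],
            }
    return alerts


def run_sample():
    """Run the detector over the constructed ledger."""
    return detect_structuring(parse_purchases(SAMPLE_LEDGER.splitlines()))


if __name__ == "__main__":
    for requester, alert in run_sample().items():
        print(f"ALERT {requester}: {alert['near_threshold_orders']} orders just under the limit "
              f"between {alert['window_start']} and {alert['window_end']}, "
              f"total ${alert['window_total']:,.2f} ({alert['multiple_of_threshold']}x the limit)")
```

On the constructed data only j.doe is flagged: four orders between 80 and 100 percent of the limit inside a 30-day window, totalling $39,460 that never reached a second approver, while a.lee's single near-threshold order and the one order that went through approval do not trigger. The band, window and count are the knobs to tune against a real ledger; start permissive, review the alerts, and tighten from there.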
Like any other business process, an effective Insider Threat Program requires ongoing maintenance to evolve as the company grows and changes. Act now before the worst happens: review, test, and improve your Insider Threat Program to safeguard against intentional and unintentional insider threats. Red Five can work with you to ensure your company is prepared to comprehensively prevent, detect, and respond to a variety of risks.