Numerous indicators help you realize that your staff needs training to avoid unintentional insider threats. Insider threats are carried out by people within an organization and may be spoken, written, or electronic in nature, although lost devices have become a major concern. Ten years ago, losing a computer might have resulted in embarrassment for the employee and an insignificant replacement cost for the company. Today, more people work remotely, and companies permit their employees to bring personal devices to work and use personal cloud storage services. As more employees intermingle personal and corporate data on their portable devices, what was once an inconvenience can become a devastating security threat. According to research conducted by Trend Micro, 41 percent of data breaches result from lost devices, with losses from malware and hacking falling from previous levels.
Unintentional insider threats to the organization can have significant impacts:
- Loss of reputation, affecting enrolments
- Loss of confidential data, exposing the campus to fines and lawsuits
- Drop in grants, donations, and alumni involvement
- Loss of student, faculty, staff, and community trust
Phishing perpetrates many unintentional insider threats and has become a major problem recently. For example, if your employees respond to e-mails requesting monetary donations to the Nigerian Royal Family, they need security training.
To detect and appropriately handle a phishing e-mail, recipients should consider this advice:
- Do not click on suspicious links within an e-mail.
- Hover over the link in the e-mail to determine whether it leads to the expected path.
- Check grammar and spelling within e-mails.
- Check the e-mail header. Inspect manually, or use an e-mail header analyzer such as MX Toolbox.
- Examine the sender's e-mail address.
- Check the domain name (i.e., .com, .net).
- Verify the sender's e-mail address, as attackers may use a slight variation of a legitimate, known e-mail to send phishing messages.
- Do not automatically open or download attachments or images.
- Contact the sender to verify the authenticity of the e-mail if it seems suspicious.
Employees are not the only channel through which insider threats can occur. Rather, the actions of contractors, partners, external consultants, and third-party vendors can also put an organization at risk. Target, Boston Medical Center, and Goodwill were compromised through a breached third-party vendor. According to FlowTraq security expert Vincent Berk, "We constantly run into situations where outside service providers connected remotely have the keys to the castle."
You can teach employees to avoid unintentional insider threats by warning them that they are targets.
- Educate employees at all levels of the organization by providing them with information security training.
- Make sure your supply chain is secure by managing employee and third-party vendor access to your technology to ensure they do not misuse your information.
- Implement least-privilege access. Ensure that employees only access what they are authorized to, and establish secure user network restrictions and controls.
- Have employees report any activity they think is the least bit suspicious.
- Have a post-employment process for those who leave to ensure they do not become threats after leaving.
- Be transparent with all people involved internally and externally.
It is essential to raise awareness among employees about the impact of unintentional insider threats. As social engineering becomes more sophisticated, employees must be able to recognize and appropriately handle phishing attacks. Training your staff so they are aware of the threats around them will enable them to make good decisions. Your employees are your greatest asset and strongest security control. Educate them, and you reduce the incidents caused by unintentional insider threat.
Marcelle Drakes-Ruffin is a second-year graduate student completing a Master of Science in Information Security Policy and Management at Carnegie Mellon University, Heinz College. She has researched and written papers on the Internet of Things, tracking technologies, and denial-of-service attacks. Drakes-Ruffin believes that education, collaboration, and accountability are essential for us to win the fight against cybercrime. She is currently formulating methodologies to help software developers prioritize security in their software innovations, and establishing metrics to reduce the false sense of security that is prevalent, particularly within small and medium-sized companies.
Navika Mahal is currently pursuing a Master of Science in Information Security Policy and Management at Carnegie Mellon University. Her areas of expertise include public policy, information systems, risk management, and cybersecurity. She believes that information security is incredibly important in this day and age, especially due to recent events.
Geetha Polavarapu is pursuing a Master of Science in Information Security Policy and Management at Carnegie Mellon University. She possesses over two years of experience in information security risk management. She believes that security plays a vital role in any organization and is passionate about information security. She would like to address security challenges and create a strategic roadmap for future innovations in security.
© 2015 Marcelle Drakes-Ruffin, Navika Mahal, and Geetha Polavarapu. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.