Insider Risk Policies: What They Are & Why Your Small Business Needs One

Attacks on your company’s IT infrastructure can come from two places: outside and inside. Outside threats are well understood: scammers trying to phish account numbers, competitors trying to steal trade secrets, and bad actors trying to ransom your data.

Insider threats are less well understood by businesses and less talked about. Put simply, an insider threat is someone inside your organisation who harms it. To mitigate this, you need an insider risk policy.

Are Insiders Really a Threat?

Yes. Your business may be betrayed by an insider for a number of reasons, including simple theft and revenge for some perceived slight. In 2016, an IT employee at Expedia traded on secrets illegally acquired from his employer. That’s an example of a typical trusted insider attack.

However, insiders can unwittingly be a threat too. An unwitting insider is someone in your organisation who inadvertently helps an outside attacker. In 2015, Wellpoint, then the second-largest healthcare insurer in the US, revealed that information from 78 million customers had been stolen. It was the largest data breach from a healthcare provider in US history, and it all began when a single user at a Wellpoint subsidiary clicked on a phishing email. That person is an example of an unwitting insider.

What Should an Insider Risk Policy Include?

When managing insider risks, consider the following:

Perform a risk assessment. List all the digital assets you have, from customer data to proprietary information. Order your assets according to value. List which employees have access to which assets. Consider the financial and legal consequences if each of those assets were stolen or exposed.

Control access. Not all employees need full access to all of your data. Enforce “separation of duties”; that is, employees only have access to the information they need to do their job. Furthermore, be sure there is a digital record of who accesses what, and make sure that record is backed up.

Enforce security training. Any employee who touches digital assets, from your senior staff to retail clerks using point-of-sale devices, needs security training.

Document policies and make them part of onboarding. Employees should understand from the get-go what their responsibilities are in terms of protecting digital assets and what the consequences are if they help steal your company data.

Include insider threat considerations in your termination policies. When firing or otherwise letting go of an employee, make sure they lose digital privileges immediately.

Review your security agreements. If you use any cloud services, make sure you review and understand the access restrictions and monitoring those services provide.

Monitor everyone. Even your most privileged users need to be monitored.
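The assessment, access-control and termination steps above can be checked mechanically. As an added example that is not part of the original article, the following Python access review runs over constructed sample data (the asset names, roles and employee names are assumptions) and flags grants that exceed what a role needs or that departed staff still hold, ranked by asset value so the riskiest findings come first:

```python
# Added example, not from the original article: a minimal access review built
# from the policy steps above. Inputs are an asset inventory ranked by value,
# a role-to-asset "need to know" map, and each employee's status and grants.
# All assets, roles and names below are constructed sample data.

# Step 1 (risk assessment): asset inventory, higher number = more valuable.
ASSETS = {"customer_db": 10, "payroll": 8, "product_specs": 7, "marketing_site": 2}

# Step 2 (control access): which assets each role needs to do its job.
ROLE_NEEDS = {
    "retail_clerk": {"marketing_site"},
    "engineer": {"product_specs"},
    "finance": {"payroll", "customer_db"},
}

# Constructed staff records: role, employment status, and the assets actually granted.
STAFF = {
    "alice": {"role": "engineer", "status": "active", "grants": {"product_specs"}},
    "bob": {"role": "retail_clerk", "status": "active", "grants": {"marketing_site", "customer_db"}},
    "carol": {"role": "finance", "status": "terminated", "grants": {"payroll", "customer_db"}},
}


def review_access(assets, role_needs, staff):
    """Return (asset_value, finding, employee, asset) tuples, most valuable asset first.

    "excess_access": an active employee holds a grant their role does not need.
    "orphaned_access": a departed employee still holds a grant (termination step missed).
    "unknown_asset": a grant refers to something missing from the inventory.
    """
    findings = []
    for name, rec in staff.items():
        needed = role_needs.get(rec["role"], set())
        for asset in rec["grants"]:
            if asset not in assets:
                findings.append((0, "unknown_asset", name, asset))
            elif rec["status"] != "active":
                findings.append((assets[asset], "orphaned_access", name, asset))
            elif asset not in needed:
                findings.append((assets[asset], "excess_access", name, asset))
    return sorted(findings, key=lambda f: (-f[0], f[2], f[3]))


def offboard(staff, name):
    """Termination step: mark the employee as departed and remove every grant at once."""
    staff[name]["status"] = "terminated"
    staff[name]["grants"] = set()
    return staff


if __name__ == "__main__":
    for value, kind, who, asset in review_access(ASSETS, ROLE_NEEDS, STAFF):
        print(f"[{kind}] {who} -> {asset} (asset value {value})")
```

Running the review on a schedule, and again immediately after each offboarding, turns the "monitor everyone" step into a repeatable check rather than a one-off audit.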

The Bottom Line

Remember, no business is too small to be targeted by insider threats. Over half of small businesses have suffered thefts by employees; the digital age just means that there are more targets for would-be thieves. And if you do suffer a loss as a result of an insider, here’s how to handle the inevitable data breach.