Insider Threat and Ethics

How important is it to manage insider threats? Very, according to cybersecurity firm SANS Institute. In recently published survey results (Cole, 2017) it reported that organizations “recognize insider threat as the most potentially damaging component of their threat environments.”

Although the SANS Institute survey was all about cybersecurity threats and data loss, it offers insights that are also valid for ethics and compliance professionals, who already have tools—like hotlines—available to help uncover insider threats.

Here are some of those insights.

  • Organizations must deal with both malicious and accidental insider threats.

Malicious insiders, according to the report, are what most people think of when they hear the term insider threat, but unintentional insider actions, be they accidental or negligent, can cause just as much damage, if not more.

  • The top concerns revolve around data and intellectual property.

That’s not so surprising, since this was a survey about cyberattacks. However, as stated in the survey results, “anything that could impact the short- or long-term success of a business is a concern.” Less data-specific concerns include reputation damage stemming from negative publicity, as well as the possibility of fraud/abuse and the compromise of competitive advantage in the market.

  • Tools and techniques to prevent/deter insider threats may focus too heavily on policies, procedures, and audits.

Policies, procedures, and audits, according to the report, “while must-have preventive measures, are more symptomatic of the problem than fixes for the root cause.” For cyber and data security, the root cause problem is defined as insiders gaining access to data that is not properly protected and controlled.

The tools and techniques used by survey respondents, with the percentage of respondents reporting each, are: administrative policies and procedures (100%), internal controls (78%), internal audits (65%), data loss prevention (55%), privileged account vault (38%), workforce monitoring (35%), whistleblowers (25%), and other methods (1%).

Did you notice the relative position of whistleblowers in the list above? Only 25% of respondents listed whistleblowers as a “tool or technique” used to prevent or deter insider threats. In a related question about the tools or techniques used to detect insider threats, just over 20% identified whistleblowers.

Ethics and compliance professionals know that tips from employees and others are the most common means for detecting fraud in general. The Association of Certified Fraud Examiners (ACFE) has consistently found that organizations that offer ethics hotlines are more likely to detect fraud through tips than organizations without hotlines—47.3% vs. 28.2%, respectively (ACFE, 2016). Of course, ethics and compliance professionals also work with policies and procedures, internal controls, internal audits, and other methods.

It may be that some of the information security professionals who responded to the SANS Institute survey about insider threats work for organizations that do not offer hotlines and do not promote a speak-up culture. Or, it may be that they are not as familiar as they should be with the ethics and compliance tools and outcomes in their organizations.

Given that ethics and compliance professionals also recognize the importance of data and cyber security matters—a recent survey of ethics and compliance officers found the top focus area to be data privacy and cyber security (Consero, 2017)—the SANS Institute survey findings may also highlight the need for closer alignment between information security staffs and ethics and compliance staffs as both try to combat insider threats to their organizations.

Ethical Advocate provides comprehensive ethics and compliance solutions, including ethics and compliance training and confidential and anonymous hotlines. Please contact us for additional information.

References

ACFE. Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study, 2016. http://www.acfe.com/rttn2016.aspx

Cole, Eric. Defending Against the Wrong Enemy: 2017 SANS Insider Threat Survey, August 2017. http://www.sans.org/reading-room/whitepapers/analyst/defending-wrong-enemy-2017-insider-threat-survey-37890

Consero Group. Corporate Compliance & Ethics Report: Facts & Analysis, August 2017. Request a copy at https://consero.com/august-2017-corporate-compliance-ethics-report/. (See also the Ethical Advocate blog post titled “Current Priorities for Ethics and Compliance Officers.”)