Employee Threat Assessment Template for Large Organizations

January 16, 2015 by Dan Virgillito

Despite the popular image of the hacker cracking distant servers from his basement, studies show that people with legitimate access to your information pose an even bigger threat. And when information is stolen from within, it's often harder to trace and determine the extent of the problem.

The larger your organization, the greater the chance of a 'bad apple' employee. As a result, proactive threat assessments are crucial for preventing employee-related breaches and reducing their impact when they happen.

The only true solution is to develop a custom template for your own needs, but this one should be used as a starting point for areas to consider when determining the risks of your employees compromising security, as well as what's at stake.

Your ultimate goal should be a comprehensive privacy program... But that doesn't necessarily translate into more security spend. In fact, many of the companies that have been on the receiving end of the most high-profile breaches were the ones pouring the most cash into security.

In almost all cases, security efficacy comes down to thoroughness and how well you follow some simple rules. In fact, data protection can be broken down into a few manageable steps:

  1. Identify threats. Breaches can be a result of employee carelessness or intentional outside attacks.
  2. Assess the level of risk. This means two things. First, assess the likelihood that a given breach will happen. Second, evaluate what the potential consequences will be if it does. These are known as "likelihood" and "impact" assessments.
  3. Know how to minimize the risk. Familiarize yourself with the preventative measures that suit your situation best.

We'll identify some common threats, then cover some of the questions you can ask yourself to minimize them.

Step 1: Identifying Threats

There are two types of employee-related threats: Accidental, or in other words, employees carelessly leaving security holes that can be exploited by outsiders, and intentional attempts by employees to steal data or sabotage crucial systems. Intentional threats will mostly be data thefts, since hackers interested in interrupting your business operations are in the minority. Most are interested in profits, which usually come from selling technical or financial information.

Either way, here's a checklist that covers both.

Accidental

Are employees using unauthorized programs or apps?

70 percent of IT professionals agree the use of unauthorized programs is the cause of half of all data leaks.

Are they using work computers to check personal email? Personal email is a much less guarded gateway to the user's computer than most business email clients.

Has anyone been pirating software?

Managers will sometimes quietly approve software pirating in order to trim software budgets, but the viruses and malware introduced to your system will cost you much more in the long run… Or in the short run, if you get hit with a $150,000 fine for infringing a title. This is one of the difficult things to track, since unlike many careless behaviors, no one will willingly admit to it. The only way to be sure is to conduct a thorough software audit of your company.

Are you sure your employees' credentials are in good hands? This goes for both computer logins and physical security tokens. Urge your employees to report any lost tokens or compromised passwords immediately, and make sure to change them as soon as possible.

Have you gone out of your way to prevent tailgating?

If your data can be easily compromised by a stranger entering the premises, do you have a reliable method to ensure they can't take advantage of a door-holding employee's kindness? Smart cards and vigilant front-desk guards and receptionists can prevent much of this type of access.

Are your employees familiar with scams and how to avoid them? Simple social engineering is one of the easiest ways for an enemy of your company to gain access to your information. This can take the form of online info-collecting methods such as phishing, or real-life exploitations like the tailgating mentioned above.

Intentional

Have employees been transferring files between work and personal computers or devices? Even if they're not doing it with the intent of stealing anything, their personal computers will always be less safe than your company ones.

Would an ex-employee have any way of gaining access to your systems from an outside computer?

Are all employees' usernames and passwords removed from the system on their departure from the company? Make sure current employees change your ex-employees' login information periodically.

Is sensitive data on removable storage encrypted? Removable drives are among the most common sources of data leaks, and once you've lost one, there's next to nothing you can do about it. Unlike passwords or security cards, that information is just gone. What you can do is make sure that all of them are encrypted beforehand. Advanced editions of every Windows OS since Vista have come with a program called BitLocker that will let you encrypt an entire hard drive. If you don't use Windows, or don't have a license for a business edition, there are open source alternatives like TrueCrypt. Files to be transferred to flash drives can also be password-protected using programs like 7-Zip or EncryptStick.

Have any employees quit without returning company devices or storage media? This one is fairly straightforward. Make sure that there's some way to check that all your external hard drives and company flash drives are present and accounted for, and if one goes missing, launch an investigation immediately.

Are you using multi-factor authentication to protect sensitive networks and apps? Two-factor authentication is one of the cheapest and simplest account protection methods to implement, but it's also one of the most effective for ensuring only your employees get into your apps.

Do only trusted employees have access to critical information? The only employees who need access to mission critical information are the ones currently working with it. Simply closing access holes will do a lot to minimize the number of people who can cause a security breach in the first place.

Step 2: Assessing Risk Levels

What data is at stake? Obviously, a list of your customers' favorite flavor of jam isn't as crucial as credit card data, so make sure to direct more resources toward protecting the latter.

How likely is a certain breach to occur? Although it may seem noble to put the same amount of effort into securing every entrance, it can also result in a huge waste of time and money, essentially fortifying doors no one ever uses. An assessment of breach likelihood can help you minimize that waste.

Normally, the likelihood of a threat occurring increases with the number of authorized users. Since it's often impossible to calculate the exact likelihood of a breach, especially in large organizations, you can make an ordered list of threat likelihoods, and focus on the most likely ones first.

What will a breach cost you? On average, data breach incidents cost US companies $204 per customer record compromised. Symantec offers a simple cost-per-breach calculator, but that's just to give you an idea. Knowing how much different types of breaches will set you back, combined with the likelihood of each happening, will give you a pretty good idea of how much security spend you should direct towards each one. There are even data breach checklists available to help you stay safe.

If one of your systems is intentionally sabotaged, how long will it take to get it running again? Restoring critical infrastructure after an attack can easily cost six or seven figures. Do you have a plan for how you'll get various vulnerable systems back up at minimum cost if they're compromised? That falls under Step 3...

Step 3: Know How to Control the Risk

There are some failsafes you can implement to minimize risk when employees are careless.

Are company computers set to log off after a certain period of inactivity? Many employees, usually due to simple forgetfulness, will still leave their computers unlocked when they leave their desk. Setting their computers to log out on their own after extended inactivity will cover for them.

Is sensitive information kept on portable hard drives, flash drives, mobiles, or any device that can be easily stolen? If so, does it need to be, or would a secure cloud application be a more suitable way of making sure it's accessible away from home?

Do you know what activities to look for? Trouble signs can include more than 50 documents being printed at once, files being copied to a storage device or cloud application, the names of confidential projects being typed in e-mail, and key applications being accessed after-hours. Make sure you have a way to monitor these. That brings us to our next point...

Are you using big data analytics to detect potential threats? Anomaly detection software can analyze user behaviors more efficiently than people can, and give you real-time updates on the status of your security. Are you using it? SAS, IBM, RSA, Fortscale, Personam, and LogRhythm all offer these kinds of programs.
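As an added example (not code from the article or from any of the vendors named above), here is a small rule-based detector for the four trouble signs listed above, run over a constructed in-memory event feed; the event format, the 10-minute print window, business hours, project names and application names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PRINT_BURST = 50                             # "more than 50 documents printed at once"
PRINT_WINDOW = timedelta(minutes=10)         # assumed meaning of "at once"
BUSINESS_HOURS = (8, 18)                     # 08:00-18:00; anything else is after-hours
CONFIDENTIAL_PROJECTS = {"project falcon"}   # constructed project name (assumption)
KEY_APPS = {"payroll", "crm"}                # constructed key applications (assumption)

def find_trouble_signs(events):
    """Return sorted (user, reason) pairs for the four trouble signs above."""
    alerts, prints = set(), defaultdict(list)      # prints: user -> print job times
    for e in events:
        user, when = e["user"], datetime.strptime(e["time"], "%Y-%m-%d %H:%M")
        if e["kind"] == "print":
            prints[user].append(when)
        elif e["kind"] == "copy" and e["dest"] in ("usb", "cloud"):
            alerts.add((user, f"file copied to {e['dest']}: {e['file']}"))
        elif e["kind"] == "email":
            for name in CONFIDENTIAL_PROJECTS:
                if name in e["body"].lower():
                    alerts.add((user, f"confidential project named in email: {name}"))
        elif e["kind"] == "app" and e["app"] in KEY_APPS:
            if not BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]:
                alerts.add((user, f"after-hours access to {e['app']}"))
    # Sliding window per user: more than PRINT_BURST jobs inside PRINT_WINDOW is a burst.
    for user, times in prints.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > PRINT_WINDOW:
                start += 1
            if end - start + 1 > PRINT_BURST:
                alerts.add((user, f"more than {PRINT_BURST} documents printed within {PRINT_WINDOW.seconds // 60} minutes"))
                break
    return sorted(alerts)

# Constructed sample feed: alice, bob, carol and dave each trip one sign; erin is benign.
SAMPLE_EVENTS = (
    [{"user": "alice", "kind": "print", "time": f"2015-01-16 09:0{m}"}
     for m in range(9) for _ in range(6)]                       # 54 jobs in 9 minutes
    + [{"user": "bob", "kind": "copy", "time": "2015-01-16 14:10", "dest": "usb", "file": "q4_forecast.xlsx"},
       {"user": "carol", "kind": "email", "time": "2015-01-16 11:30", "body": "Status of Project Falcon attached"},
       {"user": "dave", "kind": "app", "time": "2015-01-16 23:15", "app": "payroll"},
       {"user": "erin", "kind": "app", "time": "2015-01-16 10:00", "app": "crm"}]
)

if __name__ == "__main__":
    print(*find_trouble_signs(SAMPLE_EVENTS), sep="\n")
```

Thresholds like the 50-document burst are the article's own figure; tune the window and business hours to your environment before relying on the alerts.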

Conclusion

Despite the lengths IT professionals go to in order to prevent them, seven out of ten critical infrastructure companies suffer data breaches that lose them confidential information or disrupt their operations every year.

Beyond merely protecting yourself from direct attacks by employees, which will be relatively rare, you can remove most of the more common threats by encouraging your employees to help close security holes.

If your organization is an environment where employees are regularly trusted with confidential data, foster a security-aware workplace culture where protecting data is known to be an important part of every employee's job. Make sure your employees also know why they're being instructed to do these things, and that they understand the potential consequences for the data.

And finally, nothing will decrease the likelihood of data breaches like a good Chief Information Security Officer (CISO). If your organization has grown to the point where data security is a concern that you can't handle alone, there's no better advice we can give you than to invest in one.

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.