COVID-19 and the Insider Threat

Even if you are not in IT, you have probably heard the term “insider threat.”  To refresh your memory, Wikipedia defines “insider threat” as “a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.” 

It is easy to think that an insider threat is someone who might be a plant by an entity that wishes harm to the organization.  It could be a nation-state, a radical environmental group, or just your daily anarchist.  However, the insider threat is usually some well-meaning employee doing the wrong thing to save time or to circumvent security protocols. Their intentions are not malicious but can cause as much damage as a malicious attack.

Education of employees and adherence to the IT protocols are paramount to mitigate any damages caused by well-meaning-but-irresponsible-employee.  And this was the way teleworking was done. Then 2020 happened.

In March, your security departments and HR departments started to open up their pandemic planning manuals.  People were going to work from home for a while—many people.  Even if your pandemic planning manuals addressed teleworking, it probably didn't address something on a scale of every office employee working from home. It didn't address SCADA operators having to access the system from a remote location.  And I am sure it didn't take into consideration the cybersecurity issues that COVID-19 has spotlighted.

Speaking from experience, I saw my spouse having to work from home for the first time in a 30 year career this past March.  I've worked from home as needed when I worked at AFPM and have done so fulltime since starting Loyal Dog Consulting.  My spouse, and their company, lost their minds during the first two weeks of telecommuting.  Their company never had a telework policy.  I was proactive and set up another WiFi network just for them.  But I saw them cursing at the long lag times to get into the system, the need for passwords to access anything.  And then there was "two-factor authentication" which no one understood.  The entire company  was flying by the seat of their pants.

My spouse told me that a coworker came up with a workaround to access confidential files offline and without credentials. As someone who has worked in cybersecurity since 2005, this caused me to shutter.  But then I thought, how many thousands of people are doing this now?

And I am sure that it happened at your office too.

As humans, we want the easiest and fastest way to a goal. When your company introduces concepts such as Virtual Private Networks (VPNs), two-factor authentication, and security protocols, some will see these actions as roadblocks to achieving a goal with ease.  Even if this goal is to access a file from a network drive.

The "bad guys" (hackers) have taken advantage of this during the COVID-19 crisis.  Yes, hackers are taking advantage of consumers during this crisis. Hackers have also targeted corporations.  The amount of ransomware attacks has grown as have other attacks on networks.  Skybox Security stated in July, 2020, that ransomware attacks grew by 72% during the pandemic, while mobile vulnerabilities grew by 50% during the same time[1].  The hackers are using frustrated employees as a conduit to corporate networks.  And these are your new insider threats.

So what can a company like yours do?  The good news is that the proverbial horse has not left the barn yet.  The bad news is that the horse is heading that way.  One bright spot for the ONG community is it had to deal with Hurricane Harvey. Thus, the ONG industry had a preview of this situation.  It needs to work from lessons learned during that time. But not all readers of this article have that advantage.

If your company does not have a telework policy, it needs to develop one now!  My spouse’s company had their HR and IT departments put together a patchwork of protocols.  It is not ideal, but it is a band-aid for the time being.

Your HR, IT, and Legal departments need to work as a team to develop a policiy that addresses employees first.  Many people on this team will understand the frustration of trying to telecommute, which is a good thing when it comes to planning a telework policy.

Security must always trump convenience.  But security should not be so overbearing that it will cause employees to search for shortcuts.  Your team must address the facts that employees might be working from personal computers, working in an area that is not conducive to the level of production as their office was, plus they have to compete with spouses and kids for WiFi bandwidth. With some places reopening, your employee might be working from an outdoor café or even a library. Your company needs to ask itself if it is necessary to access confidential files on-line.  Can payroll be secure from an off-site location?  Can an operator reset an alarm from their home computer?  And while the future will have plenty of case studies on cybersecurity in 2020, you need answers now. 

My firm has heard from many suppliers who seem to have the answer to security issues in this age of COVID-19.  My question to them is always about scalability.  What works with HQ on Louisiana Street, might not work with the supplier in St. Cloud.  The right supplier will know that scalability is vital.

I can’t advise anyone on how to deal with telework, file security, and all the other issues that 2020 has thrown at corporate America.  What I can say is this is an opportune time to be inventive.  To think outside the box.  To be proactive in planning for future issues. 

COVID-19 might not be Armageddon.  But, if you underestimate the situation, you could be in a world of pain. You’re probably like my spouse’s company, flying by the seat of your pants. Most companies are flying by the seat of their pants, as they have never had most of their employees teleworking before. You need to keep the plane level, make sure everyone’s seat belts are fastened, and avoid the “missiles” that hackers might try to launch.  And take notes!  Build on lessons you are learning in 2020. You will have a great case study for future employees!

 

[1] https://markets.businessinsider.com/news/stocks/covid-19-pandemic-sparks-72-ransomware-growth-mobile-vulnerabilities-grow-50-1029413191#

Comments

{{ error }}
{{ comment.comment.Name }} • {{ comment.timeAgo }}
{{ comment.comment.Text }}