It likely won’t come as a surprise to most companies that a time of significant disruption and change, like the COVID-19 crisis, can heighten organizational risk, not only externally but also internally. With many companies having made the shift to remote work at the start of the pandemic, and that trend likely to continue for the foreseeable future, the likelihood of cyber and technological threats from employees themselves has increased significantly.
Large-scale remote work has significantly reduced organizations’ visibility into the digital and interpersonal behavior of their workforces. It has also hampered their ability to detect, investigate, and resolve potential issues. For employees under stress or predisposed to acting in ways that are harmful to the business, this provides the time, space, and tacit license to do things they otherwise would or could not. Additionally, the workforce is one of the most reliable channels for reporting troubling employee behavior, so the current absence of workplace interaction has made it far less likely that leads will be reported. And with many workforces remaining remote in the long term, the cyber threats posed by company insiders may be a reality that companies will have to contend with in the long term.
There are several internal risks and threats that companies should be aware of and consistently monitor for, during this time.
One such potential risk from within an organization is the possibility of extortion. Policies and processes around information and technology have, out of necessity, been adjusted to facilitate greater remote functionality at scale. At the same time, centralized security monitoring and analysis teams have had to pivot to maintain their visibility into user and network activity. Under such circumstances, user behavior issues and “shadow IT” have emerged at many organizations. For example, a software developer or database administrator may think, "I am an essential employee in this business and my work can't afford to be affected by these restrictions" and download an unvetted application. This could trigger a widespread ransomware infection that takes the business offline for days and leads to the company paying millions in extortion money.
Remote work has also increased the possibility of fraud. As businesses face significant financial challenges, managers are under significant pressure to protect jobs and meet business targets. Such thinking may encourage management to take advantage of limited oversight and outdated technical controls to misrepresent the financial health of a business. The potential for employees to internalize these stressors and foster resentment towards their company or organization is at an all-time high. As businesses strive to resume operations, they must consider the critical pressures on employees operating in a prolonged period of turmoil and dealing with a potential confluence of financial, professional, and personal pressures.
As these stressors are heightened in a remote work environment, it can be more difficult for companies to monitor for and manage threats of violence being communicated online. Since many companies have significant visibility into what their employees are doing on a day-to-day basis, it’s critical that business leaders involve employees in insider threat assessments while they are not working together in a physical office space. Doing so now is crucial: These assessments will keep employees engaged while giving the business an opportunity to monitor employee sentiment and encouraging employees to come forward with any potential risks or possible threats.
Historically, businesses have been hesitant to conduct internal and external risk assessments due to fear of the unknown or fear of organizational disruption. Yet, change is disruptive, and to prepare for potential insider threats, businesses must conduct internal assessments to address those threats lying in wait. This first step is acknowledging that the impact of the pandemic will be long-lasting and that institutionalizing many of these practices is key.
There are several best practices that businesses should take into consideration when institutionalizing insider threat practices.
The first step is data management. Companies must implement digital transformation initiatives no matter what the work environment looks like. Company data is at risk when employees are working on their personal computers. In order to protect company data, businesses can provide their employees with company computers to use for work. While providing employees with company computers is costly, it is the most protective measure when monitoring for insider threats with employees working from home.
For those organizations that can’t afford computers for every employee or those who want to save on costs, there is the option of moving all (or most) data to the cloud. During a crisis, like the COVID-19 pandemic, data management is critical to business resumption and survival.
As organizations focus on resiliency – and understanding what that means in a largely remote landscape – managing insider risks and threats deserves a coordinated multi-disciplinary approach based on risk, led by professional staff, and enhanced by technology. As the COVID-19 crisis continues, there will be greater stress on organizational resiliency and a higher potential for economic repercussions. Business leaders and executives must have a plan in place to handle potential threats as a result of prolonged remote work.
Managing insider risk at enterprise scale is a complicated task fraught with pitfalls. The human factor is complex and ambiguous, and the consequences of getting it wrong can quickly corrode corporate culture. Although insiders can present a broad range of risk types, effective organizational responses can be commonly applied across a company and should be collaborative.
Though many of these threats are technical in nature, managing such insider risk should involve a coordinated, multidisciplinary approach that is based on risk, led by professional staff, and enhanced by technology. Above all else, however, the approach must be emotionally intelligent. Regardless of sector or size, an organization’s most valuable asset — and its most vulnerable — is its human capital.
About the authors:
Michael Rohrs is a Principal at Control Risks and leads Control Risks’ cyber consulting practice in the Americas. Based in Washington, D.C., Michael has extensive experience in global information and technology risk, cybersecurity, crisis management, incident response, intelligence and geopolitical analysis.
Michael Zimmern is a Partner at Control Risks and leads the investigations and forensic accounting practice for Control Risks in EMEA. As a qualified chartered accountant with more than 15 years of forensics experience, Michael advises clients on regulatory, reputational and financial issues.
Andy Cox is a partner in Control Risks’ Crisis and Security Consulting practice. Andy delivers risk consulting services and business protection advice to Control Risks’ clients across Europe and Africa. Andy has experience in advising a wide range of clients across a broad spectrum of business sectors and has delivered security transformation programs as well as corporate and operational security, business continuity and crisis management services.