As employees work from home, companies are more at risk of ‘insider threats’

A commentary.

Many companies have been observing a work-from-home arrangement since mid-March when the government implemented a strict lockdown of areas in an effort to contain the spread of the coronavirus 2019 disease. With a segment of the Filipino workforce engaging in remote work, their susceptibility to cyberattacks and cybercrime are also on the rise. 

Employees now have remote access to company’s confidential and proprietary data from the comfort of their homes, and companies are at risk from “insider threats.” 

An insider threat is an employee or contractor that uses their authorized access to wittingly or unwittingly inflict damage to the organization through malicious exploitation, theft or destruction of data, or compromising information and communications technology systems and devices.

A study recently published by Ponemom Institute claims that insider threats cost companies $11.45 million globally. Insider threats generally fall under three classifications: careless or negligent employees or contractors; a criminal or malicious insider; or a credential thief. Negligence of employee or contractor take the largest percentage of insider threats at 63%. Criminal and malicious insiders come in second at 23% while credential thieves hold the last spot with 13%.

As the workplace shifts into the confines of personal homes, employees are given remote access to critical data with far less oversight. Whether one attributes it to a human error or an employee or contractor with malicious intent, the proliferation of insider threats under the present conditions grows in likelihood. The potential lack of robust planning, clear implementation and impact evaluation of out-of-office arrangements could lead to billions in monetary losses or reputational damages. 

Remote employees are exposed to networks or devices that do not possess a high level of security defenses. Targeted attacks can exploit home networks with low-security protocols and exploit employees’ access to cloud services. The increasing use of third-party applications such as Zoom for online meetings also poses significant risks. Recently, GoNegosyo, a local business advocacy group was targeted by Zoom-bombers, a group known to disrupt video conferencing on the online platform.

The Department of Information and Communications Technology also warned users about the rise of COVID-19-themed phishing scams. Phishing emails could be exploited by cybercriminals especially to those who are working from home. The possible use of company-issued laptops or smartphones for personal purposes may expose employees to unsecured content or websites. These could infect devices with malware or virus that could compromise personal identifiable information and reputational data that belong to the company. Phishing attacks can also smear employees to enter into fraudulent business transactions. Cybercriminals can prey on these malicious activities to extort organizations to pay ransomware to maintain business continuity.

The economic uncertainty amid COVID-19 poses significant mental and emotional stress on employees. Competitors could manipulate vulnerable and distressed personnel to steal proprietary data for personal gains. The anxiety or frustration of the current pandemic crisis could spike the number of inadvertent behaviors and actions from distracted employees in moving or sharing credential data without securing their endpoints.

 There is a suite of fundamental technical interventions—Virtual Private Network, Anti-malware software; Multi-factor Authentication—which companies have put into place to keep the integrity and security of employees engaged in remote work. Some large organizations have also scaled their cybersecurity efforts to monitor and mitigate cyber incidents. 

Above all these, the work-from-home set-up shows that the human factor remains to be the weakest link in cybersecurity. Addressing these emerging challenges requires a holistic organizational approach that situates the “human dimension” front and center.

The fundamental steps to insider threat mitigation begin with fostering awareness through understanding proper cyber hygiene. Rather than relying on broad cyber hygiene prescriptions, companies must develop guidelines akin to the current user environment. A good starting reference would be the Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions developed by the U.S. National Institute of Standards and Technology (NIST). The NIST bulletin encourages companies to undertake “risk-based decisions” in providing remote access to devices issued to employees. As company-issued devices are put at a greater risk outside the premises of the enterprise network security, encryption of sensitive data stored or processed in company laptops, tablets, or smartphones is highly recommended.

A tiered approach must also be applied in reviewing the level of access that each employee has toward critical information. This entails assessing, monitoring and removing potential overprivileged users. Companies may explore Identity and Access Management or Privileged Access Management to maintain transparency and accountability of employees accessing sensitive data remotely.

The type of leadership within the organization is a key determining factor in the success of transforming the overall cybersecurity culture. Putting the seal of management support breaks down the silo of viewing cybersecurity from the limited technical lens of the ICT department. This reorients cybersecurity as a shared responsibility of every stakeholder in the organization. The top echelon and middle management must use their position of influence in sharing insights on threat intelligence and best practices among their employees. These engagement opportunities must also be utilized by the corporate management to foster trust and unity within the organization given the uncertainty in the global economy.

Incentivizing the adoption of credible cyber hygiene initiatives can also be a vital pathway in cultivating a high-impact security environment in the short-to-medium-term. On top of enforcement or compliance policies, incentive mechanisms reinforce positive behavior. This could act as a barometer in gauging employees’ application of security protocols, and at the same time paving the way in rethinking strategies to ignite sustainable behavioral change.

Cultivating cybersecurity awareness to combat increasing cyber threats and vulnerabilities will have far-reaching implications. Beyond the financial costs that companies incur in light of cyberattacks or associated human errors, the erosion of public trust and decline in consumer confidence is unquantifiable and irreversible. As organizations navigate the “new normal,” it is recommended that they heighten their vigilance against cybercriminals and malicious actors. Now more than ever, a strong and robust cybersecurity culture centered on the aspect of the human agency must be the top priority to boost the organization’s immunity against its own insider threats.

Mark Manantan is a visiting fellow at the East-West Center in Washington D.C., and the Center for Rule-Making Strategies, Tama University in Tokyo, Japan under the U.S.-Japan-Southeast Asia Partnership in a Dynamic Asia Fellowship. He is also a non-resident fellow at Center for Southeast Asian Studies at the National Chengchi University in Taiwan and the founder and strategic director of Bryman Media.