From time immemorial it has been considered improper to include veiled threats towards trusted employees in an effort to dissuade them from considering complicity in criminal activity. But reliance on technical security is no longer an acceptable approach to mitigating the risk of insider breaches, whether or not they arise from human error or corrupt individuals.

The telecom, healthcare and finance sectors are experiencing this situation first-hand, with criminals actively reaching in to recruit employees who possess desirable access privileges. As last week’s Reddit breach demonstrated, even companies with security safeguards previously considered to be adequate are being successfully breached using methods that exploit the human element, in arbitrary locations within the supply chain.

With the prevalence of multifactor authentication and strong technical safeguards, recruiting insiders and socially engineering employees is now the norm. Companies need to directly address the issue of controlling insider activity and educate themselves to understand the fact that a vast diversity of distinct threats actually share common and readily understood motivations.

According to this Motherboard article, “hundreds of people across the US have had their cellphone number hijacked in this so-called ‘Port Out Scam.’ Victims have had their emails and social media accounts hacked, and sometimes lost hundreds of thousands of dollars.” There are organized crime gangs making millions of dollars doing this and it often starts with a simple question:

do you wanna make some money?

The fact is that insider breaches are complex situations that can arise from lack of employee awareness just as well as sophisticated social engineering. The real question that businesses of all sizes now face is whether their security programs strongly enforce monitoring practices.

Think about the policies and procedures in place in your organization and consider the following:

  1. are those safeguards sufficient to prevent a data breach if the employee were influenced to click a malicious link or share a password?
  2. is sufficient logging and monitoring in place to ensure that corrupt individuals can be investigated and identified?
  3. are sufficient examples communicated to ensure that employees understand the adverse scenarios that can unfold and how they need to report suspicious activity?

I occasionally consult with companies that offer various explanations for inadequately addressing insider threats. My favorite remains this one: “we don’t talk to them about it because it may give them <bad> ideas. They have too much access as it is.”

Threats evolve. Don’t expose your company to unnecessary risk because of inadequate security leadership or a perceived difficulty to strike the right tone in your communications. Good security training is not hard, but it’s also not optional.

— Claudiu

*this content is available as a management presentation or keynote address.

**this article was also featured on LinkedIN.