Spotting The Difference Between Insider Risk and Insider Threat

Differentiating insider risk from insider threat: Learn the nuances to enhance cybersecurity. Understand how to identify and address potential vulnerabilities posed by internal actors.

By
Elizabeth Harz
-
Insider Threat

In 2023, 44% of remote workers say they are working more than the year before, with one in five feeling burnt out. What’s more, many cite loneliness and staying motivated as key issues with working at home. Consider a few realistic use cases in today’s work environment – the work-from-home engineer who starts to resent their company and emails product designs to a competitor undetected, the customer service agent who feels that they are underpaid and creates a fake customer account to steal from their company, or the consultant who accesses sensitive customer data to resell on the black market.

With these statistics in mind, it is no surprise that remote workers present several security issues. Not only are many feeling stressed, but they are also using home computers, accessing sensitive information from outside the network, and are able to do a lot of things away from the eyes of a manager. Take a common scenario – a disgruntled employee who is looking for another job. When in an office, it’s easier to spot someone who is unhappy, and they are less likely to act out against the company. 

Insider threats cost companies big money and working from home has made it worse. A recent study by IBM shows that the average instance costs companies $4.35M and that companies with remote workers have an average breach cost of about $1m higher than that. 

It’s enough to make any security professional want to require everyone to come back into the office. However, the reality isn’t that simple. To remain competitive, many companies believe they have to offer flexibility, and many valuable employees are perfectly trustworthy working at home and may leave if they are required back in the office full time. A better approach is to stop thinking in terms of threats and start thinking in terms of risk.

With insider risk management, companies can get ahead of potential problems, spot issues before they become costly, and create a more positive work culture. 

 Understanding Threats vs. Risks

The difference between a threat and a risk is relatively simple. A threat is an immediate problem. A risk is a circumstance that has the possibility of becoming a threat. 

Common threats:

  • Data breach 
  • Intellectual property theft
  • Embezzlement and fraud

Companies that spend time managing threats are coming to the house after it’s already on fire. “Firefighting” is costly and damaging for the organization. By focusing on threats, security teams have no strategic leverage and often spend their time cleaning up after a problem instead of getting ahead of one before it becomes much more damaging and costly.

In today’s remote world, there are more risks, but they are often harder to spot:

  • A disgruntled employee with access to sensitive company data gives a two-week notice. 
  • A senior engineer who created valuable IP for his company is leaving to join a competitor.
  • Employees of an outsourced call center that processes payments, refunds, and other financial data. 
  • A highly engaged and productive employee who is suddenly showing extensive idle time on her computer. 
  • Wholesale buyers make lucrative contract decisions with vendors around the globe. 

Spotting these risks when people work in an office on the other side of the globe, or at home is much more difficult. The extra work is worth the effort. Security teams that gain leverage and spend more time understanding signals that may indicate a problem and using those signals to improve and become proactive instead of reactive. 

 A New Approach to Move from Threats to Risks

The main change that must occur in the organization to move from threat to risk is to start looking for new signals that indicate potential problems. This requires a different timeline and there is a transition period required to build up a benchmark where risks can be compared.

With analytics in place, companies can start to understand two things: First, the “ new normal” rhythms of employees working wherever they are, and second, obvious areas where security can be improved. Then over time, more issues can be identified. 

There are three basic phases to implementing risk management

Phase One – Creating a “New Normal” Baseline: Companies implement monitoring software and start measuring activity such as who accesses sensitive information, positive and negative tones of communication, schedules, and idle time. With this information, it’s possible to create a baseline understanding of normal activity. Some people at home might keep odd hours for a good reason, perhaps because they have small children and take time off in the afternoon, but then get back to work after dinner. With analytics software in place, it’s possible to start understanding those schedules more effectively.

Phase Two – Closing Holes: With the baseline in place, it’s immediately possible to assess if there are clear risks to be fixed before they become threats. For example, if many people are accessing important data remotely when network security is still configured only for workers in the office, it might make sense to limit access. If a lot of employees are using their own devices, companies might implement stronger passwords or new software to secure company documents and information.

Phase Three – Ongoing Risk Management: Once the first wave of risks is accounted for, risk managers can use reporting to detect any new changes from the baseline. Perhaps someone starts logging in from a different device, or they start having a more negative tone in their emails. These risk indicators can be used to create a more proactive approach.

The Upside of Risk Management
Threats are not only costly in their own right, but they can also hurt company morale and contribute to a distrustful work culture – and that can be a big problem when remote work already makes it harder to create a positive culture. Having technology that enables risk management allows for a safer and more productive workforce. People want to feel that they are trusted, and in fact, pose less of a risk if they are in a positive work environment – even people who work from home.

Moving to risk management instead of threat management can create a much more positive work culture. When someone is flagged as a risk, there is time for a manager to reach out and have a proactive conversation. Perhaps someone is rightfully unhappy about something that can be fixed, or a policy can be changed to reduce access to sensitive information before a threat emerges. 

A company focused on risk management is a company focused on creating a better work environment, not just a more secure one.

Discover the full potential of your Hrtech strategy with our comprehensive Hrtech News and Hrtech Interviews.

Want to Contribute? CLICK HERE To Submit Your Guest Post and Join Our Community of Writers!!!

 

ABOUT THE AUTHOR

Elizabeth Harz

CEO of Veriato

Elizabeth Hard is the CEO of Veriato. Veriato is leading provider of Insider risk management and productivity monitoring solutions, helping bussinesses monitor and analyze remote, hybrid and on-site workforce activity to boost productivity and to prevent insider risk.

RELATED ARTICLESMORE FROM AUTHOR