The idea of an “insider threat” is becoming a key issue in companies’ business risk management, and data privacy requirements have a significant impact on the mitigation measures companies can take against inadvertent and malicious threats. While organizations are fundamentally interested in mitigating insider threat-related risks to information security, IT and compliance professionals must be aware of competing legal requirements and compliance issues to be able to effectively mitigate those risks.
What is an insider threat?
Organizations regularly prepare themselves to protect their assets from physical or logical threats originating in the outside world. However, critical assets also must be protected from negligent and/or malicious employees, contractors, third parties and attackers, or “inside” threats.
Research suggests that a large portion of data breaches are not detected for months or years and that managing negligence-driven data breaches generates the most total cost per annum, while credential theft is the most expensive type of insider threat to address per unit (Verizon Insider Threat Report, 2018). Cost factors include: operating and maintaining monitoring and surveillance tools and IT systems; the data breach management process, including containment, incident response and restoration of assets to their original value; internal investigations; and legal fees. Indirect costs or losses may involve more intangible matters, like loss of intellectual property, loss of reputation, business disruption, churn of clients or workforce fluctuation.
Is user monitoring the way to go?
Risk management best practice suggests the risks related to insider threats must be addressed on multiple levels, in each of the human resources, processes and technology domains.
HR-related controls play a significant role, including vetting/background checks, execution of nondisclosure agreements, including during the hiring process, and active use of job descriptions in line with “need-to-know” requirements.
Processes can include: mandatory leaves; job rotations; the enforcement of “least privilege” and “need-to-know” principles; segregation of duties; and implementing “four-eye” controls (requiring at least two people to sign off on any given activity) into approval procedures.
Technology must support the effectiveness of the HR and process controls. According to Gartner, three categories of advanced insider threat detection technology have emerged: stand-alone user and entity behavior analytics (UEBA) products; endpoint-based employee monitoring products; and data-centric audit and protection (DCAP) solutions.
UEBA products profile users based on their regular behavior to detect anomalies. Endpoint-based employee monitoring tools provide the most detail, including a video record of user activities. DCAP solutions promise real-time activity monitoring. The further advancement of these solutions will include more detailed surveillance and the application of machine learning and artificial intelligence to evaluate whether user intent is malicious or simply negligent.
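The UEBA approach described above, reduced to its core: each user is scored only against their own baseline, and analysts see a keyed pseudonym rather than an identity, so that monitoring stays proportionate until a documented escalation permits re-identification. This is an added illustration, not code from any product named in the article; the audit events and the salt are constructed for the example.

```python
import hashlib, hmac, statistics
from collections import defaultdict

# Constructed sample audit events (not real data): (day, hour, user, bytes_exported)
EVENTS = [
    (1, 9, "alice", 1200), (2, 10, "alice", 1500), (3, 11, "alice", 1300),
    (4, 9, "alice", 1400), (5, 10, "alice", 1250),
    (1, 9, "bob", 800), (2, 14, "bob", 900), (3, 10, "bob", 850),
    (4, 11, "bob", 950), (5, 23, "bob", 48000),   # late-night bulk export
]

SALT = b"rotate-me-in-production"  # hypothetical keyed salt held outside the analytics team


def pseudonymize(user: str) -> str:
    """Keyed hash: analysts get a stable token, not the employee's identity,
    until a documented escalation step permits re-identification."""
    return hmac.new(SALT, user.encode(), hashlib.sha256).hexdigest()[:12]


def baseline(events, exclude_day):
    """Per-user mean/stdev of exported bytes and set of working hours,
    built from all days except the one being scored."""
    stats = defaultdict(lambda: {"bytes": [], "hours": set()})
    for day, hour, user, nbytes in events:
        if day != exclude_day:
            stats[user]["bytes"].append(nbytes)
            stats[user]["hours"].add(hour)
    return stats


def score_day(events, day, z_threshold=3.0):
    """Return pseudonymized alerts for activity on `day` that deviates from
    the user's own baseline: volume z-score above threshold, or an unseen hour."""
    base = baseline(events, day)
    alerts = []
    for d, hour, user, nbytes in events:
        if d != day or user not in base or len(base[user]["bytes"]) < 2:
            continue
        mean = statistics.mean(base[user]["bytes"])
        stdev = statistics.pstdev(base[user]["bytes"]) or 1.0
        reasons = []
        if (nbytes - mean) / stdev > z_threshold:
            reasons.append("volume")
        if hour not in base[user]["hours"]:
            reasons.append("hour")
        if reasons:
            alerts.append((pseudonymize(user), day, reasons))
    return alerts
```

Only the alert tuple (token, day, reasons) leaves the scoring step; the raw per-event record stays in the audit store under its own retention rule.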
The management of insider threat risks is difficult and requires significant organizational effort. Current best practices for implementing HR, process and technology controls are summarized below.
Vetting and background checks
While vetting and background checks may be common practice, different jurisdictions permit different levels of research into a job applicant’s credentials. Broad background screenings may cause discrimination issues or raise data quality issues regarding the accuracy of information collected from third parties and other unverified sources. Under the EU General Data Protection Regulation (GDPR), it may be disproportionate to conduct internet searches on the applicant, to record information from social networking sites or to contact third parties or educational institutions regarding the prospect’s credentials.
Nondisclosure agreement usage
Job contracts usually include an NDA, but for sensitive jobs the organization might consider requiring an NDA to be signed when the candidate submits her application (this may involve the need to develop or use an external HR portal). Interviewers should be trained not to disclose any confidential information during the application process.
Regular data protection and cybersecurity awareness training is part of the organizational measures that address the management of privacy-related risks, such as the identification and reporting of data and IT security events. Such training should be part of the on-boarding process and be repeated at regular intervals, with its completion duly documented for data protection accountability purposes. Specialized training may be necessary for different company functions, such as procurement, accounting, customer service, HR, marketing, IT and legal.
Exit processes should also focus on making sure that access to company information and systems, including non-centralized legacy systems, is revoked promptly and comprehensively. This also applies to employees taking long-term (e.g., maternity) leave or to those changing departments or job responsibilities.
Acceptable use and monitoring
Internal policies addressing requirements for the use of company equipment, devices and information assets must be in place. While policies must be straightforward and easy to follow, they also must meet data protection requirements regarding the monitoring of employee-held devices.
Local law requirements may significantly restrict or exclude the interception of employee communications or provide wide confidentiality protection to correspondence. An acceptable use policy restricting the ways in which company networks, systems and company devices may be used and setting uniform guidelines as to how those may be used is strongly recommended.
Organizations may significantly restrict the actual privacy expectations of employees by expressly excluding the private use of company assets. While the company may have a legitimate interest in monitoring the use of company assets and access to company information assets, this may conflict with the rights and freedoms of employees and third-party users. Advanced insider threat detection technology and similar measures to monitor user activity should be proportionate and gradual to avoid interference with employees’ and third-party users’ privacy. Real-time monitoring or recording of user activities may constitute a serious breach of privacy. For this reason, the organization may need to define carefully the cases and the sensitive jobs for which real-time monitoring or recording of activities may be proportionate. Data privacy notices to employees, contractors and third-party users must contain information regarding the company’s monitoring and surveillance practices and the means of effective enforcement of individual privacy rights.
Incident management processes
The GDPR requires companies to report a personal data breach to data protection authorities within 72 hours after becoming aware of it. If employees are not able to identify data breach events or are not aware of the relevant reporting channels, the company likely will be unable to show that it acted without undue delay after noticing a breach, making it unable to demonstrate compliance with its GDPR data breach reporting obligations.
Disciplinary processes and prosecution
Organizations must be able to show that their processes enforce the consequences of breaching privacy obligations. This means that a deliberate breach of personal data must be subject to disciplinary processes and further locally permitted legal measures.
In summary, the GDPR’s accountability requirement makes organizations responsible for their privacy-compliant operations and requires them to demonstrate the effectiveness of their relevant processes. Privacy-compliant operations will raise employee awareness of critical information and responsibilities, and documented and continually improved processes help companies to minimize their insider threat exposure. However, companies must be aware that they may face various challenges when trying to implement uniform processes across several jurisdictions, because the GDPR provides broad authorization to member states to regulate data processing in the context of employment.