A lot of practices are learning how to manage hackers or malware, but not many have a plan for insider threat management. This means there is no plan for attacks that come from within the company walls. Whether malicious or accidental, insider attacks can leave your practice feeling vulnerable and eager to prevent future incidents. If you read a recent blog by activtrak on 2019 insider threat stats, then you saw the potential damage that insider attacks can have on a company’s operations, brand and bottom line. While costly and disruptive to repair, many insider attacks can be prevented with an adequate plan. As we wrap up 2019, we can assess existing insider threat protocol and put together a 2020 plan to increase security, ensure employee training and prevent attacks. In the following sections, we’ve broken down some areas that should be on your 2020 insider threat program checklist.
Employee Workplace Behavior
There’s no one-size-fits-all plan to prevent insider attacks, and a practice’s program needs to be designed to match its unique vulnerabilities and risks. The first step is to evaluate the workplace and create a list of positions that pose the greatest risk, e.g. billing, medical records, front desk, etc. A good way to determine these positions is by their roles. Some might immediately come to mind due to their involvement with important data, like accountants, IT directors or executive leadership. But don’t skip over patient assistance members, developers, contractors or third-party vendors who might also pose a risk to data due to their lack of training or their ability to build their own backdoor access.
Once you’ve built this list of at-risk roles, start surveying the employees to better understand what activities they carry out in their position that may put your data at risk and how their attitude (disgruntled, negligent, etc.) may be a red flag. Even well-meaning employees can cause data incidents due to accidental misuse of USB drives, cloud networks or email. Plan for periodic check-ins in 2020 to monitor employee behavior and respond quickly with corrective training.
A critical aspect of insider threat prevention is just knowing who has access to data. Using your list of at-risk roles, start mapping out what information and data your employees touch. Consider company financial data, customer information, credit card details, big announcements, etc. Think about what each role uses in their daily activities and what data they’re regularly asked to share.
The sharing is where problems typically arise, because employees could inadvertently upload data to public clouds, send unprotected links via Slack or email sensitive information. Although well-meaning, these data-sharing activities are risky. For example, a third-party sales vendor might want easy access to a list of previous patients and their drug information, so they upload customer info to Google Drive only to later realize that what they uploaded included credit card information and was added to a public folder. Prevent these kinds of incidents in 2020 by using your data-access map to limit any data access that isn’t crucial to an employee’s position.
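The data-access map described above can be written down as a role-to-dataset table and then used for a periodic least-privilege review: every grant that a role does not need is flagged, together with the sensitive categories it exposes. The script below is an added example and is not code from the original post or from ActivTrak; the roles, datasets, users and grants in it are constructed sample values, not a real practice’s inventory. It also handles the vendor scenario from the paragraph (a sales vendor holding a share grant on billing data that contains payment card details) and a user whose role is missing from the map entirely.

```python
"""Role-based data-access map with a least-privilege review.

Added example, not from the original post. All roles, datasets, users
and grants are constructed sample values.
"""
from dataclasses import dataclass

# Constructed catalogue of data the practice handles. Each dataset lists
# the sensitive categories it contains so a reviewer can see why an
# unneeded grant matters (PHI, payment card data, company financials).
DATASETS = {
    "patient_records": {"phi"},
    "billing": {"phi", "payment_card"},
    "financials": {"company_financial"},
    "marketing_list": set(),
}

# The data-access map: for each at-risk role, the datasets and actions
# (read / write / share) the role needs for daily work. Anything not
# listed here is by definition not crucial to the position.
ROLE_NEEDS = {
    "front_desk": {"patient_records": {"read"}},
    "billing": {"patient_records": {"read"}, "billing": {"read", "write"}},
    "accountant": {"billing": {"read"}, "financials": {"read", "write"}},
    "sales_vendor": {"marketing_list": {"read"}},
}


@dataclass(frozen=True)
class Grant:
    """One entitlement as actually configured in a system (constructed)."""
    user: str
    role: str
    dataset: str
    action: str


def is_permitted(role, dataset, action):
    """True only if the data-access map says this role needs this action.
    Unknown roles and unknown datasets are denied (default deny)."""
    return action in ROLE_NEEDS.get(role, {}).get(dataset, set())


def review_grants(grants):
    """Return every grant that exceeds the role's documented need."""
    return [g for g in grants if not is_permitted(g.role, g.dataset, g.action)]


def exposure_report(grants):
    """For each excess grant, list the sensitive categories it exposes.
    Returns (user, dataset, action, sorted categories) tuples."""
    report = []
    for g in review_grants(grants):
        categories = sorted(DATASETS.get(g.dataset, set()))
        report.append((g.user, g.dataset, g.action, categories))
    return report


# Constructed sample of grants pulled from a file share / EHR / cloud drive.
SAMPLE_GRANTS = [
    Grant("alice", "front_desk", "patient_records", "read"),    # needed
    Grant("bob", "billing", "billing", "write"),                 # needed
    Grant("carol", "accountant", "billing", "write"),            # accountant only needs read
    Grant("vendor_co", "sales_vendor", "billing", "share"),      # the vendor scenario
    Grant("dave", "developer", "patient_records", "read"),       # role not in the map at all
]

if __name__ == "__main__":
    for user, dataset, action, categories in exposure_report(SAMPLE_GRANTS):
        print(f"REVIEW {user}: {action} on {dataset} exposes {', '.join(categories) or 'nothing sensitive'}")
```

Running the script against the constructed grants flags carol (write where only read is needed), vendor_co (share on billing, which exposes PHI and payment card data) and dave (a developer, a role the map never documented, which is exactly the kind of role the checklist says not to skip). The map is deliberately default-deny: a role or dataset that is not written down is treated as unneeded rather than silently allowed, so an incomplete map produces review findings instead of blind spots.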
Just leaving a laptop open and unlocked for a quick lunch break could pose a security risk for your data. But if a practice hasn’t trained an employee on HIPAA or the safe use of workplace assets, how were they supposed to know any better? Organizations need internet and computer usage policies to provide guidelines for employees about proper use and to make them aware of their risky behavior.
Your practice’s 2020 internet usage policy could include the requirement for employees to access company resources over a virtual private network to prevent spyware. Website blocking software might also be part of your internet usage plan to ensure that no valuable data is accidentally shared.
Computer policy might include requiring employees to use multifactor authentication to log in to computers and to set the authentication to time out after a period of inactivity. You might also install software on employee computers to auto-update antivirus software or to make USB ports inactive. Or perhaps your 2020 computer policy will restrict employees from bringing company computers home or using them on public Wi-Fi networks.
Whatever you include in your 2020 internet and computer usage policies, make sure to have an equally robust training schedule and enforcement plan. Round up your whole team and provide background as to why insider threats are a risk and then go through your policies from top to bottom. And keep in mind that one training session might not be enough, so schedule periodic policy checkups to ensure that you’re all on the same page when it comes to insider threat prevention.
Threat Detection Tools
Due to the rapid pace of changing technology, your existing arsenal of insider threat detection tools might not be adequate. In planning for 2020, build in some flexibility for implementing software that’s different from what you currently use. For example, Data Loss Prevention (DLP) software has been the go-to for insider threat management, but it could be ready for replacement. With the growing popularity of remote work, the appearance of cloud-based platforms, and bring-your-own-device programs, DLPs are no longer sustainable solutions due to their inability to provide user behavior insight.
As the risk of insider threats increases with new technologies and ever-changing work environments, prevention and detection are critical for practice security. Analyzing your organization’s current security protocols, workplace behavior and existing software solutions will help you detect vulnerabilities and risks. In developing your 2020 insider threat plan, take a thorough look at how your company operates and build in flexibility such that your plan can adapt and change.