Insider Threats in the Time of COVID-19
April 29, 2020—For most organizations, business is anything but usual during the COVID-19 pandemic. Quarantining and closures have upended normal operations for nearly every organization and driven some out of business. Many workers still on the job have swapped their offices for living rooms. According to Randy Trzeciak, acting deputy director of risk and resilience in the SEI's CERT Division and director of the CERT National Insider Threat Center, this unprecedented operational climate has increased risk factors for insider incidents, but there are steps organizations can take to safeguard their critical assets.
Social distancing and other requirements to stem the spread of coronavirus have forced many organizations to transition from on-premises to remote operation. In a matter of days, organizations had to scramble to provision enough managed laptops, VPN licenses, and other IT infrastructure to support a distributed workforce. Trzeciak advises that technical security measures, such as perimeter defense and monitoring for the connection of personal devices to enterprise assets, are more important now than ever. "Sound IT principles are the foundation of all security," says Trzeciak, "and that would go a long way toward preventing insiders from causing harm as well."
Trzeciak says organizations should be extra vigilant against unintentional insider incidents. "Most organizations never experience a large-scale, malicious insider incident," says Trzeciak. "But many of them regularly experience some accidental or non-malicious incidents, most of which may be documented as a security incident or a policy violation. It’s up to the organization to prevent harm from the policy violations and the more significant insider incidents as well."
According to CERT research, distraction is the key ingredient in unintentional insider incidents. Distracted workers are more likely to make mistakes that can endanger an organization, such as failing to use their company's VPN or clicking on phishing links in email. For many office workers forced to work from home by social distancing requirements, distractions abound: children, shared working spaces, and all the routine needs of quarantining families.
"Remote work and personal challenges can be stressors," says Trzeciak. "Job uncertainty could definitely increase an individual's stress, which may lead to more accidental insider incidents, though it's very unlikely to significantly increase the number of malicious insider incidents."
The most likely tipping point for a predisposed employee to decide to do harm is a negative employment action: denial of a promotion, failure to receive a pay increase or bonus, a pay cut, censure, or termination. Unemployment is at a historic high in the United States, as companies tighten their belts, furlough or lay off workers, or close completely in the face of dwindling business. Even people who remain employed may have to cut back their hours to care for elderly relatives or newly home-bound children. “Those individuals who have a significant financial stress or need may decide to commit fraud against the organization,” says Trzeciak.
Research from the CERT National Insider Threat Center (NITC) indicates that fraud for financial gain is the most common type of insider incident, though insider incidents could also take the form of intellectual property (IP) theft, IT sabotage, and espionage. Trzeciak emphasizes that those with certain behavioral predispositions are more likely than others to act with intent to harm their employer.
Trzeciak reminds organizations to work with their general counsel and human resources departments to develop insider risk policies. He adds that there are things organizations can do to mitigate the risk of an insider incident during the COVID-19 pandemic:
- Where permissible, look for stress factors in employees’ lives, such as bankruptcy.
- Where possible, look for behavioral risk indicators, which usually precede the technical risk indicators.
- Use perimeter protection, such as filtering for malicious email.
- Train users to recognize phishing.
- Implement defense in depth, for example by blocking software installation without the IT department’s permission or blocking executables if employees do click on a phishing link.
- Monitor for data leaving the enterprise.
- Incentivize positive behaviors by enabling employees to own their careers, such as with training opportunities and professional development.
- Connect coworkers to each other.
The CERT Division of the SEI has many resources with more information on insider threat:
- Common Sense Guide to Mitigating Insider Threats, Sixth Edition, especially practices 5, 8, 9, 12, 13, 19, and 21.
- Unintentional Insider Threats: A Foundational Study
- The Critical Role of Positive Incentives for Reducing Insider Threats
- Navigating the Insider Threat Tool Landscape: Low-Cost Technical Solutions to Jump-Start an Insider Threat Program
- Analytic Approaches to Detect Insider Threats
- The Insider Threat Blog, especially "Maturing Your Insider Threat Program into an Insider Risk Management Program," "Anti-Phishing Training: Is It Working? Is It Worth It?," and "4 Technical Methods for Improving Phishing Defense"
See the collection at https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=638967.