Canadian Underwriter

Risk management strategies must address “insider threats”: report


May 21, 2013   by Canadian Underwriter



While nearly two-thirds of Canadian organizations included in a recent survey say they’re prepared to handle “insider threats,” only about one in seven have a specific internal definition of what those threats could be, according to a report from the Conference Board of Canada.

Risk strategy

An insider threat is “any person who has the potential to harm an organization for which they have inside knowledge or access,” according to the report, Preventing, Mitigating, and Managing Insider Threats.

That person could have a negative impact on an organization’s reputation, financial results, business continuity and other aspects of the business, the Conference Board suggests, adding that addressing insider threats should be included in organizations’ overall risk management strategies.

Still, only 14% of organizations surveyed have a specific working definition of insider threat, according to the report, which included survey responses from executives at 115 organizations.

Further, only about 19% said they have employee training on managing internal threats, according to the Conference Board.

Despite the lack of a clear definition, 65% of organizations included in the survey still said they could handle most insider threats, the report notes.

Privacy and information breaches were seen as the most significant threats (by 94% of respondents), followed by workplace violence (67%); fraud (58%); and theft/loss/damage (53%), according to the report.

“Malicious actions or unintended mistakes on the part of employees, contractors, and other insiders will always represent potential threats to organizations,” Satyamoorthy Kabilan, director of the Conference Board’s National Security and Strategic Foresight team, noted in a statement.

“Managing insider threats begins with understanding the common characteristics of people who could represent a threat,” he said. “The key to prevention lies in determining whether the desire for validation is so strong that individuals will resort to inappropriate acts if they believe that they are not receiving the recognition or entitlement they expect.”

The Conference Board offers these steps for organizations looking to manage insider threats:

  • Determine their risk tolerance for loss, damage, or disruption;
  • Determine how the “insider threat” is defined across different internal management areas and departments;
  • Change their focus from responding to insider threat incidents to preventing insider threat incidents;
  • Provide employees with regular training on insider threats;
  • Place more emphasis on identifying insider threat behaviours;
  • Encourage ongoing communication between the organization and its employees;
  • Develop clear policies around employee surveillance strategies;
  • Clearly articulate roles and responsibilities for identifying and managing insider threats across the organization;
  • Conduct more interdepartmental outreach to capture the insights of managers from different disciplines on responding to insider threat issues;
  • Require interdepartmental insider threat teams to establish formal meeting times, practices, and procedures.

The full report is available for purchase on the Conference Board of Canada website.

