The Lawyer | 14 November 2016
Risk strategy
BRIEFING: Security
Unsurprisingly, Insider Threat is an unpalatable topic for most businesses, as the natural tendency is to assume that our colleagues do not wish to cause the organisation harm. While this may have been the case historically, digital innovation and the interconnected world expose tangible and intangible assets in a way never experienced before.
Numerous incidents of employees causing harm from within have been recorded, ranging from the theft of intellectual property, the compromise of trade secrets and the misappropriation of financial assets to technology sabotage and beyond. Some of these incidents have been deemed accidental, while others were intentional and attributed to full-time members of staff. In fact, the UK Centre for the Protection of National Infrastructure (CPNI) conducted research in 2013 and found that 88 per cent of Insider acts were carried out by permanent members of staff, citing the two most frequent types of Insider activity as unauthorised disclosure of sensitive information (47 per cent) and process corruption (42 per cent). Indeed, the EU Agency for Network and Information Security (ENISA) reported in August this year that the most expensive attacks are those orchestrated by an Insider, a finding consistent with the 2011 Detica report on the cost of cybercrime, which estimated the cost of intellectual property theft to UK business at £9.2bn per year. With meaningful, peer-reviewed data becoming available regarding the theft, compromise and loss of organisations' crown jewels, there is arguably a greater requirement than ever for business leaders to mitigate Insider Threat as part of their enterprise risk strategy, to secure their market reputation, protect their brand and remain competitive.
The cost
Protection of assets should not be cost-prohibitive. There is a balance to be struck between business enablement and business protection. Consideration of the threat posed to an enterprise's crown jewels starts with knowing what they are and who has access to them. Whether digital or physical, trade secrets are hugely valuable and must be protected from internal compromise, particularly as they have no dedicated protection in criminal law in many jurisdictions.
Insider Threat is not a technology problem; while systems may be used to compromise or steal, the risk is a business issue. To appreciate the available mitigation strategies, we need to consider how threat is calculated and how it relates to risk scoring methodology.
The severity of a threat is calculated from the relationship between an individual's intent to cause harm and their capability to do so. The challenge is one of control: once emails and documents leave the environment, the organisation no longer controls how they are used. Now consider an organisation with so many incidents of accidental behaviour that the nefarious actors cannot be picked out from the noise. This is where the relationship between threat and risk matters. When considering risk, practitioners take the threat score and weigh the likelihood that the threat will materialise against the harm that would be caused if it did. To conduct an objective assessment of the risk from an Insider act, an organisation needs a clear picture of its control environment; in essence, a maturity assessment of its controls landscape through an Insider Risk lens.
To establish whether your business is exposed, consider the following:
• Does senior leadership endorse and develop policies that address the risk of Insider Threat?
• Does your organisation leverage its information security and corporate security programmes to identify and understand critical assets?
• Are analytical platforms used to detect possible Insider Threats?
• Is screening of employees and vendors performed regularly, especially for personnel who have access to critical assets?
• Are there clearly defined consequence management processes, so that all incidents are handled to uniform standards?
• Is there a training curriculum to generate awareness of Insider Threats and the related risks?
Assessing an organisation's risk from an Insider act against its intellectual property and trade secrets will show which controls need to be deployed or reviewed. A risk-based approach will also ensure cost-effectiveness. Monitoring data flow in an automated and anonymised way, alongside robust security protocols, will minimise the likelihood of crown jewels being lost, ultimately protecting the organisation's pipeline and competitiveness while meeting regulatory and data privacy requirements.
EY
1 More London Place,
London SE1 2A
Tel: +44 (0)207 951 2000
E-mail: rfell@uk.ey.com
Web: www.ey.com
Understanding the Insider Threat to your organisation
In the digital age organisations must learn to protect their assets from theft, sabotage and compromise, even by their own employees
By Rowena Fell, director, fraud investigation & dispute services, EY