The SANS Institute has recently released a report highlighting the dangers of insider threats for global organisations. The report focuses on the lack of safeguards in place in these organisations to prevent insider attacks. The results of the SANS insider threat survey showed that whilst 40% of respondents said malicious insiders would cause the greatest damage to their business, 45% of respondents admitted they didn't know the scale of potential losses.
Insider attacks can be split into two categories: malicious insiders and unknowing insiders. Unknowing and accidental insiders are pawns for outside attackers, typically looking to steal confidential data belonging to the company. These attacks are difficult to track and can go unnoticed for months.
The report went on to explain that only 18% of respondents said they had formal incident-response plans that cover insider attacks, and 31% of respondents said they have no formal programme or preparations in place to deal with the threats posed by insiders.
Lily Davies says on behalf of the Fraud Defence Group:
This report once again highlights the lack of preparation in preventing, detecting and responding to insider attacks. It is becoming ever more important for organisations to undertake and implement a comprehensive risk assessment which carefully considers the risks which are unique to that organisation and business model. For example, medium- to large-sized organisations with several hundred employees that have access to the internet and which regularly communicate with external parties will have a different risk profile to a smaller company with fewer employees.
Whilst the risk can never be completely eradicated, careful preparation and effective training of staff are likely to have a huge impact on reducing the possibility of falling victim to an insider attack. In addition to this, ensuring that there are effective prevention, detection and reaction measures will also reduce the potential losses and maximise the chances of recovering those losses.
Martin Shobbrook, a Partner in Mishcon de Reya’s Fraud Defence Group says:
There needs to be a shift in thinking so that businesses no longer shy away from difficult and honest conversations about dealing with insider threats to their operations. Traditionally, companies have been reluctant to take legal action against those who cause the company loss for fear of adverse PR, particularly where it has arisen from the actions of a trusted and senior insider. However, the ever-increasing levels of threats, both from within and outside of the organisation, necessitate that firm action is taken against wrongdoers to send a clear message to the workforce that such action will not be tolerated. In my experience, this in turn will almost certainly discourage future wrongdoing against the company. The quicker a company responds to an attack, the better its chances of limiting and recovering the losses it may suffer.
It should not be forgotten that directors owe a duty to promote the success of the company and to act in the company’s best interests. Such duties include the obligation to carefully consider the advantages and disadvantages of pursuing wrongdoers and attempting to recover losses. Given the exponential rise in cyber-crime and the increased risk to business of attacks of an electronic nature, acting in the best interests of the company must surely now include making sure that the company has as robust a defence to cyber-attack as possible and a plan ready to be actioned in the event that the company becomes the victim of an attack.