Despite the ever-growing number of reports of attacks on American corporate interests and of damage done by malicious or unwitting insiders, many organizations still don't believe the investment needed to protect themselves is necessary. Businesses of all types and sizes argue that a regularly updated firewall and a comprehensive virus-scanning program are sufficient, or that the company's size and assets don't warrant investment in analytic programs, on the premise that the firm isn't prosperous enough to interest hackers. Neither argument holds up. A firewall and antivirus are perimeter and endpoint controls; they do nothing to stop an employee or contractor who already has legitimate access, and small firms are routinely attacked as stepping stones into the networks of their larger partners. This thinking doesn't reflect the reality of the modern insider threat, or the nature and necessity of an Insider Threat Program (ITP).
Today’s malicious insider and hacking risk extends beyond intellectual property theft and fraud. The failure to defend yourself has effects beyond your company—consequences that extend to every one of your contacts. What if your company is used to access and attack a partner firm? Would your partners, clients and customers appreciate knowing that their information wasn’t protected to the highest security standard? What if one of your employees, or perhaps a contractor from another firm, is or becomes a malicious insider, determined to rob or sabotage the company? What would investors think? What if any one of your employees or a company official falls victim to a social engineering scheme or phishing/spear-phishing ploy? What might that do to your company’s reputation or staff morale? What would happen if your company’s data were held hostage in a ransomware crime? How would you react? How much would it cost you?
No company today can survive isolated from the outside world. Even organizations with state-of-the-art security programs are victimized by malicious insiders, or made vulnerable by naive or careless employees. It is no wonder that federal agencies handling classified information have been required since Executive Order 13587 (2011) to operate an ITP. Being prepared to counter an inside threat is now a matter of basic due diligence and risk mitigation.
According to a 2016 Zogby Associates survey, more than half of U.S. businesses reported being hacked during the previous year. According to the survey, “Of those businesses hacked in the previous 12 months, 72 percent spent over $5,000 to investigate each cyberattack, restore or replace software and hardware, and deal with other consequences.” More than half of the victimized companies spent anywhere from $50,000 to more than $250,000 to repair the damage. Verizon's 2017 Data Breach Investigations Report (DBIR) found that a quarter of all breaches involved internal actors. Just this last September, a former U.S. Army contractor was convicted of planting a “logic bomb” in the nationwide system that administered reservists' payroll. The sabotage, carried out with malicious code designed to destroy record data, was prompted by his company's loss of its contract with the Army. The cost to taxpayers to repair the system was $2.6 million. Note that nothing in that attack crossed a perimeter firewall: the code was inserted by someone who already had legitimate access to the system, which is precisely the case an ITP exists to address.
Every element of American society, including the government, the economy, private business and individuals, must consider the possibility of an inside threat: the risk that someone inside or closely associated with your organization will either turn against you, or will be compromised and thereby give an outside malicious actor access to you and your data.
Your company prepares for all manner of liabilities. This is another. You owe it to yourself, as well as your partners, to be as prepared as possible for internal hazards.