Carnegie Mellon University
Software Engineering Institute
Insider Threats in the Time of COVID-19
For most organizations, business is anything but usual during the COVID-19
pandemic. Quarantining and closures have upended normal operations for nearly
every organization and driven some out of business. Many workers still on the
job have swapped their offices for living rooms. According to
Randy Trzeciak, acting deputy director of risk
and resilience in the SEI's CERT Division and director of the CERT National
Insider Threat Center, this unprecedented operational climate has increased risk
factors for insider incidents, but there are steps organizations can take to
safeguard their critical assets.
Social distancing and other requirements to stem the spread of coronavirus have
forced many organizations to transition from on-premises to remote operation. In
a matter of days, organizations had to scramble to provision enough managed
laptops, VPN licenses, and other IT infrastructure to support a distributed
workforce. Trzeciak advises that technical security measures, such as perimeter
defense and monitoring for the connection of personal devices to enterprise
assets, are more important now than ever. "Sound IT principles are the
foundation of all security," says Trzeciak, "and that would go a long way toward
preventing insiders from causing harm as well."
Trzeciak says organizations should be extra vigilant against
unintentional insider incidents. "Most
organizations never experience a large-scale, malicious insider incident," says
Trzeciak. "But many of them regularly experience some accidental or
non-malicious incidents, most of which may be documented as a security incident
or a policy violation. It’s up to the organization to prevent harm from the
policy violations and the more significant insider incidents as well."
According to
CERT research, distraction is the key
ingredient in unintentional insider incidents. Distracted workers are more
likely to make mistakes that can endanger an organization, such as failing to
use their company's VPN or clicking on phishing links in email. For many office
workers forced to work from home by social distancing requirements, distractions
abound: children, shared working spaces, and all the routine needs of
quarantining families.
"Remote work and personal challenges can be stressors," says Trzeciak. "Job
uncertainty could definitely increase an individual's stress, which may lead to
more accidental insider incidents, though it's very unlikely to significantly
increase the number of malicious insider incidents."
The most likely tipping point for a predisposed employee to decide to do harm is
a negative employment action: denial of a promotion, failure to receive a pay
increase or bonus, a pay cut, censure, or termination.
Unemployment is at a historic high in the
United States, as companies tighten their belts, furlough or lay off workers, or
close completely in the face of dwindling business. Even people who remain
employed may have to cut back their hours to care for elderly relatives or newly
home-bound children. “Those individuals who have a significant financial stress
or need may decide to commit fraud against the organization,” says Trzeciak.
NITC research indicates that
fraud for financial gain is the most common
type of insider incident, though it could also take the form of intellectual
property (IP) theft, IT sabotage, and espionage. Trzeciak emphasizes that those
with certain behavioral predispositions are more likely than others to act with
intent to harm their employer.
Trzeciak reminds organizations to work with their general counsel and human
resources departments to develop insider risk policies, but adds that there are
things organizations can do to mitigate the risk of an insider incident during
the COVID-19 pandemic:
• Where permissible, look for stress factors in employees’ lives, such as bankruptcy.
• Where possible, look for behavioral risk indicators, which usually precede the technical risk indicators.
• Use perimeter protection, such as filtering for malicious email.
• Train users to recognize phishing.
• Implement defense in depth, for example, to block software installation without the IT department’s permission or block executables if employees do click on a phishing link.
• Monitor for data leaving the enterprise.
• Incentivize positive behaviors by enabling employees to own their careers, such as with training opportunities and professional development.
• Connect coworkers to each other.
The CERT Division of the SEI has many resources with more information on
insider threat:
• Common Sense Guide to Mitigating Insider Threats, Sixth Edition, especially practices 5, 8, 9, 12, 13, 19, and 21.
• Unintentional Insider Threats: A Foundational Study
• The Critical Role of Positive Incentives for Reducing Insider Threats
• Navigating the Insider Threat Tool Landscape: Low-Cost Technical Solutions to Jump-Start an Insider Threat Program
• Analytic Approaches to Detect Insider Threats
• The Insider Threat Blog, especially "Maturing Your Insider Threat Program into an Insider Risk Management Program," "Anti-Phishing Training: Is It Working? Is It Worth It?," and "4 Technical Methods for Improving Phishing Defense"
See the collection at
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=638967.
sei.cmu.edu