How to deal with insider threats in a hybrid work environment?
When I saw a friend of mine crunching sensitive financial data from home, it took me back to the times when we were not even allowed to carry camera phones into ODCs (Offshore Development Centers)! Organizations that were averse to a work-from-home culture were forced to go 100% remote during the pandemic.
It has been a while since peak pandemic times, and employees have started returning to the office. The hybrid work culture seems to be the new normal. As per Microsoft research, hybrid work is inevitable: 66% of leaders say that their organizations are redesigning office space for hybrid work, 73% of employees want the flexible remote working model to continue, and 67% want the in-person working model.
Just because hybrid work culture is picking up, does it mean that the insider threat has disappeared? As per the IBM 2019 survey, 31.5% of the cybersecurity occurrences were from malicious insiders, and 23.5% were from non-malicious insiders.
A professional hacker might have all the tools and technical knowledge to harm your IT systems from the outside. However, an ill-intentioned insider, i.e. someone who has access to your IT systems, is even more harmful.
Insider threat is a serious security risk that must be mitigated with well-crafted security controls. Examples of insider threats include a disgruntled employee, a contractor, or an ex-employee who still has access to IT systems due to loopholes. These people may cause serious damage, such as leaking sensitive information to a competitor or using confidential information for illegal purposes, among many other ways of harming the organization. Even inadvertent acts by well-intentioned employees could cause serious financial and reputational damage to the organization. Thus, organizations need to take the insider threat very seriously.
In a hybrid work model, employees and contractors work from both office and remote locations. The office set-up is a controlled environment with the required monitoring enabled. Security policies are enforced rigorously and, in fact, employees tend to follow the policies implicitly too. However, human behaviour is influenced by our surroundings and our physical location. As per a social psychology article, people will change their behaviour to align with the social situation at hand. For example, an employee's behaviour in the office could be quite different from their behaviour in a non-office set-up.
Zero Trust: Don’t trust anyone, irrespective of whether the user is behind the office firewall or somewhere else. While Zero Trust is not a new concept, it has gained a lot of popularity since the COVID-19 pandemic. The remote work model during COVID, as well as the hybrid work model after the pandemic, have driven the rise of Zero Trust. In the Cloud Security Alliance’s (CSA) recent research study, Cloud Security and Technology Maturity Survey, 73% of organizations are planning and designing a zero-trust strategy. The strategy maturity varies across domains: network, data, identity, policy, applications, and user behaviour. While the network is the most mature domain, user behaviour is catching up quickly, especially due to the hybrid work model. Please refer to my article on Zero Trust to know more about this.
Centralized Identity & Access Management (IAM): It is important to get a grip on privileged and non-privileged access across the enterprise. This needs to cover all critical IT applications and infrastructure platforms. As per the IBM research, 48% of organizations considered lack of visibility into their infrastructure as the top gap in security, and 35% felt that they could not detect misuse by company insiders. Centralized IAM provides visibility into who has access to what across the enterprise. This becomes even more important in the hybrid working model. Please refer to my article on how to implement IAM for large enterprises for detailed information on this.
Smart monitoring: Although a remote work environment can’t be compared to an office set-up, organizations need to come up with intelligent ways of monitoring their employees. This is not about trust but about creating a secure yet flexible working environment. More importantly, organizations need to be transparent about the level of monitoring they perform, as opined in the Harvard Business Review (HBR) article. With the advent of artificial intelligence, machine learning and the cloud, there are limitless possibilities for designing intelligent solutions. Another aspect is that monitoring should interfere neither with the employee's privacy nor with the day-to-day job.
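To make the centralized IAM point above concrete, along with the earlier case of an ex-employee who still has access, here is an added example (not from the original article) that joins an HR roster with access grants exported from several systems. All names, systems, roles and the contractor review rule are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: hypothetical users, systems and roles.
HR_ROSTER = {
    "asha":  {"status": "active",     "type": "employee"},
    "bruno": {"status": "terminated", "type": "employee"},
    "chen":  {"status": "active",     "type": "contractor"},
}
GRANTS = [  # (system, account owner, role, privileged?)
    ("erp",           "asha",   "finance-analyst", False),
    ("erp",           "bruno",  "finance-analyst", False),
    ("cloud-console", "bruno",  "admin",           True),
    ("cloud-console", "chen",   "admin",           True),
    ("vpn",           "dmitri", "remote-user",     False),  # no HR record
]

def access_view(grants):
    """Who has access to what: user -> sorted list of (system, role)."""
    view = defaultdict(list)
    for system, user, role, _privileged in grants:
        view[user].append((system, role))
    return {user: sorted(items) for user, items in view.items()}

def review_findings(roster, grants):
    """Return sorted (user, system, role, reason) tuples that need review."""
    findings = []
    for system, user, role, privileged in grants:
        person = roster.get(user)
        if person is None:
            reason = "no HR record (orphaned account)"
        elif person["status"] != "active":
            reason = "access retained after " + person["status"]
        elif privileged and person["type"] != "employee":
            # Assumed review rule for this example, not a universal policy.
            reason = "privileged access held by " + person["type"]
        else:
            continue
        findings.append((user, system, role, reason))
    return sorted(findings)

if __name__ == "__main__":
    for user, entitlements in sorted(access_view(GRANTS).items()):
        print(user, entitlements)
    for finding in review_findings(HR_ROSTER, GRANTS):
        print("REVIEW:", *finding)
```

The same join only works when every system's grants land in one place, which is the visibility gap the IBM figures above describe.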
Cybersecurity is an enabling function. Security controls such as employee monitoring might make it seem that organizations don’t trust their people. Frisking at the airport makes air travel secure; if we take this as an embarrassment, we might lose our lives to deadly acts of hijackers. Organizations need to communicate with employees as to why they need to monitor and be transparent about it. As the threat landscape changes, security controls need to evolve and provide the right level of protection and confidence to organizations and employees. While physical ODCs might have partially hibernated for a while, organizations need to smartly adapt to new ways of hybrid working, before anything bad happens, without compromising security.