Don’t forget the insider threat to your data security
The latest threat report by the National Cybersecurity Centre (NCSC) has reminded us of the need to remember the insider threat to data security. Insiders (member of staff, contractors, NEDs, Trustees) can pose a threat either through accidental or malicious acts which can lead to data loss or theft. Obviously where that data relates to personal data then any such losses would put an organisation in breach of GDPR requirements. But equally at risk is confidential organisation data such as intellectual property, pricing, development plans, or contractual information. All such losses could therefore have significant impact on the organisation concerned. A good to start for any organisation keen on safeguaring their data would be to read the NCSC’s 10 Steps to Cybr Security. In addition to reminding of the need to undertake a proper risk assessment (which should be done for all risks), the key advice of particular relevance to managing insider threats are:
Managing user privileges
Unnecessary system privileges or data access rights should be removed from individuals role profiles as these can increase the risk that a rogue individual could misuse that access. This also would limit the damage from compromised accounts i.e. accounts that have been hijacked by another person. Elevated system privileges such as admin roles and super users should be granted by exception, carefully controlled and managed.
Monitoring
Monitor usage to ensure that systems are being used in accordance with organisational policies.
Removable media controls
The ability to copy data to removable media such as USB memory sticks, memory cards and even mobile phones can provide an easy route for someone to deliberately export sensitive data. Have a clear policy around use of removable media and consider disabling the ability to copy to such media.
Home and mobile working
Establish risk based policies and procedures to support mobile working or remote access to systems. Users should be trained on how to securely use mobile devices in non-secure environments, particularly when using public wi-fi in hotels and restaurants. Users should use their mobile hotspot facility or consider a virtual private network (VPN).
User education and awareness
Support technical solutions with awareness programmes and training and seek to establish a security-conscious culture.
A campaign run by the Financial Fraud Action (UK) Ltd (FFA) and its ‘Take 5’ campaign which was initially aimed at the banking and payments industry. The campaign is backed by City of London Police and CIFAS. Take Five is a national awareness campaign led by FFA UK (part of UK Finance), backed by Her Majesty’s Government and delivered with and through a range of partners in the UK payments industry, financial services firms, law enforcement agencies, telecommunication providers, commercial, public and third sector, urges you to stop and consider whether the situation is genuine – to stop and think if what you’re being told really makes sense. There are a number of resources available through its website and organisations can use these to help raise awareness and remind staff to pause and think before they click!
Our quick tip (first published 2 years ago but still relevant!) is to encourage staff to download one of the template email signatures and add it to their email signature. That way every time they send an email it will be a reminder to the recipient (and themselves) to always ‘take 5’.
A further campaign asks people to ‘Tell 2 over a brew’. This initiative encourages people to talk to each other about any fraud risks including cybercrime.
Our previous blog posts have also covered aspects of managing cyber risks;
- the first two regarding having an effective response plan in place; ‘Would Your IS Helpdesk Recognise a Cyber Attack?’ and ‘Tip 9 – Planning your response to fraud‘
- the third relating to the people element of the risk; ‘Cybercrime – it’s a human problem!‘ identifying that although this is a risk it can also be a key part of the solution!
These risks should be managed as part of a comprehensive Fraud Management Framework. Taking an holistic approach across the organisation and combining proactive and reactive work is the key to successful counter fraud work and is at the heart of our resource centre.
- If you would like to know more about our resource centre then please check out our video and information here.
- If you would like to find out more about our holistic approach to fraud risk management then please check out our video here.
- We have also developed an organisational self assessment toolkit which enables you to self assess against each element of the counter fraud framework as well as the Charity Commission 10 questions on fraud. This toolkit has been developed specifically to accompany the guidance and resources contained on this website. It can also be used as an audit tool to assess your organisation’s capability against defined standards taken from best practice across public, private and not-for-profit sectors.