When the world shifted to a distributed workforce more than two years ago, businesses were forced to quickly implement technology to replicate in-person communication and minimize productivity loss, often prioritizing it above security. As businesses consider what the workplace will look like moving forward, the growing risk of insider threats necessitate a robust security and compliance plan.
According to IBM, the cumulative cost of insider threats is nearly $11.5 million, with the majority of incidences stemming from negligence. Insider threats are now widely regarded as a common risk to business security, especially with a growing distributed workforce reliant on modern communication tools. While technology has become more sophisticated to accommodate work-from-anywhere environments, these new ways of sharing information have complicated legacy security and compliance procedures. In the absence of proper training and the implementation of security solutions, employees run the risk of becoming an insider threat.
Here are three ways to protect organizations from insider threats in today’s evolving workplace landscape.
1. Defining the threat vectors
The first step to tackle an insider threat is identifying possible sources. Some of the most obvious sources of insider threats are external attacks by malicious users or softer threats where employees are persuaded to overshare data or passively expose their systems. But as businesses continue to operate in a distributed workforce model, a new category is emerging where employees that are frequently using collaboration tools may be unwittingly sharing information with internal teams or external clients that fall outside of security and compliance standards set by their employer or broad regulatory bodies.
For example, when surveyed for Theta Lake’s Modern Communications Survey Report, 93% of respondents have files and/or links shared with them via chat at least a few times a week. More than half receive files and/or links a few times a day. Given the risks of receiving potentially malicious links in chat, it’s an area of huge risk for companies that do not have effective monitoring and reviews in place.
In the absence of traditional in-person meetings, people are connecting via collaboration tools where they may not be as mindful of security protocols due to the nature of these platforms. For example, a salesperson may be on an external call and mistakenly share the wrong screen with sensitive client information, or send a message with confidential data to the wrong person. Additionally, if a virtual meeting room does not have a password or waiting room, anonymous users might be able to sit in and monitor the call. Of course, intentional circumvention of organizational security rules about data sharing is a significant risk. When asked in the report, organizations indicated that employees circumventing email to share confidential information is the highest concern for most enterprises, with 63% of respondents indicating as such.
2. Understanding the risks of unified communications
While traditional monitoring tools are able to scan email and other written communication, video platforms do not have a built-in mechanism to monitor what is happening or what is being said, so virtual meetings present inherent risks. Programs that capture the text of the recording, such as a transcription service, are unreliable, and even still only cover a portion of what can be communicated during a meeting. Instant screen sharing capabilities or content uploads into the platform can expose desktops or documents containing risky or private content such as personal identifiable information (PII).
Furthermore, despite many companies disabling recording capabilities, attendees can still use non-native tools to capture the content. Thus, conversations thought to be proprietary can endure via recordings using standalone tools out of camera view or built-in app functionality. This lack of visibility into how video meeting content is used means that meetings can be shared to an unlimited audience beyond those who attended the live portion, leading to potential data leakage.
3. Identifying what’s at stake
Insider threats are more dangerous when businesses are not closely monitoring the various forms of communication taking place over collaboration tools, leaving more opportunities for employees to unintentionally share information via these channels. This can result in a number of consequences, such as:
- Reputational loss from undesirable policy-breaking behaviors where an employee may say something inappropriate (racism, sexism, hate speech) in a meeting chat that then makes its way to the public realm.
- User information leaks can expose sensitive information and lead to the termination of a user’s relationship with a business.
- Loss of intellectual property from a breached boundary on a Zoom call or other platforms that may be unprotected, with valuable information or projects that can impact a company’s bottom line.
In order to ensure protection against insider threats, it’s essential to incorporate security awareness and proper policy monitoring into organizations’ technology and security strategies.
To better rectify these security issues, businesses must consider how best to implement data loss prevention, surveillance and security controls in the virtual, distributed workplace. This is not in conflict with enabling digital collaboration strategies, but rather to make these tools more trustworthy so organizations can reap the full benefits. With proper monitoring of changes in security and compliance protocols, as well as ensuring systems are updated to be compliant, businesses can remain productive and secure with distributed workforces. In fact, some collaboration tools already provide integrated features to leverage, such as Zoom’s built-in API that allows businesses to review hundreds of settings, determine which ones are riskiest and direct people to make updates.
Moving forward, as businesses assess their security and compliance solutions, they should consider how future investments in these areas should be complementary to their existing structure and not siloed as they often are today. Organizational structures will continue to transform and become more distributed, creating persistent concerns, but ongoing vigilance with evolving security and compliance frameworks is the first line of defense in protecting an organization.