The bad news is that most data breaches are caused by employees and other insiders (e.g., vendors), whether intentionally or inadvertently. For example, IBM Security found that insiders were responsible for 68 percent of all network attacks targeting health care data in 2016. Hackers regularly use email and social media to conduct social engineering attacks targeting unknowing employees. Not surprisingly, the highly publicized cyber threats are increasingly concerning corporate counsel. Recently, 74 percent of corporate counsel named data breaches as their top data-related legal risk. Another survey reports that 31 percent of general counsels identify cyber security as their top concern.

The good news is that many insider data breaches are preventable through a formalized, well-documented, and consistently applied insider threat program compliant with applicable law, including the screening, monitoring, and regular training of employees. Indeed, a comprehensive insider threat program is now a requirement for federal contractors pursuant to Executive Order 13587, which was issued in 2011 in response to the massive data leaks by Chelsea Manning. All employers should proactively address insider threats because a failure to institute best practices to prevent insider data breaches may result in significant financial loss, negative publicity, and expensive legal action should a breach occur.

Because insider threats can be divided into malicious and unintentional threat actors, the employer’s program must address both:

• A malicious insider is a current or former employee or a business partner who has or had authorized access to the organization’s network and intentionally exceeds or misuses that access in a manner that negatively affects the confidentiality, integrity, or availability of its information or information systems.
• An unintentional insider is someone who, through his or her action/inaction without malicious intent, causes harm or substantially increases the probability of future harm to the confidentiality, integrity, or availability of the information or information systems.

The employer’s first step is to conduct a vulnerability assessment to evaluate risks according to job position and to the most sensitive data. For example, employers routinely maintain sensitive PII on its workers (e.g., benefits information, medical leave requests, health insurance and tax information, Social Security numbers, and addresses). An employer should identify where PII, trade secrets, and other confidential business information are maintained on its systems, and the employees who have access to this critical data. Job positions that permit access to critical data or systems, or grant administrative or super user privileges, should be identified.

Once the vulnerability assessment is conducted, the employer’s program may be tailored to prevent, detect, and mitigate the identified risks by these employees and to the key data. The program should include personnel policies, such as pre-hire and periodic background checks and credit monitoring, employee training, access control and electronic monitoring of employee system use, strong passwords, acceptable use policies, and employer controls on the Internet of Things (“IoT”) in the workplace and Bring Your Own Devices To Work (“BYOD”). The risks of BYOD and the IoT (and resulting risks from wireless connectivity) should be addressed, including regulating the types of devices that can be worn or used in the workplace. The use of encryption for confidential data in transit and at rest, and training employees in the proper use of encryption technologies, is a critical component. 

Risks from disgruntled employees, or employees with a financial motive to participate in a data breach, should be documented and monitored using baselines and other objective measures. A deviation from normal baseline system activity or a high-risk event (e.g., demotion) should result in an objective trigger for increased scrutiny. For example, federal contractors are required to institute personnel-related measures to screen for 13 areas of risk, including personal conduct that involves “questionable judgment, untrustworthiness, unreliability, lack of candor, dishonesty or unwillingness to comply with rules and regulations”; financial considerations, including a history of not meeting financial obligations, overextending financially, or financial problems that are linked to gambling or drug abuse; illegal drug use; criminal conduct; security violations; outside activities that pose a conflict with an individual’s security responsibilities; and the misuse of technology systems.

Ongoing training is very important both in preventing breach and in defending against legal claims if a breach occurs. Training should occur regularly and address recent social engineering attacks (e.g., ransomware) so that employees know what to look out for. The importance of training is highlighted because one click by an employee on a link containing malware may quickly disseminate across the employer’s entire system. Preventing an event from occurring is critical, particularly because an intrusion may go undetected for months or even years.

Lastly, the program must anticipate the likelihood that a breach will occur and outline a response plan. Forensic artifacts can always be used to determine who, what, when, where, and why something occurred after a breach. The employer’s policies in place (e.g., consensual monitoring) should enable and facilitate any future forensic investigation and a quick response time.

In sum, cyber security is a shared organizational responsibility best addressed through an insider threat program.