News reports of stolen or missing laptops containing highly sensitive information (see Secret Service Laptop containing Trump Tower evacuation and floor plans stolen and 5 laptops stolen from Alberta Health Services office in Edmonton) and of unsecured online access to customer databases (see Saks Fifth Avenue Exposed Personal Info On Tens Of Thousands Of Customers) are important reminders that effective cyber risk management requires an insider risk management program.
People are a major security risk. Studies consistently indicate that a majority of cybersecurity incidents originate from, or are facilitated by, a current or former insider (e.g. an executive, manager, employee or contract worker with authorized access to IT systems) of the organization or of its business partners.
Effective insider risk management requires a risk-based, multi-functional approach by an organization’s various departments and disciplines (including appropriate independent advisors and subject matter experts) to deter, prevent, detect and respond to cybersecurity incidents caused by insiders. Insider risk management requires an organization to: (1) carefully select, educate, train and disengage insiders; (2) establish and implement administrative, technological and physical security policies and practices to protect the IT systems (including portable devices and user-owned devices) and data of the organization and its relevant business partners; and (3) monitor and verify compliance.
The Common Sense Guide to Mitigating Insider Threats, published by The CERT Insider Threat Center, provides helpful guidance for insider risk management.
Legal advice is essential to address the legal challenges (including ensuring that risk management practices are legally effective and comply with applicable law) presented by insider risk management.