Chat with Experta

User
How to protect against insider threats?
Experta
To protect from insider threats, a company should perform risk assessment and treatment to find out what exactly the risks are, and to determine the best controls to mitigate those risks.

Here are a few examples of the most common ISO 27001 Annex A controls used to mitigate the risk of insider threats:
- A.5.15 Access control — Access to sensitive data can be approved on a need-to-know basis only. This way you decrease the number of people that can do harm but also decrease the damage if someone’s identity is stolen.
- A.8.2 Privileged access rights — The access privileges must be regularly reviewed – very often quite a few employees have access to information they don’t really need.
- A.5.18 Access rights — The accounts and access rights of former employees must be removed – sometimes there are open accounts a few years after an employee has left the company.
- A.8.5 Secure authentication — Strong password policy or some other authentication method should be enforced to disable identity theft.
- A.5.3 Segregation of duties — You probably wouldn’t allow a single person to authorize large payments – the same goes for any other sensitive system.
- A.8.13 Information backup — Of course, backup should be regularly performed; but also access to backup information cannot be allowed to employees who can harm your production systems the most.
- A.5.1 Policies for information security, A.5.2 Information security roles and responsibilities, and A.5.37 Documented operating procedures — You cannot expect your employees to observe the security rules if they don’t know what the rules are.
- A.6.3 Information security awareness, education and training — All of your employees need to know why it is necessary to protect sensitive data, as well as how to do it; for certain jobs (like monitoring logs) you may need to send your employees to special training.

Of course, there are other controls that are more technically oriented, like A.8.22 Segregation of networks, A.8.8 Management of technical vulnerabilities, A.8.7 Protection against malware, A.8.20 Networks security, etc.

Examples:
A worker prepared a marketing email, listing numerous recipients in the To: address field. If the message had been sent, that would have disclosed all the recipients' email addresses to each recipient - potentially an embarrassing privacy violation. Luckily, a manager who routinely reviews such messages before authorizing them to be sent spotted the mistake and transferred the recipients' addresses to the Bcc: field.