6 Ways GCs Can Assess Insider Threat Risk

By Amy Mushahwar
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our Compliance newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!



Law360 (July 23, 2020, 4:15 PM EDT) --
Amy Mushahwar
Amy Mushahwar
It is an understatement to say that COVID-19 has changed our day-to-day work in the past quarter and will continue to do so for the foreseeable future. With increased general stress and economic uncertainty combined with more remote work, most companies were overwhelmed with maintaining day-to-day operations running and managing company cash flow.

As the COVID-19 crisis stretches from weeks to months and now possibly a year or more, how can general counsel evaluate if their enterprise employee monitoring will be effective during an extended pandemic?

We have provided some questions for general counsel to spark a conversation with their team members in information technology, security and compliance.

1. What is an insider threat? Specifically, what insider threats keep you up at night? Have your concerns changed after COVID-19?

An insider threat is a potential for an employee, contractor or another authorized company worker to exceed their scope of data authorization. The threat risk could result in data transfers of valuable customer information outside the company, sales of intellectual property or even data leakage to the press.

Your team members should be able to particularize what they are worried about for your company, and if not, they need to. They should also be able to point to security exceptions or other emergency items made for COVID-19 that should be evaluated and may change the company risk profile for an insider (or any other) threat.

Now that months have passed since the transition to work from home, ask for the company risk register or appropriate ticketing to ensure team members documented emergency actions and appropriately evaluated security risk.

2. Do we have an insider threat program? Is it implemented sufficiently?

For many companies, the answer is no. Understandably, the topic of insider threats may seem like an unlikely situation. Talent is the heart of most businesses, which makes the topic of insider threats often a difficult one to discuss.

Some companies lack an insider threat program — or have failed to implement company policy — because they believe there is a potential risk to employee morale. If this is your company, creating or implementing an insider threat program doesn't have to signal a loss of employee or contractor trust.

Insider threats are not limited to bad actors — any policy must contemplate malicious insiders, but not be limited to them. Especially now, when fear, anxiety and social isolation have plagued many of us, acute stress is beginning to stretch into an extended period.

There is a ripe environment for mistakes, poor judgment and miscommunication for any employee or contractor. Managing workplace stress, prioritizing mental health and educating on common workplace mistakes should be the heart of any insider threat program. All three of these items help positively support your team.

When discussing inside threats internally, human resources can soften the approach by reminding employees that an insider threat does not necessarily mean the next Edward Snowden[1] or Paige Thompson — the former Amazon Web Services engineer arrested for exploiting the vulnerability leading to the 2019 Capital One Financial Corp. data breach.[2] It could also be the business team member that mistakenly sends an unencrypted spreadsheet of personally identifiable information.

3. What data loss prevention processes do we have in place?

Data loss prevention processes attempt to limit unauthorized transfer, storage and usage of confidential company information. Companies invest in these types of programs with related technical solutions in an attempt to catch unauthorized data practices before they occur.

However, the supporting technology for data loss prevention is imperfect, based on keywords, algorithms or representative documents. That's why data loss prevention inspection requires an initial strategy on where to place the technology within the network and demands ongoing maintenance to support the program's tools.

All too often, companies fail to recognize both items. As a general counsel, how do you know if your team has implemented an effective program? Consider asking your team the following triage questions.

Where is data loss prevention deployed within the network?

Is it at multiple places like on the firewall, in email and on endpoints that may enhance its effectiveness? Are there any network or system blind spots that the program cannot see?

Do the data loss prevention solutions contemplate encrypted traffic?

The solutions cannot detect unauthorized data transfer or use if the underlying data is encrypted. Many solutions now offer the ability to do man-in-the-middle decryption of encrypted traffic to permit inspection.

May I see the summary dashboarding for data loss prevention tools?

Tools for these programs have management consoles; the legal team can shoulder surf technology staff and view the number of alerts popping up. Legal may inquire if alerts are resolved promptly and ask for related documentation.

Are we reviewing our data loss prevention permitted whitelists?

The tools can generate a significant number of false positives requiring research. However, those exceptions should be reviewed regularly.

Have our data loss prevention tools incorporating artificial intelligence and machine learning technologies been tuned?

If not, it could result in a lax whitelist — and more data leaving your environment than desired. It could also result in overly restrictive settings, potentially impeding needed business communications.

Check the checker. Periodically test and see if it is possible to exfiltrate data without triggering the data loss prevention tool. On the restrictive side, employees will let you know and staff appropriately to investigate employee work impediment concerns.

4. What protections are on our codebase and other critical company intellectual property?

Ask if your colleagues know what critical pieces of intellectual property and code are the company's lifeblood. With this understanding, ask where this information lies.

Often, developers may have full copies of code on company or personal workstations. They might even misuse code-vaulting products. There are many ways that company vaulting software is misused, but a few key questions are the following:

  • Are your employees aware of what items and code are critical intellectual property of the company?

  • Are there ways for development staff to copy company code without logging in? Sometimes this can occur when developers use a command prompt interface and not the vaulting graphical user interface.

  • If your company vaulting software has both public and private components, is anyone monitoring the public presence or the usernames of your developers?

5. What are our operational chokepoints that harm the company, if impaired?

Consider that data misuse is not the only concern for a company. A company insider is far more aware of the operational processes and systems that keep business running.

Insiders may know the systems and processes that can be shut down and cause the company considerable harm. Ask your colleagues if they are aware of what company systems and operational trigger points must be monitored more aggressively with staffing prioritization to ensure that alerts are addressed.

6. Have we considered physical threats to our environment?

Even with some staff working from home, physical security is still a concern. Physical security may be reviewed by security, IT, facilities or compliance. Sometimes, joint responsibility can lead to a lack of responsible ownership.

Identify who is responsible for noticing bulging bags, unauthorized memory sticks, missing hard drives, unauthorized visitors, video use and true physical safety concerns like an active shooter or other altercation. It can be helpful to develop a responsibility assignment matrix for each department's responsibilities to recognize responsibility gaps.

COVID-19 creates a unique opportunity for organizations to reexamine insider threats and address them for the new normal of remote work and beyond once work resumes to normal operations. We hope these questions help strike up the right internal conversations to evaluate your program.



Amy S. Mushahwar is a partner at Alston & Bird LLP.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] See https://www.bloomberg.com/news/articles/2014-01-09/pentagon-finds-snowden-took-1-7-million-files-rogers-says.

[2] See https://www.computerweekly.com/news/252467556/Former-AWS-engineer-arrested-for-Capital-One-data-breach.

For a reprint of this article, please contact reprints@law360.com.

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!