In its 2018 Cost of Insider Threats: Global Organizations report, the Ponemon Institute examines the frequency and costs of data breaches and security exploits caused by employees. The report defines insider threats as: "a careless or negligent employee or contractor, a criminal or malicious insider, or a credential thief."
The numbers paint an ugly picture. For example, the average cost of an incident involving a credential thief is almost $650,000. Further, even with an average cost of around $280,000, the frequency of incidents due to negligent employees and contractors places this category at the top of the list of most expensive breaches for organizations. More alarming, though, is that while these risks have been known for years, the frequency of all three types of insider threats continues to rise.
Internal audit departments that are not already engaged in this space need to catch up. Here are four basic areas to consider:
Least privilege refers to giving users only the access they need to perform their assigned duties. The principle of least privilege helps to mitigate two major risks. First, giving a user account less access limits the potential negative impact from any one account that is hacked. Second, it limits opportunities for errors because users can't access anything beyond their core job functions.
Do your organization's policies address least privilege? Are you examining user access as part of every audit? Is management able to override least privilege controls because executives occasionally get frustrated with not having access to everything at all times?
Password controls should be simple and straightforward. However, the average person resists investing even minimal brain power on his or her passwords. Once while meeting with a chief financial officer in his office, I noticed three notes stuck to the side of his monitor, each with the name of the system, his username, and his password. Consider the damage a malicious insider could inflict with his access.
Does your organization have a policy that sets sufficiently complex requirements for passwords? Do accounts get locked out after a few failed attempts? Are password changes required frequently enough? Do communications to all employees reinforce the importance of password control?
Social engineering relates to a combination of psychological, physiological, and technological techniques that prey upon human emotions to get victims to take some sort of action they otherwise would avoid. Most common are phishing emails where victims are tricked by an email convincing them to click on a link that will ultimately install malicious code (for more on social engineering, check out my earlier blog post on the topic and "Pulling Strings" in the August issue of Internal Auditor). According to Verizon's 2018 Data Breach Investigations Report, 22 percent of people will click on at least one phishing campaign each year. Of those, 4 percent will click on all such messages.
What type of training is being provided to your organization's employees regarding social engineering? Is your IT department sending out mock phishing campaigns to identify and ultimately retrain employees who click?
Patching, particularly installing security updates, is critical for mitigating known security weak spots. Unfortunately, many organizations lack a disciplined, timely approach for installing patches, which has resulted in numerous successful breaches and ransomware attacks.
What is your organization's policy on patching? How is it monitored and controlled?
These four tips just start to scratch the surface of internal audit's role in addressing cyber risks. You may be asking why I'm only covering these basics. Two reasons: First, in The IIA's 2018 North American Pulse of Internal Audit, only 48 percent of chief audit executives (CAEs) indicated that cybersecurity and privacy skills were essential to their department's ability to perform its responsibilities. Further, only 60 percent agreed that their team collectively possesses the knowledge and skills to perform in this area. Second, when asked how CAEs react to gaps in competencies on the internal audit plan, 28 percent said they are at least somewhat likely to exclude those areas from the audit plan altogether.
Ignoring these risks — or even kicking the can a little farther down the road — is a recipe for disaster. We've all seen the tremendous financial and reputational damage associated with data breaches and ransomware attacks. Whether through hiring, training, cosourcing, or outsourcing, internal audit departments need to upgrade their skills quickly to address these risks. In the meantime, take the opportunity to address this low-hanging fruit.
For guidance on insider threats, read The IIA's Global Technology Audit Guide Auditing Insider Threat Programs.
That's my point of view; I'd be happy to hear yours.