All companies are at risk from insider threats, but those with weak security controls stand to suffer a much greater loss. Research has shown that the annualized cost of insider-caused data breaches is $3.81 million, and that a single incident can cost upwards of $8.5 million. As we've discussed previously, the construction industry has a unique risk profile: third-party software vulnerabilities, attacks on building information modeling (BIM) programs, and a history of lax or even nonexistent cybersecurity procedures. Together, those factors have made construction the third most targeted industry for cyber attacks.
What Is an Insider Threat?
First, let's lay out what exactly an insider threat is; then we'll provide some steps you can take to substantially improve your cybersecurity posture and help prevent insider threats in your construction company. Many executives and senior managers think only of the disgruntled employee as the potential insider threat, and because most upper management has a positive view of their employees and company culture, they understandably conclude that the risk of insider threats is low. Unfortunately, insiders can pose a threat in a much wider variety of ways than that narrow view allows. Here are the three main types of insider threat.
Negligent Insider Threat
The threat posed by negligent insiders is the most common and also the most overlooked. It runs the gamut from a mistyped email address that sends sensitive information or intellectual property to an unintended recipient, to improper handling of login credentials, to falling victim to a social engineering scam. We can all see how those actions can lead to data breaches or be used by cybercriminals for financial gain, but none of them can occur without an action by an insider, even when that action is accidental.
Compromised Insider Threat
The compromised insider can also stem from a social engineering scam that results in the loss of login credentials, but the defining feature of a compromised insider threat is that an outside attacker is operating a legitimate, existing account that has access to your systems. This can happen in a variety of ways, but the most common are lost or stolen devices without password protection or disk encryption, and the social engineering scams we just mentioned.
Pharming, which redirects users to a cloned website built to mimic the legitimate login page, is one of the more successful scams focused on harvesting credentials. Another extremely common route is the breach of a third-party vendor, which hands the attacker access to your systems with every permission you have granted to that vendor.
Malicious Insider Threat
Here it is. This is the category that most often comes to mind when you think of insider threats. While it is the least common, the malicious insider threat is without a doubt the most devastating in terms of impact, financial and otherwise. Whether the malicious insider is acting for financial gain or out of a desire to damage the company's standing, reputation, or ability to keep operating, the fact is that they know better than anyone else how to cause that damage or reap their intended rewards.
Bad actors can appear in even the most security-conscious enterprise. That's why you need systems for detecting and responding to suspicious activity in addition to your suite of preventative measures. The best way to prevent insider threats in construction is to plan as though they are inevitable.
Insider Threat Prevention Best Practices
Build a Positive Culture
Strong connections among your personnel build a more resilient and connected workforce, with the added benefit of many sets of eyes and ears alert to suspicious behavior. For example, if an employee begins keeping strange hours at work, complains about financial difficulties, and shows a notable decline in work performance, that combination can indicate potential danger. It doesn't mean they are necessarily an insider threat, but it is a good time for management to check in, offer support, or remind them of an employee assistance program.
A tight-knit staff committed to company goals is also less likely to tolerate aberrant behavior that puts the enterprise at risk. This will not prevent every malicious insider, but a strong, positive culture both decreases the likelihood that a disgruntled employee develops and increases your chance of detecting and responding to a data breach successfully.
Embrace Zero Trust Policies
We'll get to access control shortly, but zero-trust policies are critical to limiting a whole host of cybersecurity threats. By designing your defensive procedures around zero-trust principles from the start, you stand a better chance of creating a cohesive, interconnected process instead of bolting on add-on systems after the fact. "Never trust, always verify" should apply to all of your systems, not just those housing sensitive data: every request is authenticated and authorized on its own merits, regardless of which network or device it comes from.
Take Access Control Seriously
Access control is a broad topic, and there are several important areas that you want to make sure you are covering in order to prevent insider threats in the construction industry.
- Network segmentation: Secure different areas of your network independently. Do not allow a single login checkpoint to grant unfettered access to your entire network. Each segment should have its own firewall rules and security settings, so that a compromised account or device in one segment cannot move freely into the others.
- Principle of least access (least privilege): When creating permissions, every staff member's access should be limited to the data they need to accomplish their own tasks. This includes senior management and executives; no one should have blanket access to all sensitive information.
- Role-based access: Your IT staff should establish a fixed set of roles, each with a preset level of access determined by the principle of least access. This speeds up onboarding as well as promotions, demotions, and lateral moves within your organization, and it helps eliminate mistakes in those processes. When someone changes role, the old role's permissions are removed rather than accumulated.
- Password management: Enforce strong password policies at every login, screen new passwords against known-breached lists, and provide or encourage the use of a password manager or password vault. Rotate passwords whenever there is any indication of compromise; current NIST guidance (SP 800-63B) advises against forcing periodic changes on a fixed schedule, which tends to produce weaker, predictable passwords.
- Multifactor authentication: This is a must, especially for combating the risk of a compromised insider. MFA means that a stolen or phished password alone is not enough to gain access, so a credential is far more likely to be used only by the person it was issued to. Prefer phishing-resistant factors (hardware security keys or platform authenticators) over SMS codes where you can.
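Putting the least-access and role-based items together, here is an added example (not code from the original page or from Venture Lynk) of a deny-by-default role policy in Python. The roles, resources and user names are constructed for illustration, and the `find_overbroad_roles` lint and the permission limit it uses are assumptions about how such a policy might be reviewed, not a standard.

```python
"""Deny-by-default role-based access control with a least-privilege lint.

Added example, not code from the original page or from Venture Lynk. The
roles, resources and users are constructed for illustration; the
overbroad-role lint and its limit are assumptions, not a standard.
"""
from dataclasses import dataclass, field

# A permission is a (resource, action) pair; resources are named by the data they hold.
Permission = tuple[str, str]

# Roles are defined centrally with a fixed, minimal permission set (least access).
# Note the executive role: it sees summaries, not raw payroll, and cannot edit BIM models.
ROLES: dict[str, set[Permission]] = {
    "site_engineer": {("bim_models", "read"), ("bim_models", "write"), ("daily_reports", "write")},
    "estimator":     {("bids", "read"), ("bids", "write"), ("bim_models", "read")},
    "payroll_clerk": {("payroll", "read"), ("payroll", "write")},
    "executive":     {("bids", "read"), ("financial_summary", "read")},
    "it_admin":      {("user_accounts", "read"), ("user_accounts", "write")},
}


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)


def effective_permissions(user: User) -> set[Permission]:
    """Union of the permissions of every role assigned to the user; unknown roles grant nothing."""
    perms: set[Permission] = set()
    for role in user.roles:
        perms |= ROLES.get(role, set())
    return perms


def is_allowed(user: User, resource: str, action: str) -> bool:
    """Deny by default: only an explicit grant from an assigned role permits the action."""
    return (resource, action) in effective_permissions(user)


def change_role(user: User, old: str, new: str) -> None:
    """Promotion or lateral move: swap the role so old permissions are not accumulated."""
    user.roles.discard(old)
    user.roles.add(new)


def find_overbroad_roles(roles: dict[str, set[Permission]] = ROLES, max_perms: int = 6) -> list[str]:
    """Lint for policy review: flag roles with a wildcard grant or an unusually large permission set."""
    flagged = []
    for name, perms in roles.items():
        has_wildcard = any("*" in (resource, action) for resource, action in perms)
        if has_wildcard or len(perms) > max_perms:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    alice = User("alice", {"site_engineer"})
    ceo = User("ceo", {"executive"})
    print("alice writes BIM model:", is_allowed(alice, "bim_models", "write"))   # True
    print("alice reads payroll:", is_allowed(alice, "payroll", "read"))          # False
    print("ceo reads raw payroll:", is_allowed(ceo, "payroll", "read"))          # False
    change_role(alice, "site_engineer", "estimator")
    print("alice writes BIM model after move:", is_allowed(alice, "bim_models", "write"))  # False
    print("overbroad roles:", find_overbroad_roles({**ROLES, "superuser": {("*", "*")}}))  # ['superuser']
```

The design point is that the policy never answers "yes" by default: an unknown role, an unassigned role, or a typo in a resource name all resolve to deny, and a role change replaces permissions rather than adding to them, which is exactly the accumulation that makes long-serving employees over-privileged.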
Inspect and Record Network Traffic
Keeping tabs on the network traffic and activity of your employees lets monitoring tools act as a force multiplier for your security personnel, and it is a cornerstone of your detection and response program. Suspicious network activity is often one of the first signs of a cyber attack, and your goal should be to identify it as early as possible. That means retaining the traffic records (flow logs, DNS queries, proxy and VPN logs) long enough to reconstruct what happened once an incident is suspected, not just watching them in real time.
Monitor Outbound Data
Even when internal activity raises no red flags, malicious insider incidents frequently involve the exfiltration of sensitive data or intellectual property, either over the internet or to portable storage devices. Because the majority of insider data breaches involve the outbound movement of data, that is the critical point to watch: compare each user's outbound volume, destinations, and timing against a baseline of their normal behavior, and investigate the deviations.
Leverage Artificial Intelligence Tools
Some of the more advanced monitoring systems offer artificial intelligence (AI) and machine learning features that provide some of the strongest protection on the market. These tools learn the normal patterns of your network traffic, and when activity falls outside those norms they can notify essential personnel or even take automated actions in line with your incident response plan. Bear in mind that a learned baseline needs tuning: an alert threshold set too tight buries your staff in false positives, and a model trained on a period that already included malicious activity will treat that activity as normal.
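As an added example for the three sections above (recording traffic, monitoring outbound data, and learning normal patterns), the following Python builds a per-user baseline of daily outbound bytes and destinations from a constructed flow log and flags the deviations. It is not code from the original page or from any monitoring product; the log field names (`user`, `dst`, `dport`, `bytes_out`), the five-day baseline window, the robust z-score threshold and the 10 MB off-hours rule are all assumptions chosen for illustration.

```python
"""Baseline-and-deviation detection for outbound data movement.

Added example, not code from the original page or any product. The flow
log below is constructed; the field names and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed flow summaries, one line per outbound connection. bob's 02:14 entry
# on 2024-03-06 is the planted anomaly (a 900 MB upload to a never-seen address);
# contractor1 has no history at all.
FLOW_LOG = """\
2024-03-01T09:12:00Z user=alice dst=203.0.113.10 dport=443 bytes_out=120000
2024-03-02T09:30:00Z user=alice dst=203.0.113.10 dport=443 bytes_out=110000
2024-03-03T10:05:00Z user=alice dst=203.0.113.10 dport=443 bytes_out=130000
2024-03-04T09:48:00Z user=alice dst=203.0.113.10 dport=443 bytes_out=125000
2024-03-05T09:15:00Z user=alice dst=203.0.113.10 dport=443 bytes_out=115000
2024-03-01T08:50:00Z user=bob dst=203.0.113.10 dport=443 bytes_out=150000
2024-03-01T13:20:00Z user=bob dst=203.0.113.22 dport=445 bytes_out=50000
2024-03-02T08:55:00Z user=bob dst=203.0.113.10 dport=443 bytes_out=160000
2024-03-02T14:10:00Z user=bob dst=203.0.113.22 dport=445 bytes_out=50000
2024-03-03T09:02:00Z user=bob dst=203.0.113.10 dport=443 bytes_out=140000
2024-03-03T15:40:00Z user=bob dst=203.0.113.22 dport=445 bytes_out=50000
2024-03-04T08:58:00Z user=bob dst=203.0.113.10 dport=443 bytes_out=155000
2024-03-04T13:05:00Z user=bob dst=203.0.113.22 dport=445 bytes_out=50000
2024-03-05T09:10:00Z user=bob dst=203.0.113.10 dport=443 bytes_out=145000
2024-03-05T14:30:00Z user=bob dst=203.0.113.22 dport=445 bytes_out=50000
2024-03-06T09:20:00Z user=alice dst=203.0.113.10 dport=443 bytes_out=118000
2024-03-06T09:05:00Z user=bob dst=203.0.113.10 dport=443 bytes_out=150000
2024-03-06T13:15:00Z user=bob dst=203.0.113.22 dport=445 bytes_out=50000
2024-03-06T02:14:00Z user=bob dst=198.51.100.45 dport=443 bytes_out=900000000
2024-03-06T11:00:00Z user=contractor1 dst=198.51.100.9 dport=443 bytes_out=5000000
"""

BASELINE_DAYS = ["2024-03-01", "2024-03-02", "2024-03-03", "2024-03-04", "2024-03-05"]


def parse_flows(text):
    """Parse 'timestamp key=value ...' lines into dicts (assumed format)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        flows.append({"day": ts[:10], "hour": int(ts[11:13]), "user": rec["user"],
                      "dst": rec["dst"], "bytes_out": int(rec["bytes_out"])})
    return flows


def daily_totals(flows):
    """user -> day -> total outbound bytes."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["user"]][f["day"]] += f["bytes_out"]
    return totals


def build_baseline(flows, baseline_days):
    """Per-user median daily bytes, median absolute deviation, and destinations seen."""
    hist = [f for f in flows if f["day"] in baseline_days]
    totals = daily_totals(hist)
    dests = defaultdict(set)
    for f in hist:
        dests[f["user"]].add(f["dst"])
    baseline = {}
    for user, per_day in totals.items():
        vals = [per_day.get(d, 0) for d in baseline_days]   # quiet days count as 0
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1.0     # avoid division by zero
        baseline[user] = {"median": med, "mad": mad, "dests": dests[user]}
    return baseline


def score_day(flows, day, baseline, z_threshold=5.0, off_hours_bytes=10_000_000):
    """Alert on users whose outbound volume, destinations or timing deviate from baseline."""
    day_flows = [f for f in flows if f["day"] == day]
    alerts = []
    for user, per_day in daily_totals(day_flows).items():
        today = per_day[day]
        b = baseline.get(user)
        if b is None:
            alerts.append((user, "no baseline for this account", today))
            continue
        reasons = []
        z = 0.6745 * (today - b["median"]) / b["mad"]       # MAD-based robust z-score
        if z > z_threshold:
            reasons.append(f"volume {today} bytes is {z:.1f} MADs above median {b['median']}")
        new_dests = {f["dst"] for f in day_flows if f["user"] == user} - b["dests"]
        if new_dests:
            reasons.append(f"new destination(s) {sorted(new_dests)}")
        night = [f for f in day_flows if f["user"] == user and f["hour"] < 6
                 and f["bytes_out"] >= off_hours_bytes]
        if night:
            reasons.append(f"{len(night)} large transfer(s) between 00:00 and 06:00")
        if reasons:
            alerts.append((user, "; ".join(reasons), today))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    base = build_baseline(flows, BASELINE_DAYS)
    for user, why, total in score_day(flows, "2024-03-06", base):
        print(f"ALERT {user}: {why} (total {total} bytes)")
```

Three independent signals are combined here because each on its own is noisy: a large volume to a known backup host is routine, a small transfer to a new destination is routine, but a large off-hours transfer to an address the user has never contacted is the pattern worth a call to the incident response lead. Accounts with no history (new hires, contractors) are surfaced separately rather than silently scored as normal.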
Create and Maintain an Incident Response Plan
Speaking of incident response plans, no cybersecurity program should be without one. Once you have created and implemented the plan and trained your employees on it, the most critical mistake many organizations make is failing to keep it up to date. Without current contact information for staff, vendors, and the systems involved, an incident response plan is next to useless. Update all contact and vendor information on an ongoing basis, exercise the plan with your staff so the steps are familiar before a real incident, and schedule an overall review at least annually as part of your regular risk assessment process.
Enforce Security Standards on Your Vendors
Some of the most significant corporate data breaches have been the result of a compromised vendor with too much access to an enterprise's systems. While you control their access to your network, some critical vendors need access to a substantial amount of sensitive information to deliver the services you contract them for. Although it can be difficult to verify, you should make a significant effort, as part of both your vendor risk management and your contracting processes, to make cybersecurity standards a component of each. Vendor accounts should be subject to the same least-access and multifactor authentication rules as your own staff, and disabled when the engagement ends. On-site and off-site audits, risk assessments, and continuous monitoring should all be leveraged so that your protections aren't undone by a vendor's lax cybersecurity.
At Venture Lynk Risk Management, we are risk management specialists. From comprehensive vendor management to operational risk or even information security, we provide packaged and customized enterprise risk management services for a wide variety of high-risk industries. Our specialists can take your program to the next level and help to prevent insider threats in construction and other industries. See what we can do for your unique circumstances today.