From left: David J. Oberly and Jeffrey N. Rosenthal of Blank Rome. From left: David J. Oberly and Jeffrey N. Rosenthal of Blank Rome.

Insider threats—i.e., security risks originating from within an organization—have been on the rise. The average cost of an insider attack has grown by 31% to $11.45 million per incident in the last two years alone. And the current pandemic—and resulting transition to long-term remote work arrangements—has significantly enhanced these already-sizable risks in several ways.

Increased Threats Posed by COVID-19 and Remote Working

Remote working increases the risk of insider threats arising from employee negligence. Given the state of the world, employees may be prone to distraction and mixing personal online endeavors with their work-related activities. This, in turn, raises the likelihood cyber criminals' targeted phishing campaigns and other attacks will prove successful. Employees may often fail to utilize safe computing practices while working outside the office, leaving remote devices susceptible to cyber attacks. Working from home also brings significant technical vulnerabilities—like insecure network connections—further increasing opportunities for cyber criminals to carry out attacks.

At the same time, remote working also enhances the risk of insider threats arising from intentional, malicious actors. The effectiveness of traditional organizational security controls to monitor and flag inappropriate online employee activity may be significantly diminished in remote work environments. This can result in reduced visibility over what employees are doing and the information they access. In addition, many companies that were ill-prepared to make an immediate transition to full-scale remote working have been forced to provide increased privileges and access to maintain productivity levels while employees work from home, greatly boosting the opportunities available for malicious insiders to exploit organizational networks and sensitive data.

Significantly, these heightened insider threat risks will continue apace even after COVID-19 is in our rear-view mirror, especially as many companies implement remote working on a permanent basis. As such, now more than ever companies must take actionable steps to combat the sizable security risks posed by the combination of insider threats and remote working. Fortunately, there are several key best practices that companies can implement as part of a comprehensive, risk-based security strategy to significantly reduce the threat of remote worker insider attacks.

Teleworking Policy

As a starting point, companies should implement a strong, comprehensive teleworking policy that directly addresses the security of company networks and data. Creating a robust teleworking policy is a simple yet effective way to combat insider threats, particularly those arising out of carelessness or negligence. In particular, there are several key components that should be included in such policies.

First, teleworking policies should address the issue of remote access. Remote access guidelines should define scope of permissible bring-your-own device (BYOD) practices—involving the use of employee-owned devices to connect to company networks—while working from home, as well as any technical requirements for connecting remotely to organizational networks, such as mandating virtual private networks (VPN) and multi-factor authentication (MFA) password protocols.

Teleworking policies should also address "acceptable use," which serves a critical role in promoting employees' responsible use of company assets and data by educating them on the types of behaviors permitted when using company technology. Acceptable use guidelines should define what employees can and cannot do with company-owned devices and specify the scope of such activities.

Similarly, mobile security guidelines—which specify the company's security requirements when data is accessed or transmitted via mobile device (both company- and employee-owned)—should also be included in all teleworking policies. In particular, these guidelines should address several key points, including: keeping software updated; always locking devices when they are not in use; reporting lost or stolen devices immediately; and never connecting to public Wi-Fi networks.

Employee Education and Training

 Employing a workforce that is savvy about lurking cyber risks and threats is another critical way to minimize the risk of insider threats. As such, a second key ingredient to an insider threat risk mitigation program is employee security awareness education and training.

Employees must be thoroughly educated and trained on how to safely and securely use, transfer, and store organizational data in the course of their day-to-day activities while working from home. Employees should also be educated and trained on today's most prominent cyber-attack methods—such as phishing, malware, and social engineering—and best practices to implement to avoid falling victim to a targeted cyber scam.

Combined, education and training in these areas can help arm a company's workforce with the tools they need to effectively avoid any mishaps while working outside the office that could result in accidental or unintentional data breaches or other security events.

Employee Monitoring

Employee monitoring is a third key component of an effective insider threat risk mitigation program.

Employers should monitor workers' use of electronic data, with an eye toward unusual activity—especially if data is being pulled off the company's network. Data monitoring can not only detect data leaks when they happen, but can discourage employees from taking unnecessary risks when accessing or handling company data.

At the same time, employers should also monitor for "digital" threat indicators, which are represented by different forms of online activity that deviate from employees' normal day-to-day activities. Common examples include downloading large amounts of data to external sources, emailing sensitive data to personal accounts, and accessing sensitive data that is not relevant to an employee's job duties or responsibilities.

User Access Restrictions and Control

Finally, companies should also include user access restrictions and control as an integral component of their insider threat risk mitigation programs.

Employers should implement the principle of "least privilege" to restrict and limit exposure by granting employees only the minimal level of access or privilege that is necessary for them to carry out their job duties and responsibilities. Similarly, companies should regularly review workers' data access rights and terminate any access to data or accounts that are no longer in use or no longer needed for employees to carry out their job responsibilities.

By ensuring employees only have access to data that is essential to their work-related duties and responsibilities, companies can significantly decrease the likelihood of finding themselves on the receiving end of a successful insider attack.

Conclusion

 With no clear ending date for the current COVID-19 pandemic, employers must implement the necessary protocols and technical safeguards to secure their networks and data while employees continue to work remotely. Remote working may very well become the "new normal," as employers seek to capitalize on the significant benefits offered by remote work arrangements. Thus, effective insider threat risk mitigation programs are also critical from a broader, long-term perspective. By adhering to the best practices described above, companies can put themselves in the best position to protect themselves from data compromise events stemming from insider threats and remote working arrangements—both during the COVID-19 pandemic and after.

To fully manage and mitigate the enhanced risk of insider threats tied to remote working, businesses should contact experienced legal counsel to ensure they have the proper policies and protocols in place to effectively defend against these potentially lethal security vulnerabilities. And if a business suffers a successful insider attack or other type of security incident during the COVID-19 pandemic (or thereafter), experienced counsel should be contacted to provide immediate assistance with rapid incident response and crisis management, which is key to minimizing the fallout and impact of a data compromise event.

Jeffrey N. Rosenthal is a partner at Blank Rome. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. He can be reached at [email protected].

David J. Oberly is an attorney in the Cincinnati office of the firm and is a member of the firm's cybersecurity and data privacy and privacy class action defense groups. Oberly's practice encompasses both counseling and advising sophisticated clients on a wide range of cybersecurity, data privacy, and biometric privacy matters, as well as representing clients in the defense of privacy and biometric privacy class action litigation. He can be reached at [email protected].