Addressing Insider Cybercrime

By James Robinson

In a previous blog post, I discussed what triggers insider threats within an organization. Understanding these threats is important so that your organization can take the necessary steps to prevent insider cybercrime. To help minimize the risk, organizations should maintain an open, two-way line of communication with their employees, especially following an event that could affect morale, such as layoffs. Organizations can also keep technology on their side by configuring their systems to recognize potential issues before they become big problems.

Unfortunately, even the best preventative measures do not work 100 percent of the time. It is important to have a plan in place should your organization find itself the victim of insider crime. We know insider crime must be addressed as soon as it is discovered, but what should that response include?

Law Enforcement
The 2014 U.S. State of Cybercrime Survey found that 75 percent of organizations that have experienced a cybercrime do not involve law enforcement. This is a troubling statistic because it means that criminals go unpunished for their attacks and remain free to be hired by other unsuspecting companies, where they could wreak havoc again. When any type of crime occurs within your organization, it is essential to follow proper protocols and contact the police. Insider cyber perpetrators can range from a recently fired employee whose network access was not revoked in time to a former employee who took company trade secrets or sales information to their new organization.

Information and Forensic Data
Information and forensic data are your main source of evidence, so it is vital that you gather the necessary information and keep it safe from being altered or destroyed. Make copies of your data, and then make copies of your copies. Go into this situation with the mindset that you will stick with it all the way to the end, which will likely mean a trip to a court of law. You must be prepared to present an expert witness and testimony, and have all paperwork in order so you have the strongest possible case. To avoid the manual process of collecting evidence, your organization can invest in an enterprise forensic system.

Legal and Public Relations
Your plan should also include how you’ll manage the legal and public relations aspects of dealing with an insider crime. Navigating these paths can be tricky, and I recommend leveraging a partner who can help from an organizational side.

Industry Reporting
If your organization finds itself dealing with even a minor breach, it’s still important to investigate and report the data to industry groups that study cyber trends. One issue we see with insider crimes is that organizations simply don’t report data, so we don’t know how big the problem is. By providing the industry with all information about an incident, your organization can help others keep the problem under control. 

If your response plan is standardized and put into action quickly, you can avoid catastrophe and hopefully bring a cybercriminal to justice.  

James Robinson

Vice President, Third-Party Risk Management

As vice president, third-party risk management, Robinson oversees Optiv’s Third-Party Risk Management practice, which includes the development and operations of TPRM-as-a-Service and Evantix. During his tenure at Optiv, he has worked as a core contributor around strategic internal initiatives including threat management, risk management, third-party risk management, vulnerability management and data program protection. He also develops and delivers a comprehensive suite of strategic services and solutions that help chief experience officer (CXO) executives evolve their security strategies through innovation.