
A Tech Adoption Guide for Lawyers

in partnership with Legal Tech Publishing


Using Employee Engagement And Technical Controls To Reduce Insider Risk 

Both technical and non-technical measures are vital in the legal industry.

In an increasingly digital world, cybersecurity for the information and data that law firms and other counsel are entrusted with is more important than ever. Complex passwords, multi-factor authentication, and firewalls are essential defense mechanisms, but they often fail to address a significant risk vector: the employee, an insider. Optiv defines insider risk as “the potential for an employee or other person with legitimate system and data access to negatively impact an organization’s people, data, or resources” (Insider Risk | Optiv). 

Ponemon Institute’s 2023 Cost of Insider Risks Global Report (Ponemon Cost of Insider Risks Global Report – DTEX Systems Inc) notes that the costs of insider risk are at an unprecedented high. In 2023, the average annual cost of a data breach from insider risk was $16.2 million per organization, up from $15.4 million in 2022. Typically, these data breaches take about three months to contain. Moreover, the 2023 report revealed that the most significant costs of insider-related data breaches are accrued after the incident occurs due to containment and remediation efforts. 

While insider risk can never be eliminated, it can be reduced through technical and non-technical controls and by leveraging employee engagement. 

Insider Risk Explained 

When exploring how to reduce insider risk, it is vital to understand the difference between unintentional and intentional insider risk. Organizations experience harm from unintentional insider risk when an employee or another person closely associated with the organization is negligent or complacent when handling data. Careless insiders can compromise data security by losing a laptop with unencrypted data, sharing a password with an unauthorized individual, clicking links in a suspicious email, or committing any other negligent act in which due regard for data security is not observed. Complacency also contributes to unintended data loss when insiders fail to follow proper security protocols, such as not updating applications and operating systems, using or reusing weak passwords, or not following data deletion best practices. In 2023, these non-malicious insiders accounted for 75% of all insider risk incidents (Ponemon Cost of Insider Risks Global Report – DTEX Systems Inc, p. 5). 

Intentional or malicious insider risk incidents involve individuals who work in an organization and deliberately seek to cause it financial or reputational harm. These events can be organized into several categories: espionage or intellectual property theft, intentional unauthorized disclosure, sabotage, fraud, and workplace violence (Insider Types | MITRE Insider Threat Research & Solutions). Of these, one of the most concerning, and one that must be addressed and hopefully prevented through employee engagement, is insider workplace violence. The UK National Protective Security Authority defines this to include “any action or threat of physical violence, harassment, sexual harassment, intimidation, bullying or other threatening behavior by a co-worker in the workplace.” As one could imagine, an intentional breach by an insider is the costliest. While less frequent than negligent incidents, the average cost per malicious incident topped $700,000 in 2023 (Ponemon Cost of Insider Risks Global Report – DTEX Systems Inc, p. 9). 

A Technical Approach to Reduce Insider Risk 

Technical controls are one mitigating step an organization can take to reduce the risk of insider threats. Detective controls, like auditing, provide accountability for privileged and regular users alike while offering the ability to monitor for unusual user behavior that may indicate attempts at data exfiltration, data smuggling, or unwanted system modification. Preventative controls work together with detective controls to reduce the load on analysts and disrupt known malicious behaviors. These controls include proper account provisioning and de-provisioning, following least-privilege access management best practices, separating duties for critical system changes, and enforcing strict remote access controls. Finally, if a malicious act is carried out, corrective controls, such as data backups, can restore systems to a functioning state and allow the organization to return to normal operations. 

Detective controls alert an organization to the first signs of suspicious activity and serve as evidence when an incident occurs. Auditing and alerting on network logs allow organizations to detect anomalies in user upload and download volumes; compared against a user’s normal activity, these anomalies can indicate data exfiltration outside the company network or data smuggling. CISA (Cybersecurity and Infrastructure Security Agency) notes explicitly that User Behavior Analytics (UBA) software can be used to help identify these anomalies and quickly alert analysts to unusual user behavior (Insider Threat Mitigation Guide (cisa.gov), p.39). Host-based actions should also be logged and reviewed regularly, especially on mission-critical systems, as not all illicit actions are conducted over the network (Common Sense Guide to Mitigating Insider Threats, Seventh Edition (cmu.edu), p. 83-4). 

Activity logged outside of business hours should also be investigated to determine the actions taken, their purpose, and their legitimacy, as a user may attempt to hide malicious activity during times that are minimally reviewed. Preventative controls complement auditing by stopping malicious actions before they take place. When provisioning user accounts, least-privilege permissions should be used so that users have access only to the systems and applications required for their job duties. Likewise, a thorough and reliable user de-provisioning process should be established so that when a user departs the organization, access to systems is removed and shared passwords are changed, leaving the former user unable to reach company resources. While minimal privileges can prevent significant, organization-wide changes, logical controls that require multiple users to authorize mission-critical system changes should also be used where possible (Common Sense Guide to Mitigating Insider Threats, Seventh Edition (cmu.edu), p. 79). 
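The two detective checks described above, a per-user baseline on outbound transfer volume and a review of activity outside business hours, can be reduced to a small script run over egress or proxy logs. The following is an added example written for this page, not code from the article or from any vendor’s UBA product. It assumes a simple key=value log format, that timestamps and the business-hours window are expressed in the same time zone (UTC here), and uses constructed sample lines; the thresholds (three standard deviations, a minimum of three baseline days) are illustrative starting points, not recommendations from the cited guides.

```python
"""Flag outbound-volume spikes and off-hours activity in constructed egress logs.

Added example for illustration; log format, field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample lines in an assumed format:
# <ISO-8601 UTC timestamp> user=<id> dst=<destination host> bytes_out=<bytes sent>
# jdoe's last line is the planted anomaly: a large transfer at 02:13 on a Friday.
SAMPLE_LOG = """\
2023-05-01T09:12:03Z user=jdoe dst=sharepoint.example.com bytes_out=2100000
2023-05-01T14:40:11Z user=jdoe dst=sharepoint.example.com bytes_out=1800000
2023-05-02T10:05:19Z user=jdoe dst=sharepoint.example.com bytes_out=2400000
2023-05-03T11:22:45Z user=jdoe dst=sharepoint.example.com bytes_out=1900000
2023-05-04T08:55:00Z user=jdoe dst=sharepoint.example.com bytes_out=2200000
2023-05-05T02:13:44Z user=jdoe dst=files.transfer.example bytes_out=950000000
2023-05-01T10:00:00Z user=asmith dst=sharepoint.example.com bytes_out=500000
2023-05-02T10:00:00Z user=asmith dst=sharepoint.example.com bytes_out=650000
2023-05-03T10:00:00Z user=asmith dst=sharepoint.example.com bytes_out=480000
2023-05-04T10:00:00Z user=asmith dst=sharepoint.example.com bytes_out=700000
2023-05-05T10:00:00Z user=asmith dst=sharepoint.example.com bytes_out=520000
"""

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, weekdays only (assumed, same zone as the logs)
SPIKE_SIGMAS = 3.0             # a day is a spike if it exceeds mean + 3 std devs of other days
MIN_BASELINE_DAYS = 3          # do not judge a user with fewer other days of history


def parse_log(text):
    """Parse key=value log lines into dicts with a tz-aware datetime, user, dst, bytes_out."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": rec["user"],
            "dst": rec["dst"],
            "bytes_out": int(rec["bytes_out"]),
        })
    return events


def off_hours_events(events):
    """Return events that occurred on a weekend or outside BUSINESS_HOURS."""
    return [e for e in events
            if e["ts"].weekday() >= 5 or e["ts"].hour not in BUSINESS_HOURS]


def daily_upload_totals(events):
    """Sum bytes_out per (user, calendar day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date())] += e["bytes_out"]
    return totals


def upload_spikes(events):
    """Flag days whose outbound volume exceeds the user's own baseline.

    Each day is compared against that user's *other* days, so a large transfer
    cannot raise the baseline it is being judged against.
    """
    per_user = defaultdict(dict)
    for (user, day), b in daily_upload_totals(events).items():
        per_user[user][day] = b
    findings = []
    for user, days in per_user.items():
        for day, b in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            if len(others) < MIN_BASELINE_DAYS:
                continue
            mu, sigma = mean(others), pstdev(others)
            # A perfectly flat history gives sigma == 0; fall back to "double the mean".
            threshold = mu + SPIKE_SIGMAS * sigma if sigma > 0 else mu * 2
            if b > threshold:
                findings.append({"user": user, "date": day, "bytes_out": b,
                                 "baseline_mean": mu, "threshold": threshold})
    return findings


def analyze(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings for review."""
    events = parse_log(text)
    return {"spikes": upload_spikes(events), "off_hours": off_hours_events(events)}


if __name__ == "__main__":
    result = analyze()
    for f in result["spikes"]:
        print(f"SPIKE   {f['user']} {f['date']} {f['bytes_out']:,} B "
              f"(baseline mean {f['baseline_mean']:,.0f} B)")
    for e in result["off_hours"]:
        print(f"OFFHRS  {e['user']} {e['ts'].isoformat()} -> {e['dst']} {e['bytes_out']:,} B")
```

On the constructed sample the script reports one spike (jdoe on 2023-05-05, roughly 365 times that user’s baseline) and one off-hours event (the same transfer, at 02:13 on a weekday), while asmith’s ordinary day-to-day variation stays under the threshold. In production the baseline would come from weeks of history rather than four days, the per-user window would be tuned to the role (a litigation support analyst legitimately moves far more data than a billing clerk), and a finding would be a prompt for an analyst to check the destination and the user’s context, not an automatic accusation.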

Finally, although mitigations may be in place to reduce risk, if a threat actor does damage an organization’s systems, corrective controls such as data backups, configuration backups, and rollback plans should be used to return systems to normal operations. These backups and rollback plans should be tested regularly; a backup plan should be considered not yet implemented until a full test restore has been completed and the resulting mean time to recovery and mean time to resolve have been recorded. 

Non-Technical Approaches to Reduce Insider Risk 

While technical measures are essential for safeguarding against insider threats, non-technical approaches also play a crucial role in mitigating these risks within law firms and corporate legal departments. Non-technical strategies reduce insider risk by increasing positive reinforcement and incentives and by reducing negative environmental factors. 

Creating a positive work environment is paramount in reducing insider risk. Employees who feel valued, respected, and satisfied in their roles are more invested in the organization’s success and less likely to engage in risky behavior that could compromise security. By fostering a culture of trust, transparency, and collaboration, organizations cultivate a sense of loyalty and commitment among employees and a culture of shared responsibility for information security. 

A sense of belonging and camaraderie among employees strengthens their commitment to upholding ethical standards and protecting sensitive information. Resentment and discontent can significantly increase the risk of insider threats. Organizations must address any underlying issues promptly and effectively. Addressing these issues may involve implementing conflict resolution mechanisms, providing channels for employees to voice their concerns, and addressing grievances fairly and transparently. By promoting a culture of fairness and respect, organizations can reduce the risk of insider threats from internal dissatisfaction or disgruntlement. 

Employees who feel valued and see a future with the company are less likely to engage in risky behavior that could jeopardize their careers. Organizations should provide opportunities for career advancement and invest in employees’ professional development. Continuous education and training are essential to any effective insider risk mitigation strategy. Organizations should provide regular security awareness training to all employees, highlighting the importance of confidentiality, data protection, and best practices for safeguarding sensitive information. By keeping employees informed about emerging threats and reinforcing security protocols, organizations empower them to be vigilant and proactive in identifying and mitigating insider risks. Employees should be educated on the potential consequences of their actions and the value of protecting proprietary information. 

Regular communication reinforces the importance of information security and keeps it at the forefront of employees’ minds. Organizations should ensure employees understand what constitutes acceptable behavior regarding handling sensitive data and proprietary information and that information security policies and procedures are clearly communicated to all employees. Employees should be informed about security updates, best practices, and any changes in policies or procedures (SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations | CSRC (nist.gov), PS-1, Policies and Procedures). 

Creating a culture where employees feel comfortable reporting suspicious activities or security concerns without fear of retaliation is essential. Such a culture can be developed by acknowledging and rewarding employees who demonstrate a commitment to information security, recognizing individuals who report security incidents or implement security best practices in their daily work, and implementing anonymous reporting mechanisms to provide employees with a safe way to voice their concerns. 

One of the best ways to reduce insider risk is to eliminate the risk before it can materialize. Thorough background checks and vetting procedures during hiring should be standard practice for most organizations. By conducting comprehensive screenings, including criminal background checks, reference verifications, and employment history checks, organizations can identify potential red flags early on. Verifying educational and professional credentials helps ensure that employees possess the qualifications and integrity required to handle sensitive legal matters. Similarly, exit interviews and offboarding procedures offer a last chance to prevent data loss. Organizations should conduct thorough exit interviews and ask departing employees to sign an attestation confirming that no company files are being taken. Additionally, offboarding procedures should ensure that all access to sensitive information is revoked promptly. This process mitigates the risk that former employees retain access to company systems or data after their employment has ended (SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations | CSRC (nist.gov), PS-3 Personnel Screening and PS-4 Personnel Termination). 

Conclusion 

Both technical and non-technical measures are vital for reducing insider risk in the legal industry and play a crucial role in fostering a culture of security awareness to minimize the likelihood of security breaches. Law firms and corporate legal departments can effectively mitigate insider risk and safeguard sensitive information by implementing adequate technical controls, promoting a positive work environment, addressing resentment and discontent, and strengthening employee engagement. 


Scott Busch brings over a decade of leadership in international team management across the legal, real estate, and tourism sectors. As a member of Ogletree Deakins’ information security team, Scott focuses on Governance, Risk Management, and Compliance (GRC), and third-party risk management. His career demonstrates strategic vision and dedication to excellence, and his diverse experience is complemented by a commitment to lifelong learning. 

Ethan Powell is an IT Security Analyst at Ogletree Deakins, focusing on incident response and vulnerability management in the legal environment. He can adapt to many situations and is dedicated to consistent and continuous learning about the ever-changing security landscape. 

Joshua Smith is an experienced information security manager with a demonstrated history of success in higher education and legal verticals. He holds a CISSP and is skilled in information security operations, GRC, and problem-solving, as well as solution development and customer service. Dedicated to continuous improvement through learning and contributions to the profession, Joshua currently leads the Information Security GRC team at Ogletree Deakins.