You hear about it all over the news: companies that fall victim to stolen data, sabotaged applications, unauthorized code and other digital misdemeanors. Believe it or not, a large chunk of these incidents are due to insider threats: nearly 75%, in fact!

How do you make sure your company isn’t one of them?

If you haven’t read the first blog in this series, be sure to check it out here. In this installment, we continue to explore unethical situations, highlighting how you can successfully overcome insider threats.

How can unethical behavior affect your business?

When a company’s strategy includes unethical activities, end users often take the biggest hit. It puts a software user’s private data, identity, and the assets associated with that identity at risk. And once word gets out to the media, it results in irreversible damage to the company’s reputation. Two recent examples come to mind: the slowdown of older iPhone models by Apple, and the presumption of spying by Kaspersky Anti-Virus, which, after being reported to be stealing data, was banned from use in the US administration.

However, when a single software developer or a group of developers creates morally questionable code, the consequences for the company can be even more devastating. Beyond the damage to the company’s reputation, there are other risks, too: from leaking data to competitors to disrupting internal processes, potentially bringing the entire business to a halt.

Whenever we at Luxoft’s information security practice carry out a risk analysis or security audit, we always determine whether insider threats exist and identify potential consequences. We create effective countermeasures after assessing motivations (e.g. if they don’t feel respected by team members or feel they are underpaid) and goals of potentially rogue employees. This way, we can pinpoint which individuals are most likely to plan an information leak (e.g. of intellectual property or company secrets), damage the business’s credibility in the eyes of users and investors, or completely disrupt the business’s operations and sabotage business opportunities (e.g. disclosing financial information before an acquisition).

How do companies fight insider threats and lower their impact?

Insider threats have some of the most severe consequences among security incidents, since employees are familiar with where they work and may know what can cause the most damage. At the same time, this type of threat is the most downplayed by companies of all sizes, from small mom-and-pop shops to major global entities. So it’s high time to start looking out for potential threats before they even happen.

And to do that, you need a complete end-to-end security environment.

First, you need to run a security assessment to identify the areas that are at risk. Only then can you start implementing high-level policies and communicating those policies to all your departments.

In addition to a rigorous information security policy, multiple internal processes are necessary to prevent or impede unethical actions by internal attackers. For instance, when building software, a comprehensive history of who did what to the application, a standardized code review process, a code modification approval process and continuous static code analysis together form the foundation for detecting unethical behavior among developers. Some example processes include:

Dual control: A task considered to be highly sensitive requires at least two people to carry it out, decreasing the chance of fraud.
Segregation of duties scheme: Different tasks considered to be highly sensitive cannot be carried out by the same person, distributing power among coworkers. For example, a software developer who writes the code cannot also approve and deploy that code change to production.
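To make the two processes concrete, here is an added example (not Luxoft’s own tooling) of a policy-as-code check that a CI pipeline could run on a change request before it is merged or deployed: it enforces segregation of duties (the author may neither approve nor deploy their own change) and dual control (changes touching sensitive paths need two independent approvers). The ChangeRequest structure and the sensitive path prefixes are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed for the example: paths whose changes count as "highly sensitive".
SENSITIVE_PREFIXES = ("src/payments/", "deploy/", "infra/")


@dataclass
class ChangeRequest:
    """Hypothetical change-request record as a CI system might expose it."""
    author: str
    files: List[str]
    approvers: List[str] = field(default_factory=list)
    deployer: Optional[str] = None  # None until someone triggers a deployment


def is_sensitive(cr: ChangeRequest) -> bool:
    """True if any touched file lies under a sensitive path prefix."""
    return any(f.startswith(p) for f in cr.files for p in SENSITIVE_PREFIXES)


def evaluate(cr: ChangeRequest) -> List[str]:
    """Return the list of policy violations; an empty list means the change may proceed."""
    violations = []
    # Segregation of duties: the person who wrote the change must not be the one who approves it.
    if cr.author in cr.approvers:
        violations.append("self-approval: author appears among approvers")
    # Segregation of duties: the author must not deploy their own change either.
    if cr.deployer is not None and cr.deployer == cr.author:
        violations.append("self-deploy: author is also the deployer")
    # Only approvals from people other than the author count as independent.
    independent = {a for a in cr.approvers if a != cr.author}
    if not independent:
        violations.append("no independent approval")
    # Dual control: sensitive changes require at least two independent approvers.
    if is_sensitive(cr) and len(independent) < 2:
        violations.append("dual control: sensitive paths need two independent approvers")
    return violations


if __name__ == "__main__":
    # Constructed sample: author tries to approve and ship a payments change alone.
    cr = ChangeRequest("alice", ["src/payments/refund.py"], ["alice"], deployer="alice")
    for v in evaluate(cr):
        print("BLOCKED:", v)
```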

Lastly, don’t forget about your employees and co-workers! As I noted in my previous blog, Stack Overflow’s survey found that 80% of respondents think software developers are obliged to consider the ethical implications of the code they write. In addition, over 95% would report such issues when they arise. Companies need to leverage that moral drive and enable developers to oppose and act on unethical problems without fear of repercussions. Organizations can do this by creating an engaging security culture, adopting a whistleblower policy and strengthening their security posture by implementing a holistic strategy and contextual controls.

Making your security framework successful is still a difficult task, as every company faces different challenges. But with help from a valuable partner that knows your specific business needs, you can rest assured you’re getting assistance from top security experts who live and breathe technology.

Q: How can you protect your business? A: You can’t do it alone.

As businesses continue to digitalize, they are increasingly exposed to insider threats. Minimizing these threats is becoming a top priority for organizations across all sectors.

We at Luxoft can help your business overcome these threats before they even happen.

We provide the armor your business needs to protect itself from both internal and external forces. We secure software development and beyond, while adhering to best practices around security assessments, process and policy design, strategy and management. With deep knowledge across industries, we deliver what’s necessary for every business to survive, both now and in the future.


Marcin Swiety
InfoSec Director, Luxoft Digital
A seasoned Information Security professional dedicated to business and delivery management in the cybersecurity space. He has built and managed internal and external Information Security Services in areas such as Data Center, Infrastructure, Network, Outsourcing and Software. He is a white-hat expert and decorated cybersecurity veteran, and holds CISSP, CISM, CISA, CEH, WCSD and ITIL certifications. He is passionate about how InfoSec can play a business-enabler role in the era of digital transformation.