
Don’t gamble with insider threats
ObserveIT’s Simon Sharp outlines why operators should prepare themselves for insider threats by limiting employees’ access to customer data

For online gambling, the need for data security is obvious, given that every player’s name, address, email address, password and credit-card information are stored. With lots of money being processed every day too, operators need to be on their toes, watching every move – whether offline or on their servers.
Today, businesses are overwhelmingly familiar with the external cyber-security threats to their systems and data but rarely do they consider that their own trusted insiders – their employees, vendors or contractors – could be the source of a breach.
The news that a Gibraltar court fined a former BetVictor employee £2,000 for hacking into its systems after he had left the company demonstrates that the insider threat can take many forms and impact any business.
What’s also notable about the BetVictor case, however, is that the company did not have an action plan for former employees. Removing access to data and systems immediately upon termination can significantly lessen the chance of a data leak. While the BetVictor hacker told police he had no malicious intent and was merely accessing a personal work file, businesses are taking a significant gamble by not having clear processes around revoking login details and by failing to understand the limitations of these legacy security approaches.
Traditionally, the technological solutions most often used to prevent data leaving a company have been data loss protection (DLP) tools. While effective, DLP agents focus solely on the data aspect of the equation, rather than the people aspect, overlooking that there is a person right at the centre of any insider threat incident. Equally, DLP tools typically rely on IT or security professionals to correctly configure, deploy and fine-tune them over time.
Given how the consumerisation of IT has led to end-users selecting the tools and technologies they want themselves, not to mention the rise of remote working, DLP solutions have limited reach.

Eye spy
Knowing what employees and other trusted third parties are up to is a crucial first step in mitigating the potential risk of an insider threat incident escalating into an actual breach.
Detecting a real threat can be difficult because understanding user activity and intent requires context. Gaming operators must look to establish systems that give them full visibility into user activity, enabling them to know exactly what every user is doing during every minute they are logged on to the IT system.
Security or IT teams should be alerted in real time to suspicious activity, such as when users browse unauthorised content or contaminated websites, run peer-to-peer file-sharing sites or even copy and paste content into an unauthorised email account or instant messaging service.
Fortunately, visibility tools do not need to come at the expense of user privacy. Any data collected can be anonymised until an investigation is needed. This protects the cyber-security team member from unauthorised personally identifiable information access and protects the end user – the potential insider threat – from having their privacy compromised.
It’s important to try and anticipate the events that could lead to an incident and create a gameplan to mitigate a breach happening. Indeed, statistics show that two out of three insider threat incidents happen by accident. Businesses must also properly evaluate how equipped their employees are.
Limiting access to potentially risky tools can help minimise the chance of a leak, but the importance of establishing easy-to-understand processes shouldn’t be underestimated. Not only can good policy-making make people more accountable for their actions, but it also helps build a collective culture of trust.
Since people are at the centre of every insider threat, putting people first is essential when creating an insider threat programme. Think people, process, technology – in that order.
[Bio] With more than 18 years of leadership and management experience in cyber-security, fraud and telecommunications, Simon Sharp leads ObserveIT’s international strategy, management and execution. He has held strategic management and leadership roles with market-leading cyber-security organisations including Entrust, RSA, Pindrop and Cybereason.