Only about one in seven Canadian organizations surveyed have a specific internal definition of what insider threats could be, even while nearly two-thirds of organizations say they’re prepared to handle them.
According to a report from the Conference Board of Canada, Preventing, Mitigating, and Managing Insider Threats, an insider threat is “any person who has the potential to harm an organization for which they have inside knowledge or access.” That person’s actions could have a negative impact on reputation, financial results, business continuity and more, the report notes, adding that insider threats should be included in organizations’ overall risk management strategies.
According to an article from Canadian Underwriter, only 14 percent of organizations surveyed have a specific working definition of insider threat, and only 19 percent report having employee training on managing internal threats. Still, 65 percent of organizations said they could handle most insider threats.
Other significant threats include:
- Privacy and Information Breaches (94%)
- Workplace Violence (67%)
- Fraud (58%)
- Theft/Loss/Damage (53%)
According to Canadian Underwriter, the Conference Board offers the following steps for organizations looking to manage insider threats:
- Determine their risk tolerance for loss, damage, or disruption;
- Determine how the “insider threat” is defined across different internal management areas and departments;
- Change their focus from responding to insider threat incidents to preventing insider threat incidents;
- Provide employees with regular training on insider threats;
- Place more emphasis on identifying insider threat behaviours;
- Encourage ongoing communication between the organization and its employees;
- Develop clear policies around employee surveillance strategies;
- Clearly articulate roles and responsibilities for identifying and managing insider threats across the organization;
- Conduct more interdepartmental outreach to capture the insights of managers from different disciplines on responding to insider threat issues;
- Require interdepartmental insider threat teams to establish formal meeting times, practices, and procedures.