Protecting the Company Against Malicious Insiders
April 20, 2015
The breach at Sony Pictures Entertainment and the leak of client records at Morgan Stanley likely involved information attacks from a malicious insider. Malicious insiders take confidential internal information from a business for their own purposes. They can be current or former employees, contractors, business partners – anyone with access to the organization’s confidential personal or corporate information.
Organizations should observe this basic principle when they enter into employment and contractual relationships: Begin with the end in mind. At the beginning of the relationship, treat those who will have access to the company’s information the way airport security treats travelers – as a potential threat – and take the extra precautions necessary to ensure security.
The approach should be “layered.” Airport security doesn’t rely solely on an identification card check or a baggage screening. It uses such things as screenings, random secondary checks, watch lists and locked doors. Organizations too can use a layered multi-disciplinary approach, embracing security, privacy, and information management.
To implement and enforce an effective program, personnel from the board level down need training that makes clear what kind of information is sensitive, protected or confidential, and what methods should be used to protect it. An effective program should also educate employees about malicious insiders – why they want information, how they steal it, how this hurts the company and how to report their actions, as well as what the consequences will be for an employee who steals information.