2021 continues to be a year of training for businesses of all sizes regarding their IT Asset Management and IT Asset Destruction processes.
The new threats from a workforce now working remotely have forced many companies to wonder, quite frankly, who is touching their stuff. The dangers of not knowing range from negligent employees who lack training on disposing of their old laptops to groups of people who see a potential for making money.
You may remember a story that recently resurfaced due to lawsuits. In 2016, Morgan Stanley had a data breach after they closed two data centers and decommissioned the computer equipment in both locations. They contracted with a vendor to remove the devices’ data; however, devices believed to have been wiped of all information still contained some unencrypted data (and made their way back into the community). That subsequently left them open to lawsuits on behalf of clients concerned about their personally identifiable information being breached. While these incidents happened before COVID-19, the increase in remote workforces and the complications of new IT asset management processes have made this a growing threat.
So the question becomes, do you know who is touching your equipment, and how are you checking? And more importantly, who are you contracting to help you?
Immediate Threats in Your ITAM Process
- Unexpected Insiders – Insiders now potentially include friends and family members of your remote workforce. According to surveys, device sharing within homes has increased across businesses. Your employee or contractor may not even realize the risk they are posing. Consider a family member who “borrows” a device from their spouse, your employee, because they have an issue with their own. That opens the device up to potential risks that your employee knows to avoid. The family member becomes the one to click the phishing link. Training must now include reinforcing how NOT to allow well-intentioned family members to borrow devices. What seems harmless could be a huge problem.
- Malicious Employees – These are folks who like the lack of security in their remote work setting and are willing to use it for their gain. They typically fall victim to offers to make money. They often reveal themselves when they are reprimanded or fired. We now see a need for companies to focus more heavily on communication between their HR team and their IT team. When an employee was terminated in the past, it may have been easy to walk in and remove their equipment. With a remote workforce, you must have processes to ensure an employee isn’t fired before their ITAM security process has been discussed or deployed. Allowing a rogue employee to maintain access to your equipment while you figure out how to secure it is a disaster waiting to happen.
- Increased Contractors and Consultants – Many companies have increased their use of consultants during COVID-19 to decrease full-time employee costs and benefits. While this may be a solid strategy, it’s also increasing the potential risks of these people having access to your systems. You mustn’t make hasty decisions that could allow improperly vetted or trained consultants into your network. Often these threats to the ITAM process are not intentional, and they happen to good people. Hiring a consultant who doesn’t understand the considerable danger of their lack of security is a growing threat. Almost all businesses with consultants are exposed to this. You will want to consider whether it makes better sense to provide them with the equipment needed to do the job, or how you will manage security if they are using their own equipment but accessing your systems.
Vetting Your ITAM/ITAD Vendors
In its most straightforward description, you need a process or lifecycle solution to manage new IT asset acquisitions, understand who is touching what equipment, and what happens at the end of their life. You may decide to use a vendor to do all or a portion of this process. We find that when companies select a vendor for destruction, they often overlook critical steps in the process. Here’s how to not let that happen to you.
- Check References – Most cases of harm caused by improper destruction of equipment happened at the vendor level. You can learn a lot by checking references. We recommend asking for similar businesses and contacts. Be willing to make the call.
- Be Willing to Pay – Another critical cause of threats from improper disposal is lack of budget. Equipment removal can indeed be more of a hassle as it may now be spread across a state or region. That can run up costs. Additionally, many vendors are willing to forgo upfront fees because they know they will make their money on the backend. The problem occurs as they often improperly destroy data (or don’t do it) before selling the equipment for their profit.
- Check Their Insurance – Professional liability insurance protects your business from data-related liabilities. If your data is compromised while in a vendor’s possession, there could be harmful financial and legal consequences. There is a solution. The right ITAD partner would have insurance so that both their expenses and yours are covered in the event of a data-related liability.
- Check Their Certifications and Affiliations – Organizations like NAID promote a standard of best practices across service providers. It’s essential to check for things like NAID affiliations and certifications. This ensures that you select a partner who spends both the time and money to have processes that protect you.
Why Insider Threats Are Dangerous
Insider threats often have a massive impact on your IT assets and the processes you put in place to protect them. With COVID-19, these threats are even more challenging to detect and contain. Recent polls show that employers and management have felt like they are fighting a moving target with a remote workforce.
- Know your primary assets: Insider threats often target your proprietary information, product information, business plans, company funds, IT systems, equipment, and more.
- Protect financial risks: As we’ve shared in prior blogs, a study by the Ponemon Institute estimated that the average cost of insider threats had increased 31 percent to $11.45 million in the last two years. These costs include downtime losses, loss of business transactions, loss of business opportunities, and more.
Don’t Wait to Protect Your Business
Although the consequences of insider threats may be disastrous, you don’t have to face this problem alone. If you wonder how you can mitigate these threats and prevent losses, we’ve got you covered. Reach out to us today to understand the different ways you can build a resilient cybersecurity posture against insider threats to your ITAM and ITAD processes.
For more information on vetting your ITAM vendors, download our IT Asset Management Vendor Due Diligence Checklist and hear from our president, Joe Harford, as he breaks down each section of the checklist.