publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/1519635
ILTA WHITE PAPER | SECURITY & COMPLIANCE 14
USING EMPLOYEE ENGAGEMENT AND TECHNICAL CONTROLS TO REDUCE INSIDER RISK

provisioning process should be established to ensure that when a user departs from the organization, access to previous systems and account passwords are removed or changed so that the user can no longer access company resources. While minimal privileges can prevent significant, organization-wide changes, logical controls that require multiple users to authorize mission-critical system changes should also be used where possible (Common Sense Guide to Mitigating Insider Threats, Seventh Edition (cmu.edu), p. 79).

Finally, although mitigations may be in place to reduce risk, in the event of a threat actor causing damage to an organization's systems, corrective controls such as data backups, configuration backups, and rollback plans should be utilized to return systems to normal operations. These backups and rollback plans should be tested regularly, as a backup plan should be considered not yet implemented until testing of the plan has been completed, noting mean time to recovery and mean time to resolve.

Non-Technical Approaches to Reduce Insider Risk

While technical measures are essential for safeguarding against insider threats, non-technical approaches also play a crucial role in mitigating these risks within legal firms and corporate legal departments. Non-technical strategies can reduce insider risk by increasing positive reinforcement and incentives and reducing negative environmental factors.

Creating a positive work environment is paramount in reducing insider risk. Employees who feel valued, respected, and satisfied in their roles are more invested in the organization's success and less likely to engage in risky behavior that could compromise security.
By fostering a culture of trust, transparency, and collaboration, organizations cultivate a sense of loyalty and commitment among employees and a culture of shared responsibility for information security. A sense of belonging and camaraderie among employees strengthens their commitment to upholding ethical standards and protecting sensitive information.

Resentment and discontent can significantly increase the risk of insider threats. Organizations must address any underlying issues promptly and effectively. Addressing these issues may involve implementing conflict resolution mechanisms, providing channels for employees to voice their concerns, and addressing grievances fairly and transparently. By promoting a culture of fairness and respect, organizations can reduce the risk of insider threats from internal dissatisfaction or disgruntlement.

Employees who feel valued and see a future with the company are less likely to engage in risky behavior that could jeopardize their careers. Organizations should provide opportunities for career advancement and invest in employees' professional development.

Continuous education and training are essential to any effective insider risk mitigation strategy. Organizations should provide regular security awareness training to all employees, highlighting the importance of confidentiality, data protection, and best practices for safeguarding sensitive information. By keeping employees informed about emerging threats and reinforcing security protocols, organizations empower them to be vigilant and proactive in identifying and mitigating insider risks. Employees should be educated on the potential consequences of their actions and the value of protecting proprietary information. Regular communication reinforces the importance of information security and keeps it at the forefront of employees' minds.
Organizations should ensure that employees understand what constitutes acceptable behavior when handling sensitive data and proprietary information, and that information security policies and procedures are clearly communicated to all employees. Employees should be informed about security updates, best practices, and any changes in policies or procedures (SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations | CSRC (nist.gov), PS-1, Policies and Procedures).

Creating a culture where employees feel comfortable reporting suspicious activities or security concerns without fear of retaliation is essential. Such a culture can be developed by acknowledging and rewarding employees who demonstrate a commitment to information security, recognizing individuals who report security incidents or implement security best practices in their daily work, and implementing anonymous reporting mechanisms to provide employees with a safe way to voice their concerns.
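The departure-time controls from the technical section above (disable a departed user's accounts and change any shared credentials that user knew) can be verified by reconciling an HR departure list against the account inventory and a register of shared secrets. The following is an added example, not code from the white paper or from the guides it cites; the HR records, account inventory, secret register and their field names are constructed sample data and assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    user: str       # account owner (HR identifier)
    system: str     # system the account lives on
    enabled: bool   # can the account still log in?

@dataclass
class SharedSecret:
    name: str           # a shared admin or service credential
    last_rotated: date  # when it was last changed
    known_by: tuple     # users who were given the secret

# Constructed sample data: HR departure dates keyed by user.
DEPARTURES = {"alice": date(2024, 3, 1), "bob": date(2024, 4, 15)}

# Constructed sample data: account inventory exported from each system.
ACCOUNTS = [
    Account("alice", "dms", enabled=False),
    Account("alice", "vpn", enabled=True),   # missed during offboarding
    Account("bob", "dms", enabled=False),
    Account("carol", "vpn", enabled=True),   # still employed, not a gap
]

# Constructed sample data: shared credentials and who was told them.
SHARED_SECRETS = [
    SharedSecret("backup-admin", date(2024, 2, 1), ("alice", "carol")),
    SharedSecret("firewall-console", date(2024, 5, 1), ("bob",)),
]

def offboarding_gaps(departures, accounts, secrets):
    """Return sorted (finding, user, target) tuples for deprovisioning gaps."""
    findings = []
    # Gap 1: a departed user still owns an enabled account.
    for acct in accounts:
        if acct.user in departures and acct.enabled:
            findings.append(("active_account", acct.user, acct.system))
    # Gap 2: a secret a departed user knew was not rotated after they left.
    for secret in secrets:
        for user in secret.known_by:
            left = departures.get(user)
            if left is not None and secret.last_rotated < left:
                findings.append(("unrotated_secret", user, secret.name))
    return sorted(findings)
```

Run on a schedule against live exports, an empty result is the evidence that the deprovisioning control is operating; each finding is an open ticket for the owning system.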