Texas Presbyterian Foundation

The Increasing Risk of Insider Threats

By Mary Beth Foster, TPF’s Director of IT

Insider threats are a plague to companies throughout the world, and unfortunately, churches and non-profits face these same threats. What exactly are insider threats, and how can they affect you?

According to Wikipedia, an insider threat is “a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data and computer systems.” In general, the most common types of insider attacks include fraud, the monetization of sensitive data, sabotage, intellectual property theft, and espionage. However, with churches and non-profits the threat is more often not so nefarious: it is the result of a negligent or over-casual approach to security controls. Because churches and non-profits are altruistic organizations, the overarching mentality when it comes to managing employees is one of inclusion and trust. Often, users are given more access than they need, with too few restrictions on key business applications.

So, what creates the vulnerabilities that allow for insider threats? While the contributing factors always vary, there are three main situations you need to be aware of and make every effort to actively manage in order to prevent insider threats:

  1. Carelessness, or lack of security training: Think about an employee who has access to sensitive personal or financial information. This person leaves his or her desk for several minutes (or hours) without locking the screen, or, even worse, locks the computer but leaves the password to unlock it on a sticky note attached to the monitor. Someone with malicious intentions can easily gain access to information during the employee’s absence.
  2. Disgruntled employees: Often the insider threat comes in the form of a disgruntled employee with access to far more sensitive data than the job requires, which could be used to hurt the organization. To successfully maintain the integrity of your data, users should ONLY have access to the information necessary to accomplish their job or mission, and no more.
  3. Mobile devices: The constantly increasing number of mobile devices with access to sensitive data is another area of concern. Organizations need to have policies to ensure the devices that have access to sensitive data are adequately secured with passcodes and can be tracked and wiped in case of loss or theft.
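The second point above, least privilege, is easiest to act on when someone periodically compares what each user was granted against what the role actually needs. The following script is an added example and is not part of the original article or any TPF system; the role names, the permission labels and the account list are constructed sample data standing in for an access-report export from a donor or accounting application.

```python
"""Entitlement review for least privilege: flag accounts whose granted
permissions exceed the minimum defined for their role.
Added example; ROLE_PERMISSIONS and ACCOUNTS are constructed sample data."""

# Hypothetical minimum permission set per role (an assumption for this
# example; a real organization defines these from its own job descriptions).
ROLE_PERMISSIONS = {
    "bookkeeper": {"donations:read", "donations:write", "bank:read"},
    "pastor": {"members:read", "members:write", "donations:read"},
    "volunteer": {"events:read"},
}

# Constructed sample of accounts as an access report might list them:
# (username, assigned role, permissions actually granted in the application)
ACCOUNTS = [
    ("alice", "bookkeeper", {"donations:read", "donations:write", "bank:read"}),
    ("bob", "volunteer", {"events:read", "members:read", "donations:write"}),
    ("carol", "pastor", {"members:read", "members:write", "donations:read", "bank:write"}),
    ("dave", "intern", {"events:read"}),  # role not defined, so nothing is justified
]


def excess_permissions(role, granted):
    """Return the permissions granted beyond the role's defined minimum, sorted.
    An unknown role justifies nothing, so every grant on it is reported."""
    needed = ROLE_PERMISSIONS.get(role, set())
    return sorted(granted - needed)


def review(accounts):
    """Return {username: [excess permissions]} for every over-provisioned account.
    Accounts whose grants match their role exactly are omitted."""
    findings = {}
    for user, role, granted in accounts:
        extra = excess_permissions(role, granted)
        if extra:
            findings[user] = extra
    return findings


def remediation_plan(findings):
    """Flatten findings into (user, permission) pairs to revoke or justify,
    ordered by user so the list can be worked through with the data owner."""
    return [(user, perm) for user, perms in sorted(findings.items()) for perm in perms]


if __name__ == "__main__":
    for user, extra in review(ACCOUNTS).items():
        print(f"{user}: review or remove {', '.join(extra)}")
```

Run on the sample data, the review reports bob (a volunteer holding member and donation rights), carol (a pastor with bank write access) and dave (an undefined role), while alice, whose grants equal her role, is left alone. The same comparison works for any application that can export per-user permissions; the point is that every grant beyond the role's minimum gets a named owner who either revokes it or writes down why it is needed.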

It is the responsibility of each organization to protect the personal information of its congregation and supporters from these attacks. To do this successfully, you must carefully monitor your data, business applications, wireless access security, servers, desktops, laptops, mobile devices, and your users!