Many security systems are designed with a primary goal in mind: to prevent hackers from getting into the network. That's a good beginning because, according to the Verizon Data Breach Investigations Report 2018, nearly 75 percent of data breaches and attacks come from the outside.
However, that also means a quarter of security threats come from within the organization. These threats are hard to defend against, because they come from the people who have authorized access to the network and data and whose behavior doesn't set off red flags. Yet, insiders are capable of doing serious damage to the business, financially and reputationally.
What is an insider threat?
Insider threats come in different forms. First is the accidental insider threat, which occurs when the employee makes an innocent mistake. It could be clicking on a malicious link in a phishing email, emailing sensitive files to the wrong person or leaving a laptop unattended. The employee means no harm to the company, but it creates a security incident.
Malicious insiders are those employees who do mean to cause harm. These people purposely manipulate or steal company information or sabotage the network.
Then there are the insiders who have access permissions but shouldn't. Former employees fall into this category. They leave their job, but the IT department hasn't revoked their permissions, leaving the former employee free to keep using their old accounts. Third-party vendors and consultants, as well as current employees, can also fit into this type of insider threat. They are allowed in certain areas of the network but use their permissions to reach databases and files they were never authorized for. Again, these activities aren't necessarily malicious, but they do mean the data has been breached, which can mean a financial loss for the company under the newer, stricter data privacy regulations.
Insider threats come with a cost. According to Ponemon Institute's 2018 Cost of Insider Threats: Global, a negligent incident by an insider costs $283,000 on average. If the threat involves stolen credentials, that cost rises to more than $600,000 per incident. The larger the company, the more it costs to mitigate the threat.
Insider security incidents cause loss of proprietary and confidential information and can damage an organization's reputation, but most cases are preventable. Let's look at both no-tech and high-tech solutions.
So, where do you start? You can begin preventing insider threat issues by implementing these measures:
- Create a data use policy.
- Educate employees.
- Review user privileges periodically.
- Establish a culture of accountability with managers.
A data use policy, usually part of an acceptable use policy (AUP), spells out what employees may and may not do with information owned by or entrusted to an organization, referring to security, privacy and proper management. Employees must be presented with the data use policy and educated on the purpose of data protection and privacy, and the consequences of breaking the rules.
Regarding user privileges, "one of the most important – and most often overlooked – controls is conducting frequent user account reviews," said Mike Chapple, associate teaching professor of IT, analytics and operations at the University of Notre Dame. "These reviews should watch for unnecessary accounts that were not disabled and for permissions assigned to accounts that are no longer necessary. Privilege creep is one of the major issues leading to insider attacks."
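The account review Chapple describes can be reduced to three checks that run the same way every cycle: accounts still enabled after their owner left, permissions nobody has exercised in a while, and permissions that sit outside what the person's role should carry (privilege creep). The script below is an added illustration of those three checks and is not code from the article or from Notre Dame; the HR roster, the role baseline and the account records are constructed sample data, and the 90-day idle threshold is an assumed policy value.

```python
"""Periodic user-account review: orphaned accounts, stale permissions and
privilege creep against a role baseline. Added illustration; every record
below is constructed, not pulled from a real directory."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    username: str
    enabled: bool
    role: str
    # permission name -> date it was last exercised (None = never used)
    permissions: dict


# Constructed HR roster: usernames of people currently employed.
ACTIVE_STAFF = {"alice", "bob", "dana"}

# Constructed role baseline: the permissions each role is expected to hold.
ROLE_BASELINE = {
    "engineer": {"git_read", "git_write", "ci_run"},
    "finance": {"erp_read", "erp_post"},
}

AS_OF = date(2019, 3, 1)  # constructed review date

ACCOUNTS = [
    Account("alice", True, "engineer",
            {"git_read": date(2019, 2, 27), "git_write": date(2019, 2, 28),
             "ci_run": date(2019, 2, 20), "erp_read": date(2018, 6, 1)}),
    Account("bob", True, "finance",
            {"erp_read": date(2019, 2, 28), "erp_post": None}),
    Account("carol", True, "engineer",  # left the company, never disabled
            {"git_read": date(2018, 11, 2), "git_write": date(2018, 11, 2)}),
    Account("dana", False, "finance",
            {"erp_read": date(2018, 1, 10)}),
]


def orphaned_accounts(accounts, active_staff):
    """Enabled accounts whose owner no longer appears in the HR roster."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.username not in active_staff)


def stale_permissions(accounts, as_of, max_idle_days=90):
    """(user, permission) pairs unused for max_idle_days, or never used."""
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are handled by the disable process
        for perm, last_used in a.permissions.items():
            if last_used is None or last_used < cutoff:
                findings.append((a.username, perm))
    return sorted(findings)


def privilege_creep(accounts, baseline):
    """(user, permission) pairs that fall outside the user's role baseline."""
    findings = []
    for a in accounts:
        extra = set(a.permissions) - baseline.get(a.role, set())
        findings.extend((a.username, p) for p in sorted(extra))
    return sorted(findings)


def review(accounts=ACCOUNTS, active_staff=ACTIVE_STAFF,
           baseline=ROLE_BASELINE, as_of=AS_OF):
    """Run all three checks and return the findings grouped by category."""
    return {
        "orphaned": orphaned_accounts(accounts, active_staff),
        "stale": stale_permissions(accounts, as_of),
        "creep": privilege_creep(accounts, baseline),
    }


if __name__ == "__main__":
    for category, items in review().items():
        print(f"{category}: {items}")
```

Each finding is something a reviewer can act on directly: an orphaned account gets disabled, a stale permission gets removed (and the owner asked to justify it if they object), and a creep finding is compared against the role baseline, which is also the point at which the baseline itself gets corrected if the role's duties have genuinely changed.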
According to Jeff Jenkins, vice president and chief internet security officer for First Advantage, another effective no-tech solution is to establish a culture of accountability with managers through acknowledgments or attestations, ensuring they understand their responsibility for the actions of their staff.
"From a more positive perspective, it is also useful to engage personnel managers to aid in the training, monitoring and enforcing of desirable behaviors from their employees," he said.
If your organization has the budget to invest in a tech solution to protect against insider threats, these are some of the most effective:
- Data loss prevention (DLP)
- Identity and access management (IAM)
- User activity monitoring (UAM)
- User and entity behavior analytics (UEBA)
DLP, according to Chapple, "monitors the network for signs of unauthorized exfiltration of sensitive information. DLP can catch data that matches obvious patterns, such as credit card numbers or Social Security numbers, and it can also watch for files that match the signatures of sensitive intellectual property."
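The two kinds of DLP matching Chapple mentions, pattern matching for things like card numbers and signature matching for known sensitive files, look like this in miniature. The script below is an added illustration, not code from the article or from any DLP product: the messages, the "sensitive" document and the addresses are constructed, the Luhn check is there to cut down false positives on 16-digit numbers that are not card numbers, and the SHA-256 fingerprint stands in for the more elaborate document signatures a real product would use.

```python
"""Minimal DLP-style content inspection: regex patterns for card and SSN
numbers (with a Luhn check to suppress false positives) plus fingerprint
matching for known sensitive documents. Added illustration; all messages,
addresses and documents below are constructed."""
import hashlib
import re

# 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US SSN shape with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed "intellectual property" document and its fingerprint.
SENSITIVE_DOC = b"ACME Widget Co. - Q3 product roadmap (CONFIDENTIAL)\n"


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest used as the document's signature."""
    return hashlib.sha256(data).hexdigest()


KNOWN_FINGERPRINTS = {fingerprint(SENSITIVE_DOC)}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Normalised card numbers in text that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str):
    return [m.group(0) for m in SSN_RE.finditer(text)]


def inspect_message(msg: dict, known=KNOWN_FINGERPRINTS):
    """Return a list of DLP findings for one outbound message."""
    findings = []
    findings += [f"card:{c}" for c in find_card_numbers(msg["body"])]
    findings += [f"ssn:{s}" for s in find_ssns(msg["body"])]
    for blob in msg.get("attachments", []):
        fp = fingerprint(blob)
        if fp in known:
            findings.append(f"fingerprint:{fp[:12]}")
    return findings


# Constructed outbound messages.
MESSAGES = [
    {"to": "partner@example.com",
     "body": "Invoice settled with card 4111 1111 1111 1111, thanks.",
     "attachments": []},
    {"to": "me@example.com",
     "body": "Ticket 1234 5678 9012 3456 is an order id, not a card.",
     "attachments": []},
    {"to": "personal@example.com",
     "body": "Employee SSN on file: 123-45-6789",
     "attachments": [SENSITIVE_DOC]},
]


def scan_all(messages=MESSAGES):
    """Map recipient -> findings, dropping messages with nothing to report."""
    results = {}
    for msg in messages:
        found = inspect_message(msg)
        if found:
            results[msg["to"]] = found
    return results


if __name__ == "__main__":
    for recipient, found in scan_all().items():
        print(recipient, found)
```

The second message shows why the Luhn step matters: "1234 5678 9012 3456" has the right shape but fails the checksum, so it produces no finding, while the test card number and the SSN-shaped value in the other two messages do. In a real deployment the fingerprint set would be built from the document repository on a schedule, and findings would feed an alert or a block decision rather than a print statement.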
IT administrators use IAM to control user access to secure systems, applications and documents, usually through single sign-on (SSO). A user logs in once through the SSO provider and is then granted access to the various applications on the network that their identity is entitled to.
UAM monitors an organization's IT environment and collects real-time user activity data, such as emails and internet uploads and downloads. To be effective, a UAM solution usually works with some type of security information and event management system (SIEM) to send alerts to administrators when something suspicious arises.
A UEBA solution analyzes large volumes of data gathered from IT logs, network applications and endpoints to find patterns of abnormal behavior, which may point to an insider threat. This type of solution is relatively expensive and requires some expertise on the part of the IT staff in interpreting its alerts and reports.
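What "patterns of abnormal behavior" means in practice, for both the real-time user activity data UAM collects and the baselining UEBA performs, is easiest to see on a handful of log lines. The script below is an added illustration and not code from the article or from any UAM or UEBA product: it builds a per-user baseline of daily download volume from constructed history, then flags a day's activity that is far above that baseline, activity from a user with no baseline at all, and access outside assumed working hours. The log format, the user names and the thresholds are all constructed or assumed.

```python
"""Toy UEBA-style scoring over activity logs: per-user volume baseline,
unknown-user detection and off-hours access. Added illustration; the log
lines, baselines and thresholds below are constructed."""
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline: daily download volume (MB) per user over prior days.
BASELINE_DAYS = {
    "alice": [120, 140, 130, 125, 135, 128, 132],
    "bob": [20, 25, 18, 22, 24, 19, 21],
}

# Constructed activity log for the day under review (key=value fields).
LOG = """\
2019-03-01T09:12:00 user=alice action=download mb=140
2019-03-01T10:40:00 user=alice action=download mb=2
2019-03-01T23:55:00 user=bob action=download mb=400
2019-03-01T02:10:00 user=bob action=login mb=0
2019-03-01T11:00:00 user=erin action=download mb=5
"""

WORK_START, WORK_END = 7, 20  # assumed working hours, 07:00-19:59


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict with typed fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["mb"] = float(rec.get("mb", 0))
    return rec


def parse_log(text: str):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def daily_totals(events):
    """Total download MB per user for the events given."""
    totals = {}
    for e in events:
        if e["action"] == "download":
            totals[e["user"]] = totals.get(e["user"], 0.0) + e["mb"]
    return totals


def volume_anomalies(totals, baseline=BASELINE_DAYS, k=3.0, min_sigma=1.0):
    """Users whose day exceeds mean + k*stdev of their history, or who
    have no history at all. Returns {user: reason}."""
    flagged = {}
    for user, total in totals.items():
        history = baseline.get(user)
        if not history:
            flagged[user] = "no baseline for user"
            continue
        mu, sigma = mean(history), max(pstdev(history), min_sigma)
        threshold = mu + k * sigma
        if total > threshold:
            flagged[user] = f"{total:.0f} MB vs threshold {threshold:.0f} MB"
    return flagged


def off_hours(events, start=WORK_START, end=WORK_END):
    """(user, timestamp) for events outside the assumed working hours."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if not start <= e["ts"].hour < end]


def analyze(text: str = LOG):
    events = parse_log(text)
    return {
        "volume": volume_anomalies(daily_totals(events)),
        "off_hours": off_hours(events),
    }


if __name__ == "__main__":
    for category, items in analyze().items():
        print(f"{category}: {items}")
```

Alice downloads a little more than usual and stays under her threshold; Bob's 400 MB is far outside his history, and his two events fall outside working hours, so both detectors fire on him; Erin has no baseline, which a real system would treat as a reason to watch rather than alert. The `min_sigma` floor matters for users whose history is very regular, where an unguarded standard deviation of zero would flag any deviation at all.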
"Although UAM, IAM and UEBA are certainly the more prevalent technologies that security leaders are using or considering for insider-threat detection, it's hard to ignore some of the basic technologies ... such as network segmentation, DLP and endpoint restrictions (limiting admin rights, prohibiting USB devices, etc.) to help combat employees from misusing systems or data," Jenkins said. "Organizations that are serious about preventing insider threats have to give consideration to all forms of security controls, preventative and detective, even if older and more restrictive measures like endpoint restrictions aren't considered popular by employees."
Jenkins also warns against infringing on an employee's privacy rights, especially in countries outside of the U.S. "There can be some challenges regarding deploying controls to limit insider threats, namely for global companies doing business in EMEA or APAC countries. Differences in the way countries in those areas perceive security or a company's right to monitor employee computer activity can cause difficulties, ranging from employees misunderstanding their security responsibilities to the inability to deploy some of the recommended controls. Organizations should explore these challenges well in advance of trying to roll out security measures in international locations."
Much like with budgets, having a plan in place for insider security makes any issues that crop up easier to tackle. Start by making a list of the data you need to protect from insiders, create a rollout plan for any of the no-tech solutions mentioned in this article, and get some data sheets and pricing on DLP, IAM, UAM and UEBA solutions.