Insider threats are among the most dangerous cyberthreats out there. Yet, organizations of all sizes seem to be either reluctant or negligent when it comes to fighting them. Even though some companies have an insider risk management program, they have a limited cybersecurity budget for mitigating insider risk.1 Simply having an insider risk management program is insufficient to protect your corporate data from today’s sophisticated attacks.
This brief article will shed some light on the types of insider threats you must detect and mitigate, the damage they could cause, the user attributes that increase these risks and the security controls you should implement to prevent and defend against these threats.
Understanding insider threats
Simply put, an insider threat is an employee or contractor who, either wittingly or unwittingly, uses their authorized access to cause harm to your business. There are three types of insider threats businesses might fall prey to:
- Negligent insider: A careless or negligent employee or contractor who unwittingly lets a hacker access your business’ network.
- Criminal insider: A criminal or malicious insider who abuses his or her privileged access to your business’ network to either steal or exfiltrate sensitive data for either financial gain or plain old revenge.
- Credential theft: A credential thief who poses as an employee or a contractor to gain access to sensitive data and then illegally uses the data for financial gain.
The serious damage insider threats can cause
Even a single security breach caused by an insider threat can seriously damage your business in the following ways:
- Theft of sensitive data: Valuable data, such as customer information or trade secrets, could be exposed following a breach. Recently, a leading hospitality service provider experienced a data breach that compromised sensitive data, including credit cards and other confidential information about guests and employees.
- Induced downtime: The downtime following a breach impacts your business in more ways than one. As mentioned earlier, it can take a long time for you to ascertain the details of a breach and then control the damage. This period can drain your business resources as it did to a company that ultimately was forced to shut down permanently after a disgruntled employee deleted thousands of documents from its Dropbox account.
- Destruction of property: A malicious insider could cause damage to physical or digital equipment, systems, applications, or even information assets. A former employee of a leading tech company gained unauthorized access to its cloud infrastructure and deleted hundreds of virtual machines, jeopardizing access to thousands of users. The tech major had to shell out a hefty sum to fix the damage and pay restitution to the affected users.
- Damage to reputation: This is a guaranteed consequence of a security breach. Investors, partners and clients may immediately lose confidence in your business’ ability to protect personal information, trade secrets or other sensitive data.
User attributes that aggravate insider threats
The likelihood of a security breach caused by an insider could significantly increase due to:
- Unnecessary access provided to users who don’t even need it to perform their responsibilities
- Haphazard allocation of rights to install or delete hardware, software and users
- Usage of weak login credentials and inadequate password hygiene practices
- Users that act as a single point of failure because of lack of access control (a phenomenon common with CEO fraud)
Build a resilient defense against insider threats
As a business, you can undertake a list of security measures to build a resilient defense against insider threats as part of a proactive strategy rather than a reactive one. Some immediate measures you can implement right away include:
- Assess and audit all systems: Direct your IT team to assess and audit every system, data asset and user to identify insider threats and document them thoroughly for further action.
- Restrict access and permission controls: Not every employee needs to have access to every piece of data. You must review and limit unnecessary user access privileges, permissions and rights. · Mandatory security awareness training for all users: This measure is non-negotiable. Every user on your network must be trained thoroughly on cyberthreats, especially insider threats, and on how to spot early warning signs exhibited by potential insider threats such as:
- Downloading or accessing substantial amounts of data
- Accessing sensitive data not associated with the employee’s job function or unique behavioral profile
- Raising multiple requests for access to resources not associated with the employee’s job function
- Attempting to bypass security controls and safeguards
- Violating corporate policies repeatedly
- Staying in the office during off-hours unnecessarily
- Enforce strict password policies and procedures: You must repeatedly encourage all users to follow strict password guidelines and ensure optimal password hygiene.
- Enhance user authentication: Deploy enhanced user authentication methods, such as two-factor authentication (2FA) and multifactor authentication (MFA), to ensure only the right users access the right data securely.
- Determine “baseline” user behavior: Devise and implement a policy to determine “baseline” user behavior related to access and activity, either based on the job function or the user.
- Deploy ongoing monitoring to detect anomalies: Put in place a strategy and measures that will identify and detect abnormal/anomalous behaviors or actions based on “baseline” behaviors and parameters.
Detecting insider threats and building a robust defense strategy against them can be a tough task for most businesses, regardless of size. The right IT service provider can help you assess your current security posture, determine potential insider threats to your business, fortify your cybersecurity infrastructure and secure your business-critical data.