While cybercrime continues to escalate, many of today’s most damaging security threats are not the result of the traditional perception of malicious outsiders breaching a network to deliver malware. While that risk is real, a growing number of organisations are concerned about security risks resulting from insiders – individuals known to the organisation – who have access to sensitive data and systems.
Types of insiders
Insiders who introduce risk into an organisation can generally be broken down into three broad categories:
Malicious insiders. These are users who willfully cause harm through such activities as fraud, data theft, IP theft, and sabotage. Malicious insiders can include disgruntled employees with a grudge, an individual with a political agenda, a compromised user being leveraged to commit cyberespionage or cyberterrorism on behalf of a competitor, political group, or nation state, or simply someone who is behaving badly for monetary gain. When queried, 60 percent of companies indicated that they were concerned about this threat.
Negligent users. This is an individual who, while not malicious, is still willfully side-stepping policy for the sake of productivity. 65 percent of companies expressed concerns about this insider risk.
The risk from these users is high since they almost always have privileged access to systems and devices, such as databases and file servers. While they may not intend to harm the organisation, their negligence can have a significant impact on the organisation.
Careless users. 71 percent of organisations worry about this challenge, as these individuals simply make careless mistakes that could lead to an inadvertent system failure or data breach. This can range from something as simple as clicking on a malicious attachment inside a phishing email or browsing malicious websites, to forgetting to secure a public-facing router or server.
People posing the most risk
Privilege is directly related to the potential impact of an insider threat. Many of today’s modern attacks are designed to escalate privilege, so even a temporary worker with severely restricted access can still create serious havoc inside an organisation. That threat is compounded when more than one risk is present, such as a user who introduces malware into a network that also has weak passwords or misconfigured devices.
Resources most likely to be targeted
In addition to the general mayhem that can be caused by an insider, there are specific systems that are the most likely to be targeted. Because the majority of attackers are financially motivated, financial systems are at the top of the list of resources at risk. However, for industrial espionage attacks, research and development resources and customer support systems are top targets. The one thing almost all attacks have in common, however, is the targeting of data – whether to steal it or destroy it. And the king of data is customer information. User PII (personally identifiable information) that can be extracted and sold on the black market can generate significant financial rewards for an inside attacker. Close seconds are intellectual property that can be sold to competitors or held for ransom and financial data that can be used for such things as insider trading.
Insider threat on the rise
Over two-thirds of organisations believe that insider attacks have become more prevalent over the past year, with nearly half of companies reporting having experienced between one and five critical cyber incidents caused by an insider in the past twelve months. The reasons range from a lack of employee awareness and training to insufficient data protections in place. One of the most concerning trends, however, is the amount of data that now moves outside the traditional data centre perimeter due to the growth of mobile devices, an increased reliance on web applications, and the rapid transfer of data to the cloud.
The biggest challenge with these threats is that they are so difficult to identify. These insiders already have credentialed access to the network and services, so few if any alerts are triggered when they begin to behave badly.
What your organisation can do
There is no magic pill to make this challenge go away. It requires planning, implementing and repurposing technologies, and gaining a holistic view across your network. Here are 10 strategies that can be implemented to minimise the risk of insider threats:
- Train employees to see and report suspicious activity. In addition, run background checks on users being given privileged access to digital resources.
- Deploy tools that can monitor user behaviour and activities, including policy violations, and leverage machine learning to detect unusual behaviour.
- Segment the network to limit activity to specific network regions. For more sensitive operations, a zero-trust model can be especially effective.
- Implement configuration management tools that can quickly assess and identify improperly configured devices.
- Monitor data access and file transfers and invest in file tracking technologies.
- Implement a data loss prevention (DLP) process and related technologies.
- Strengthen identity and access management (IAM), including the use of multi-factor authentication.
- Encrypt data in motion, in use, and at rest. Invest in technologies that can inspect encrypted data at business speeds.
- Use a SIEM tool to correlate threat intelligence gathered from across the network to identify those ‘needle in a haystack’ events that are impossible to detect using manual correlation.
- Use deception technologies and honeypots to detect activity that strays from assigned tasks.
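As an added example (not part of the original article) of the behaviour-monitoring approach behind the second and fifth strategies: a credentialed insider triggers no conventional alert, so detection has to compare each user against their own baseline. The users, dates and access counts below are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: one record per (user, day) giving the number of
# files the user touched and how many of those accesses fell outside
# business hours. Users, dates and counts are made up for this example.
ACCESS_LOG = [
    ("alice", "2024-03-01", 40, 0), ("alice", "2024-03-02", 45, 0),
    ("alice", "2024-03-03", 38, 1), ("alice", "2024-03-04", 42, 0),
    ("alice", "2024-03-05", 41, 0),
    ("alice", "2024-03-06", 900, 120),  # bulk read at night: deviates
    ("bob", "2024-03-01", 10, 0), ("bob", "2024-03-02", 12, 0),
    ("bob", "2024-03-03", 9, 0), ("bob", "2024-03-04", 11, 0),
    ("bob", "2024-03-05", 13, 0), ("bob", "2024-03-06", 12, 0),
]

def group_by_user(records):
    """Group (day, files, offhours) rows per user, ordered by ISO date."""
    per_user = defaultdict(list)
    for user, day, files, offhours in sorted(records, key=lambda r: r[1]):
        per_user[user].append((day, files, offhours))
    return per_user

def build_baselines(records, window=5):
    """Per-user (mean, stddev, max off-hours) over the first `window` days.
    A zero stddev is floored at 1.0 so a flat history does not divide by 0."""
    baselines = {}
    for user, rows in group_by_user(records).items():
        train = rows[:window]
        counts = [files for _, files, _ in train]
        baselines[user] = (mean(counts), pstdev(counts) or 1.0,
                           max(off for _, _, off in train))
    return baselines

def detect_anomalies(records, baselines, window=5, z_threshold=3.0):
    """Flag days after the baseline window whose volume or off-hours access
    departs from that user's own history. Returns (user, day, reason)."""
    alerts = []
    for user, rows in group_by_user(records).items():
        mu, sigma, max_off = baselines[user]
        for day, files, offhours in rows[window:]:
            z = (files - mu) / sigma
            if z > z_threshold:
                alerts.append((user, day, f"volume z-score {z:.1f}"))
            elif offhours > max_off:
                alerts.append((user, day, f"off-hours accesses {offhours}"))
    return alerts
```

Calling detect_anomalies(ACCESS_LOG, build_baselines(ACCESS_LOG)) yields a single alert for alice's bulk read on 6 March, while bob's ordinary day passes silently.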
Addressing insider threats requires proactive efforts
Attackers continue to apply pressure across the entire attack surface, looking for lapses in protection and vulnerabilities to exploit. By combining deterrence and detection with automation, however, organisations can take a much more proactive approach to detecting and mitigating insider threats – while keeping critical security personnel focused on higher-order tasks such as strategic planning and threat analysis.