When you think of insider threats as part of your IT security strategy, you likely focus on preventing rogue employees from carrying out malicious attacks or restricting their ability to steal valuable data. What if, instead, these employees have no malicious intent, but still represent insider threats through ignorance or negligence? What can be done?
Employee negligence and ignorance remain the leading cause of insider security events, as reported in CSO’s 2017 U.S. State of Cybercrime Survey. According to the survey, 54 percent of all security-related incidents were caused by employees or other insiders, broken down as follows: 28 percent were unintentional or accidental, 18 percent were intentional, and 8 percent resulted from the theft of insider credentials.
These statistics show that there is far more going on behind the scenes than what you might initially believe. Let’s review the basics when it comes to insider threats in cybersecurity, and then examine three insider threat solutions you can implement to protect your organization immediately.
But first, let’s make sure we’re all on the same page about the specific types of insider threats you need to protect against. We will begin by examining insider attacks: what they are and the various kinds of threats to put on your radar.
What Is An Insider Threat?
An insider threat is usually a trusted employee or contractor who has been granted a higher level of trust than an outsider would be. That trust is established through a primary means of authentication (proving who the person is) followed by authorization to private assets (what that person is allowed to reach).
Now let’s review the difference between an insider threat and an insider attack. An insider threat need not be malicious; an insider attack, simply put, is an attack executed on a computer system by an insider who has authorized system access and malicious intent. In most cases there is less protection against insider attacks because organizations concentrate their defenses on external attackers, and controls that rely on the network perimeter are blind to a user who is already inside it.
Malicious Insider Threats
In preparing your strategy for combating insider threats, it is essential to acknowledge the most common types of insider attacks. The first group of insider threats is malicious threats. The primary forms of malicious insider threats include the following:
- Intellectual property (IP) theft
- IT sabotage
Indicators of insider-threat activity include unusual access to sensitive files, unauthorized software installations, and suspicious web-browsing activity.
This leads us to the second, and by the survey figures above the more common, type of insider threat: unintentional, non-malicious threats. Later we’ll discuss how educating employees helps prevent these threats from harming your organization.
The following are some of the most common threats caused by insider negligence:
Unintentional sensitive information disclosure
An employee discloses sensitive information to external parties by accident: sending or replying to an email with the wrong recipient address, ignoring information classification markings, or storing sensitive documents in the wrong place.
Malicious website redirection
An employee is sent to a malicious, illegitimate website because the legitimate URL has been redirected, for example through a tampered DNS record or a lookalike link. Even when the URL is typed correctly, the browser can still end up at a fake site.
Phishing
Fake emails, text messages, and websites are created to look as if they come from a trusted person or an authentic company. Criminals send them to steal personal and financial information from you and your employees.
Malware
Malware is malicious software that infects your organization’s computers. Examples include viruses, worms, Trojan horses, spyware, and adware.
Ransomware
Ransomware is a type of malware that restricts access to your computer or your files and displays a message demanding payment for the restriction to be removed. The two most common infection vectors are phishing emails carrying malicious attachments and malicious pop-up advertisements on websites.
As with any security strategy, tailor this list to your specific business needs. Next, let’s look at what is at stake, and then move on to the solutions for protecting against insider threats.
What’s the Impact to Your Business?
Before outlining your strategy, you must look at what is at stake from insider threats at your company. The most common risks to your company consist of the following:
- Revenue: According to a global study of insider threats, the average cost of a cybersecurity breach involving employees or others within an organization is $8.7 million. An organization that suffers a breach usually also loses the trust of customers, who take their business elsewhere.
- Competitive Advantage: Insider threats often result in private or proprietary information going public.
- Reputation: Once an insider threat is caught and revealed to the public, trust in your organization is diminished.
- Loss of productivity: Each insider-related security event consumes many staff hours for detection, containment, clean-up, communication, and more. Large groups of employees end up dealing with the consequences instead of their regular tasks, which reduces the organization’s productivity.
Insider Threat Solutions
If you fail to address insider threats, you could be putting your organization in harm’s way. What’s at stake is your company’s competitive advantage, reputation, and revenue, plus the additional operational cost of responding.
Additionally, if you are subject to requirements such as HIPAA, PCI DSS, or SOC 2 but fail to meet their security minimums, you could incur fines, face legal repercussions, lose revenue, and lose business opportunities. Insider threats are real and not uncommon. Fortunately, there is plenty you can do to decrease the risk of harm caused by one of your trusted insiders.
Before we dive into the solutions, there is a prerequisite step that lays the foundation for every later security effort: before spending time and money on protection, each organization must define which information assets are worth protecting.
Data Classification: You Must First Determine What’s Worth Protecting and to What Degree
Now that you have a clear idea of what’s classified as an insider threat, you should prioritize what needs protection using data classification. For example, your customer’s data, your financials, and your proprietary data are more valuable than your administrative documents, and therefore, require a higher level of protection.
You’ll want to note the following:
- What form is your data stored in (electronic or physical)?
- Where is the data stored?
- How is the data accessed? Who has access to which data (employees, managers, contractors, and non-human accounts such as service accounts)?
- How are changes logged?
- What controls are in place to secure the data?
Critical assets can be both physical and logical and can include facilities, systems, technology, and people. A critical asset can be thought of as something of value that if destroyed, altered, or otherwise degraded would impact confidentiality, integrity, or availability. This would have a severe negative effect on the ability of the organization to support essential missions and business functions.
Now that we know what we want to protect and what form it takes, we will cover three insider threat solutions that help protect your IT systems against both negligent and intentional insider threats.
Insider Threat Solution Step #1: Educate Employees on Data Security, Security Policies and common security threats
When developing your insider threat strategy, your first solution should be centered around prevention through education. Employees need to understand what security policies and procedures are in place, why they exist, and what security measures protect your network. Informed employees are your first line of defense!
A consistent, clear message on organizational policies and controls will help reduce the chance that employees will inadvertently commit a crime or lash out at the organization for a perceived injustice. Your company’s data security training program curriculum should be focused on the following information to be as effective as possible in preventing accidental insider cybersecurity threats:
- Different types of information assets, how to classify and recognize them
- Policies and procedures associated with good asset management, risk recognition, assessment and mitigation
- Selection of applicable security controls to mitigate identified risks
- The importance of security event detection and incident response
- Different roles, responsibilities, and interactions of company employees
- Common threats employees may face (phishing, viruses, and malware), and the principles of secure communication, both internal and with third parties
One primary goal of data security education is to get your employees to buy into the idea that security is essential. Educate them on the value of company data. Zero in on crucial areas such as the different types of data, what’s shareable and what’s not, and why access controls are critical.
By implementing comprehensive, mandatory training for all employees, with additional depth for those who hold privileged system access, you take a vital step toward reducing, and ideally preventing, insider threats at your company. This training must be repeated regularly, at least annually and again whenever policies or the threat picture change, to remain effective.
Insider Threat Solution Step #2: Protect Your Infrastructure
The next recommended solution for protecting your company’s data from insider attacks is to focus on protecting your IT infrastructure. This is a vital step to ensure your organization’s key facilities and systems are adequately secured. You can do this by following our five-step process: identification, prevention, control, detection, and incident response.
Step 1: Identification
To begin, identify all potential risks that could affect the security of your organization’s assets by building your risk universe. Document every known scenario and collect ideas from every department. Once you have determined the possible threats, define the mitigation option(s) for each before you find yourself up against an insider attack.
Step 2: Prevention
A solid, detailed plan for addressing risks is the foundation of proper threat prevention. As part of your prevention plan, check whether adjusting processes or activities can reduce the potential risks or minimize the impact of adverse events. Warning messages, such as the message of the day (MOTD), login banners, and notifications, act as a deterrent to insider attacks and put users on notice that their activity is monitored; a banner displayed before login is seen by anyone who attempts access, authorized or not. The MOTD below states acceptable use so that employees know what is expected of them. This type of prevention-based strategy is useful in many circumstances when dealing with insider threats:
“This computer system is the private property of [company name]. It is for authorized use only. Users (authorized & unauthorized) shall not have an explicit/implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized sites, government, and/or law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign. By using this system, the user expressly consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such officials.
Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system, you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.”
Aside from messages that spell out what users should and should not do, implementing proper operational processes is also essential. This includes segregation of duties, access limitation and management, and change control.
An often overlooked prevention method is implementing asset management and asset movement tracking. Movement tracking is the part of asset management that lets you locate any asset at any point in time. It matters because assets that store sensitive information may be moved from one facility to another and get lost or damaged along the way, so mitigating that risk deserves attention. To decommission assets and data properly, you must know where the relevant data resides at the physical location, component, and application level.
Step 3: Control
During this phase, your focus is on insider threat control and the solutions you can implement to better protect yourself when facing an attack. Start by incorporating the ability to centrally manage accounts and account access. Centralized access control speeds up investigation: you can locate an account and limit its access from one place if necessary. A number of tools and methods help you control access at the database, system, or file level.
Identity and access management is one of the controls organizations rely on to manage users, privileges, and access to resources. Used well, it reduces the risk from internal threats by limiting sensitive assets (both tangible and intangible) to those who need access, and by making that access reviewable and revocable. An additional layer of protection comes from adding a second authentication factor. Multi-factor authentication means requiring two or more of the following to grant access to an account:
- something you know (e.g. a password)
- something you are (biometrics, such as a fingerprint or retina scan)
- something you have (e.g. a hardware token or a phone running a code generator application; a code sent by SMS or a printed list of one-time backup codes also counts, although SMS is the weakest of these because a phone number can be hijacked)
Beyond blocking unauthorized access to accounts, multi-factor authentication can also warn users that someone is trying to log into their account: an unexpected code request or approval prompt on their phone is an immediate signal of suspicious activity. Train users never to approve a prompt they did not initiate, and to report it.
Firewalls are a powerful tool you can layer in to block unwanted traffic from reaching your networks and to segregate sensitive areas of your network from riskier ones. Unwanted traffic can come from anything that tries to connect to your network, from mobile phones and wearables to smart beds in hospitals. Software that your IT department did not approve or audit for proper security measures can also generate unwanted traffic. Building systems such as HVAC controllers are networked now as well; the 2013 Target breach began with credentials stolen from a third-party HVAC vendor whose network access was not segmented from the systems that handled payment data.
Cryptography and encryption are another way to reduce the chance of inappropriate access. Encryption protects data at various levels, from a single file to an entire database, against anyone who lacks the key. Encryption is not impenetrable, but it is a major obstacle for outsiders and insiders alike: if encrypted data is accessed inappropriately or stolen, it is unreadable and nearly useless without the key. The caveat is key management. An insider whose role legitimately grants the key still sees plaintext, so protect and audit access to keys as carefully as access to the data itself.
If you aren’t familiar with the technology: encryption, built on the ancient science of cryptography, uses algorithms and keys to turn readable plaintext into unreadable ciphertext, and the correct key to turn it back. Modern cryptography is the practice of converting a readable message into an unintelligible one while retaining the ability to restore it to readable form.
Step 4: Detection
Installing auditing and monitoring tools in your IT environment allows your organization to stay vigilant against insider threats. Monitoring tools track activity around critical assets: unauthorized system changes, user behavior, file integrity, file access, and network traffic.
Detection can happen through processes, such as the change management process, or through audit policies that log events and monitor the logged events. Because of the number of system components involved and the volume of logs they generate, automation is usually required in the form of a SIEM (Security Information and Event Management) system that parses and correlates the data and raises alerts only for events that need further review. A SIEM does generate false positives and its rules need tuning, but its primary benefit is reducing and normalizing log data so that staff gain visibility into the environment’s security status at any point in time and detect security events as they happen, which shortens response time and limits the impact of incidents.
Regardless of which tools or methods you use, assign someone the responsibility of overseeing and monitoring them; some security activities cannot be automated, and you always want an experienced staff member watching your detection tooling so that incident response can be initiated when needed.
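As an added illustration (example code written for this article, not a LightEdge tool and not any SIEM product’s rule syntax), the Python below runs three insider-oriented correlation rules over a constructed file-access audit log: access outside the user’s department’s normal paths, confidential reads after hours, and a burst of distinct confidential files within a short window. The log format, the department-to-path map, the hours and the thresholds are all hypothetical; in a real environment the same logic would be expressed as correlation rules in your SIEM and fed by file-server or EDR audit events.

```python
"""Insider-threat correlation rules over file-access audit events (SIEM-style).

Example code for this article. The log lines, role model and thresholds below are
constructed for illustration and do not come from any real system.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: ISO-8601 UTC timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z user=asmith dept=finance action=read path=/finance/q3_forecast.xlsx class=confidential
2024-03-04T09:05:40Z user=asmith dept=finance action=read path=/finance/payroll_2024.csv class=confidential
2024-03-04T13:17:02Z user=jdoe dept=engineering action=read path=/eng/build_notes.txt class=internal
2024-03-04T13:18:45Z user=jdoe dept=engineering action=read path=/finance/payroll_2024.csv class=confidential
2024-03-04T23:41:03Z user=asmith dept=finance action=read path=/finance/board_deck.pptx class=confidential
2024-03-05T14:10:00Z user=rlee dept=sales action=read path=/sales/leads_001.csv class=confidential
2024-03-05T14:10:30Z user=rlee dept=sales action=read path=/sales/leads_002.csv class=confidential
2024-03-05T14:11:00Z user=rlee dept=sales action=read path=/sales/leads_003.csv class=confidential
2024-03-05T14:11:30Z user=rlee dept=sales action=read path=/sales/leads_003.csv class=confidential
2024-03-05T14:12:00Z user=rlee dept=sales action=read path=/sales/leads_004.csv class=confidential
2024-03-05T14:12:30Z user=rlee dept=sales action=read path=/sales/leads_005.csv class=confidential
"""

# Hypothetical role model: path prefixes each department legitimately needs.
# Unknown departments match nothing, so the rule fails closed.
ALLOWED_PREFIXES = {
    "finance": ("/finance/",),
    "engineering": ("/eng/",),
    "sales": ("/sales/",),
}
MASS_ACCESS_THRESHOLD = 5                    # distinct confidential files ...
MASS_ACCESS_WINDOW = timedelta(minutes=10)   # ... read within this sliding window
AFTER_HOURS_START, AFTER_HOURS_END = 22, 6   # 22:00-06:00 UTC counts as after hours


def parse_line(line):
    """Split one audit line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def is_after_hours(ts):
    return ts.hour >= AFTER_HOURS_START or ts.hour < AFTER_HOURS_END


def detect(log_text):
    """Return a list of (rule, user, detail, timestamp) alerts, in log order."""
    alerts = []
    recent = defaultdict(deque)  # user -> deque of (ts, path) confidential reads in the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, dept, path, ts = ev["user"], ev["dept"], ev["path"], ev["ts"]

        # Rule 1: access outside the department's normal scope, regardless of classification.
        if not path.startswith(ALLOWED_PREFIXES.get(dept, ())):
            alerts.append(("out_of_role_access", user, path, ts))

        if ev.get("class") != "confidential":
            continue

        # Rule 2: confidential data touched after hours.
        if is_after_hours(ts):
            alerts.append(("after_hours_confidential", user, path, ts))

        # Rule 3: many distinct confidential files in a short window (bulk collection).
        window = recent[user]
        window.append((ts, path))
        while window and ts - window[0][0] > MASS_ACCESS_WINDOW:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) == MASS_ACCESS_THRESHOLD:  # fire once, when the threshold is crossed
            detail = f"{len(distinct)} distinct confidential files within {MASS_ACCESS_WINDOW}"
            alerts.append(("mass_confidential_access", user, detail, ts))
    return alerts


if __name__ == "__main__":
    for rule, user, detail, ts in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M}Z  {rule:<26} {user:<8} {detail}")
```

Run against the constructed log, the rules produce exactly three alerts: jdoe reading a finance payroll file from engineering, asmith opening a board deck late at night, and rlee pulling five distinct lead files in under three minutes. The mass-access rule counts distinct paths, so re-reading the same file does not inflate the count, and it fires once at the threshold rather than on every subsequent read; both choices keep alert volume low enough for the person assigned to watch the console.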
Step 5: Incident Response
The fifth and final phase is incident response. Here you and your organization put in place the capabilities needed to respond appropriately to a legitimate insider threat when an attack on your data occurs. Ensure you can collect evidence of security events, the activities associated with them, and their impact, and preserve that evidence in a form that will stand up in an HR or legal proceeding.
You can monitor network traffic and activity with tools such as SIEM, intrusion detection, file monitoring, and log management to see what is happening across your entire IT environment. When you set up these tools, you also define alert rules based on what is normal for your organization. When you see abnormal activity, your reaction time makes a huge difference to how far the issue spreads. If the breach is real, for example an insider accessing files they should not be able to reach, you can immediately revoke or restrict their access so they cannot take further action. Again, make sure someone is responsible and accountable for monitoring abnormal events and kicking off your approved procedures to contain security events.
Consultancy firm McKinsey points out that “Incident response documentation is often ‘out of date’ and ‘generic’ and ‘not useful for guiding specific activities during a crisis.’ This means you need to start with the basics, implementing a plan and mapping out the right structure and laying out employee roles.”
Strive for continuous improvement and be sure to test out your incident response methodology.
You should create KPIs for security issue triage and test your plan regularly, at least annually, for example with a tabletop exercise built around an insider scenario. Running tests keeps the plan up to date and reveals any gaps that need to be remedied.
Insider Threat Solution Step #3: Implement Operations Activities & Controls Efficiency Audits
Your last step in mitigating threats from insiders is determining how well your controls are working. This solution focuses on the processes and policies your organization needs to develop and enforce to keep insider threats from escalating.
Examples of policies include an Information Classification and Management Policy, Risk Management Policy, Assessment and Authorization Policy, Asset Management Policy, Personnel Security Policy, and Internal Control Policy. Keep in mind that cybercriminals can and will outsmart or outspend you if technology and tools are your only protection. As individuals join the organization, they should receive a copy of the organizational policies that lay out what is expected of them and the consequences of violations. As employees leave, their access to all systems and data should be revoked immediately, including any shared credentials, keys, or tokens they held. This is a commonly missed step in data security!
Preventative activities focused on awareness help drive a culture of compliance and security. We recommend being particularly clear on policies regarding the following:
- Acceptable use and disclosure of the organization’s systems, information, and resources
- The use of privileged or administrator accounts
- Acceptable use policies for any device that connects to your network
Remember, training is an ongoing process; it’s a continuous cycle where your business works to improve its processes, policies and procedures, which includes training. Your goal should be to continuously improve your security efforts. You’ll need to develop KPIs and check them regularly during your efficiency audits. The idea is to hold you and your staff accountable and responsible for how well you’re following your plan and make technology, process, and policy updates accordingly. KPIs include:
- How many security incidents you had in one year
- The number of incidents that were submitted by employees
- Employee scores on the security training
The bottom line is that insider threats pose increasingly high risks to organizations across all sectors, and all too often we focus on external threats instead of what is happening within our own organizations.
By following our solutions and tips, you will be able to mitigate and contain insider attacks more efficiently. LightEdge helps businesses identify and remediate security issues, including insider threats from authorized users. Secure your network and data 24/7 with LightEdge’s proven technology, people, and processes. Contact us today for a free security evaluation to see how you can strengthen your security posture.