Insider Threat Awareness: Avoiding Internal Security Breaches
How to prepare for, prevent and detect a cybersecurity attack from within your organization.
"Insider Threat," a potential cybersecurity breach from within your organization, has been a topic of intrigue for cybersecurity professionals for many years and continues to be a significant concern today. Not only do we find ourselves having to defend against internet-borne attacks from cybercriminals, hackers, and many other threat actors. We must keep a watchful eye within our office locations, control rooms, datacenters, and many other areas under our protection - on the lookout for the Insider Threat.
You might think insider threats are only a problem in large corporations, but the truth is that they are a massive issue for small businesses too.
An insider has access to sensitive information because they are an employee, contractor, or partner. They could potentially use that information to cause harm to the company or its customers.
The intelligence community uses the term "Insider Threat" to describe employees who leak or share information with unauthorized parties. Insider refers to someone working in your organization who may pose a risk to you if they make a mistake with data handling procedures.
Insiders are not limited to people who work in IT. They could include administrators, engineers, developers, project managers, salespeople, customer service representatives, or finance...anyone who has access to information that is not for public consumption. Whether they possess privileged access credentials or not, these individuals have access that allows them to view confidential files and systems.
It may be that they have too many permissions, usually acquired over a lengthy period of employment, where they've had multiple roles, and have kept permissions as they've moved around - this is known as "Privilege Creep." Having access to data that isn't required for their current role puts a person in a prime position to steal intellectual property, a trade secret, proprietary designs or financial records.
The insider threat exists for multiple reasons. Those with malicious intent are obviously a real problem for companies, but there are also implications for employees who unintentionally leak information.
Read also: Security Pitfalls IT Often Overlooks
Types of Insider Threat
Your trusted employees can be unaware of how their carelessness or negligent actions can affect the company or its employees. For example, they might not know that clicking on an innocent-looking link could lead to malware entering the network, or sharing sensitive hard copies of documents with other colleagues who don't hold the appropriate access levels could lead to a breach. Or they might think that it's no big deal to share it with others because the document wasn't sensitive.
People often don't consider that data aggregation can add up to a considerable amount of information, making it a valuable commodity to a competitor. If such data becomes compromised, it can cause serious harm to the company.
There is an essential distinction between insider threats; one is unintentional, and the other is a malicious threat actor. Malicious insiders may include disgruntled employees or staff working their notice period who intentionally take company data with them.
Or it could be an engineer who has misconfigured a system setting that exposes your internal environment to the internet, now visible on Shodan. Or the developer who hasn't considered security from the outset and has left a backdoor in the application code discovered by a malicious insider threat. Access to any sensitive information (i.e., corporate documents, financial records, personal information about customers and employees), regardless of the source, is currency to a malicious insider.Read Also: Cybersecurity Concerns Rise for Remote Work
Insider Threat Statistics
According to an independent study conducted by the Ponemon Institute, the average global cost of Insider Threats rose by 31% in two years to $11.45 million, and the frequency of incidents spiked by 47% in the same period.
Here are some highlights from the report:
The highest overall cost center for organizations is containment, at an average of $211,533 per company annually.
The fastest-growing cost center is investigations, costing organizations a whopping 86% more than they did only three years ago.
The longer an incident lingers, the costlier it gets. The average incident takes 77 days to contain. Incidents that took more than 90 days to contain cost organizations an average of $13.71 million on an annualized basis.
Insider Threat Indicators
Downloading or accessing substantial amounts of data.
Accessing sensitive data not associated with their job function.
Accessing data that is outside of their unique behavioral profile.
Multiple requests for access to resources not related to their job function.
Using unauthorized storage devices (e.g., USB drives).
What Should You Do If You Suspect Potential Insider Threat?
There are various ways to identify unusual behavior among your employees, such as suspicious acts or behaviors or signs of manipulation. You can also determine whether the behavior is consistent with the employee's work task and whether it is normal or deviated from their normal user behavior. Regardless of the circumstances, report it immediately!
Insider Threat Detection
Identify patterns of activity: Lookout for abnormal communication patterns, especially those involving large volumes of traffic. For example, someone sending hundreds of emails could indicate something fishy going on. Inform your Data Loss Prevention (DLP) team to place a watch on any suspicious activity.
Prevent an insider from being a threat: You need to identify signs of abnormal behavior. Identify gaps in your security, the gap between what is required and what exists at your organization. In other words, you need to know whether your environment is secure enough to protect confidential data from malicious actors and those unintentional mistakes. If not already in place, implement additional security measures such as File Access Management, Just in Time Access (JIT), Behavioral Analytics, Email security for outbound mail, protecting against sending to the wrong recipient. Protect users from malicious inbound emails that contain suspicious links.
Monitor behavior of users: To detect insider threats, you need to keep a close eye on the people that enter your physical and network perimeter. For example, you can observe that someone is trying to access sensitive data they have no legitimate business need or permission. You should also be cautious if someone externalizes information without authorization, such as a disgruntled employee attempting to disclose information about a company. Monitor for any suspicious attempts to plug an unauthorized or rogue device into a network point - consider Network Access Control (NAC)Read also: 5 Things to Know about BYOD Security
Countermeasures and Insider Threat Solutions
According to Proofpoint, the top ways to stop insider threats are:
- Detection of Insider Threats - Uncover risky user activity by identifying anomalous behavior.
- Investigate Incidents - Investigate suspicious user activity in minutes—not days.
- Prevent Incidents - Reduce risk with real-time user notifications and blocking.
- Protect User Privacy - Anonymize user data to protect employee and contractor privacy and meet regulations.
- Satisfy Compliance - Meet key compliance requirements regarding insider threats in a streamlined manner.
- Integrate Tools - Integrate insider threat management and detection with SIEMs and other security tools for greater insight.
This article discussed the issue of what to do if you suspect an insider threat. You can detect signs of unusual behavior to prevent an insider who is trying to access sensitive information from becoming a threat. The gaps in your security are waiting to be discovered; make no mistake, an insider threat will find them, either accidentally or intentionally.
There are many different insider threats, and the malicious insider may be the hardest to detect. You can implement specific security measures to help predict and prevent insider threats. But at the end of the day, there is no way to guarantee that you will always prevent malicious insiders from taking advantage of a security gap, vulnerability, or a member of your unsuspecting workforce.