Long before organizations went digital, attacks against data and systems were carried out mainly by insiders — a current or ex-employee, a contractor or business partner. Eventually the workplace became populated with computers and mobile devices, with most of these devices connected to internal networks and the internet.
Since then, IT departments have spent a lot of money and time trying to shield assets from malware and external attackers, overlooking a significant hazard that’s been there the whole time: the insider threat.
What is the “insider threat?”
From the perspective of IT, an insider threat is a person with authorized access to an organization’s network, systems and/or data who intentionally or carelessly exploits that access, resulting in theft, deletion of data, destruction of systems and so on.
According to the “2016 Cost of Insider Threats” report (Dtex Systems/Ponemon), the average cost per incident of damage from a negligent employee or contractor is $206,933. The fallout from malicious insiders averages $347,130, and theft of credentials pushes the average cost up to $493,093. The report notes that negligence accounts for most incidents – 598 of 874 incidents reported.
Insider security incidents cause loss of proprietary and confidential information and can damage an organization’s reputation, but most cases can be prevented. Let’s look at both no-tech and high-tech solutions.
So, where do you start? You can begin preventing insider threat issues by implementing these measures:
- Create a data use policy
- Educate employees
- Review user privileges periodically
- Establish a culture of accountability with managers
A data use policy, usually part of an acceptable use policy (AUP), spells out what employees may and may not do with information owned by or entrusted to an organization, referring to security, privacy and proper management. Employees must be presented with the data use policy and educated about the purpose of data protection and privacy, and the consequences of breaking the rules.
Regarding user privileges, Mike Chapple, senior IT director at the University of Notre Dame, says that “One of the most important – and most often overlooked – controls is conducting frequent user account reviews. These reviews should watch for unnecessary accounts that were not disabled and for permissions assigned to accounts that are no longer necessary. Privilege creep is one of the major issues leading to insider attacks.”
According to Jeff Jenkins, vice president and chief internet security officer for First Advantage, another effective no-tech solution is to establish a culture of accountability with managers through acknowledgements or attestations, so they understand they are responsible for the actions of their staff.
“From a more positive perspective, it is also useful to engage personnel managers to aid in the training, monitoring and enforcing of desirable behaviors from their employees,” Jenkins said.
If your organization has the budget to invest in a solution to protect against insider threats, some of the more effective ones are:
- Data loss prevention (DLP)
- Identity and access management (IAM)
- User activity monitoring (UAM)
- User entity and behavior analytics (UEBA)
DLP, according to Chapple, “monitors the network for signs of unauthorized exfiltration of sensitive information. DLP can catch data that matches obvious patterns, such as credit card numbers or Social Security numbers, and it can also watch for files that match the signatures of sensitive intellectual property.”
IT administrators use IAM to control user access to secure systems, applications and documents, usually through the use of single sign-on (SSO). With SSO, a user can log in one and be granted access to various applications on a network.
UAM monitors an organization’s IT environment and collects real-time user activity data, such as emails and internet uploads/downloads. To be effective, a UAM solution usually works with some type of security information and event management system (SIEM) to send alerts to administrators when something suspicious arises.
A UEBA solution crawls through large amounts of data gathered from IT logs and data from network applications and endpoints to find patterns of abnormal behavior, which may point to an insider threat. This type of solution is relatively expensive and requires some expertise on behalf of IT staff who must decipher alerts and reports.
Jenkins adds, “Although UAM, IAM and UEBA are certainly the more prevalent technologies that security leaders are using or considering for insider threat detection, it’s hard to ignore some of the basic technologies, though, such as network segmentation, DLP and endpoint restrictions (limiting admin rights, prohibiting USB devices, etc.) to help combat employees from misusing systems or data. Organizations that are serious about preventing insider threats have to give consideration to all forms of security controls, preventative and detective, even if older and more restrictive measures like endpoint restrictions aren’t considered popular by employees.”
Jenkins also warns against infringing on an employee’s privacy rights, especially in countries outside of the U.S.: “There can be some challenges regarding deploying controls to limit insider threats, namely for global companies doing business in EMEA or APAC countries,” says Jenkins. “Differences in the way countries in those areas perceive security, or a company’s right to monitor employee computer activity can cause difficulties ranging from employees misunderstanding their security responsibilities to the inability to deploy some of the recommended controls. Organizations should explore these challenges well in advance of trying to roll out security measures in international locations.”
The Raven Group is a Corporate Counterintelligence consulting firm that helps companies protect their trade secrets, intellectual property (IP), employees, and reputation. Raven’s consultants have spent a lifetime protecting our nation from threats of every kind and are second to none. Let us bring that expertise to your company.