Insider Threats and Defense Strategies
Insider threats are among the most dangerous cyberthreats out there. Yet, organizations of all sizes seem to be either reluctant or negligent when it comes to fighting them. Over 50 percent of organizations don’t have an Insider Risk Response Plan and 40 percent don’t assess how effectively their technologies mitigate insider threats.1 Even though 59 percent of IT security leaders expect insider risks to increase in the next two years, very little is being done to prevent them from causing serious security incidents.
With the threat growing bigger by the minute, disaster could strike at any time. If you still aren’t worried, just remember that the average time to identify and contain a data breach is 280 days. This should give you an idea of the possible damage a single data breach could cause to your business.
This brief article will attempt to throw some light on the types of insider threats you must detect and mitigate, the damage they could cause, the user attributes that increase these risks, and the security controls you should implement to prevent and reduce these threats.
Understanding Insider Threats
Simply put, an employee or contractor who wittingly or unwittingly uses his/her authorized access to cause harm to your business is considered an insider threat. The Ponemon Institute’s Global Cost of Insider Threats Report 2020 lists three types of insider threats:
- A careless or negligent employee or contractor who unwittingly lets a hacker access your business’ network. Over 60 percent of incidents in 2020 were related to negligence.
- A criminal or malicious insider who abuses his or her privileged access to your business’ network to either steal or exfiltrate sensitive data for financial gain or plain old revenge. Criminal insiders were involved in 23 percent of breaches in 2020.
- A credential thief who poses as an employee or a contractor to gain access to sensitive data and then compromise the data for financial gain. Credential theft led to 14 percent of breaches in 2020.
The Serious Damage Insider Threats Can Cause
Even a single security breach caused by an insider threat can result in serious damage to your business in the following ways:
- Theft of sensitive data: Valuable data such as customer information or trade secrets could be exposed following a breach — an ordeal Marriott International survived in early 2020. Hackers abused a third-party application used by Marriott for providing guest services, to gain access to 5.2 million records of Marriott guests.
- Induced downtime: The downtime following a breach impacts your business in more ways than one. As mentioned earlier, it can take a long time for you to ascertain the details of a breach and then control the damage. This period can drain your business resources like it did to a company in the UK who had to eventually shut shop after a disgruntled employee deleted 5,000 documents from its Dropbox account.
- Destruction of property: A malicious insider could cause damage to physical or digital equipment, systems or applications, or even information assets. A former Cisco employee gained unauthorized access to the company’s cloud infrastructure and deleted 456 virtual machines, jeopardizing the access of 16,000 users of Cisco WebEx. The tech major had to shell out $2.4 million to fix the damage and pay restitution to the affected users.
- Damage to reputation: This is a guaranteed consequence of a security breach. Should you suffer a breach, investors, partners and clients may immediately lose confidence in your business’ ability to protect personal information, trade secrets or other sensitive data.
User Attributes That Aggravate Insider Threats
The likelihood of a security breach caused by an insider could be significantly increased due to:
- Excessive access provided to several users in the form of unnecessary permissions or admin rights
- Haphazard allocation of rights to install or delete hardware, software and users
- Usage of weak login credentials and bad password hygiene practices by the users
- Users that act as a single point of failure since no one keeps their access under check (a phenomenon common with the CEO fraud)
Building a Resilient Defense
As a business, you can undertake a list of security measures to build a resilient defense against insider threats as part of a proactive defense strategy rather than a reactive one. Some of the immediate measures you can take include:
- Assessment and audit of all systems: Direct your IT team to assess and audit every system, data asset and user in order to identify insider threats and document it thoroughly for further action.
- Restriction of access and permission controls: Not every employee needs to have access to every piece of data. You must review and limit unnecessary user access privileges, permissions and rights.
- Mandatory security awareness training for all users: This measure is non-negotiable. Every user on your network must be trained thoroughly on cyberthreats, especially insider threats, and on how to spot early warning signs exhibited by potential insider threats such as:
- Downloading or accessing substantial amounts of data
- Accessing sensitive data not associated with the employee’s job function or unique behavioral profile
- Raising multiple requests for access to resources not associated with the employee’s job function
- Attempting to bypass security controls and safeguards
- Violating corporate policies repeatedly
- Staying in office during off-hours unnecessarily
- Enforcement of strict password policies and procedures: You must repeatedly encourage all users to follow strict password guidelines and ensure optimal password hygiene.
- Enhancement of user authentication: Deploy enhanced user authentication methods, such as two-factor authentication (2FA) and multi-factor authentication (MFA), to ensure only the right users access the right data securely.
- Determining ‘baseline’ user behavior: Devise and implement a policy to determine ‘baseline’ user behavior related to access and activity, either based on the job function or the user. Do not be counted among the 56 percent of security teams that lack historical context into user behavior.
- Ongoing monitoring to detect anomalies: Put in place a strategy and measures that will identify and detect abnormal/anomalous behaviors or actions based on ‘baseline’ behaviors and parameters.
Detecting insider threats and building a robust defense strategy against them can be a tough task for most businesses, irrespective of size. Unfortunately, the longer you wait, the greater the chance of a security lapse costing your business its entire future.
However, you certainly shouldn’t hesitate to ask for help. The right MSP partner can help you assess your current security posture, determine potential insider threats to your business, fortify your cybersecurity infrastructure and secure your business-critical data.
It may seem like a tedious process, but that’s why we’re here to take all the hassle way and ensure your peace of mind remains intact throughout this fight. All you have to do is shoot us an email and we’ll take it from there.
Article curated and used by permission.
- Ponemon Data Exposure Report 2021 by Code42
- Ponemon Cost of a Data Breach 2020 Report 2020