Addressing the Challenge of Insider Risk

By Rajesh Maurya, Regional Vice President, India & SAARC, Fortinet

While cybercrime continues to escalate, many of today’s most damaging security threats are not the result of the traditional perception of malicious outsiders breaching a network to deliver malware. While that risk is real, a growing number of organizations are concerned about security risks resulting from insiders – individuals known to the organization – who have access to sensitive data and systems. This insider risk challenge is highlighted in a recent report on Insider Threats.

Insiders who introduce risk into an organization can generally be broken down into three broad categories:

Malicious insiders: These are users who willfully cause harm through such activities as fraud, data theft, IP theft, and sabotage. Malicious insiders can include disgruntled employees with a grudge, an individual with a political agenda, a compromised user being leveraged to commit cyberespionage or cyberterrorism on behalf of a competitor, political group, or nation state, or simply someone who is behaving badly for monetary gain. When queried, 60% of companies indicated that they were concerned about this threat.

Negligent users: 65% of companies expressed concerns about this insider risk. This is an individual who, while not malicious, is still willfully side-stepping policy for the sake of productivity. These activities can range from creating a secret backdoor into the network so they can do things like troubleshoot systems or work remotely, to implementing an easy-to-compromise password system for networked devices, to failing to check configurations for errors that then get duplicated to other devices.

The risk from these users is high since they almost always have privileged access to systems and devices, such as databases and file servers. While they may not intend to harm the organization, their negligence can have a significant impact on the organization. Improperly secured systems, for example, are much more likely to be discovered and compromised by attackers and malware. And improperly configured devices on their own can cause critical systems to fail.

Careless users: These individuals have simply made a careless mistake that leads to an inadvertent system failure or data breach. This can range from something as simple as clicking on a malicious attachment inside a phishing email or browsing malicious websites, to forgetting to secure a public-facing router or server. Like negligent users, the more privilege a user has, the bigger the impact that can result from their carelessness. And because this behavior is entirely inadvertent, it is much more difficult to prevent or prepare for, which is why 71% of organizations worry about this challenge.

People Posing the Most Risk

As explained previously, privilege is directly related to the potential impact of an insider threat. At the top of the list are privileged IT users and administrators. Not only do they have greater access to the inner workings of systems and devices, their behaviors can result in far more damage than that caused by others. However, even a regular employee can have a significant impact on a network, as can contractors, service providers, and privileged executives.

Many of today’s modern attacks are designed to escalate privilege, so even a temporary worker with severely restricted access can still create serious havoc inside an organization. That threat is compounded when more than one risk is present, such as a user who introduces malware into a network that also has weak passwords or misconfigured devices.

Resources Most Likely to be Targeted

In addition to the general mayhem that can be caused by an insider, there are specific systems that are the most likely to be targeted. Because the majority of attackers are financially motivated, financial systems are at the top of the list of resources at risk. However, for industrial espionage attacks, research and development resources and customer support systems are top targets.

The one thing almost all attacks have in common, however, is the targeting of data – whether to steal it or destroy it. And the king of data is customer information. User PII (personally identifiable information) that can be extracted and sold on the black market can generate significant financial rewards for an inside attacker. Close seconds are intellectual property that can be sold to competitors or held for ransom and financial data that can be used for such things as insider trading.

Insider Threats on the Rise

Concerns about insider threats aren’t just a fire drill. Over two-thirds of organizations believe that insider attacks have become more prevalent over the past year, with nearly half of companies reporting having experienced between one and five critical cyber incidents caused by an insider in the past twelve months.

The reasons range from a lack of employee awareness and training to insufficient data protections in place. One of the most concerning trends, however, is the amount of data that now moves outside the traditional data center perimeter due to the growth of mobile devices, an increased reliance on web applications, and the rapid transfer of data to the cloud. And given that a well-meaning employee with a credit card can subscribe to a cloud service that IT isn’t even aware of and then store data there, something known as shadow IT, the potential for the negligent or even malicious compromise of data continues to escalate.

The biggest challenge with these threats is that they are so difficult to identify. These insiders already have credentialed access to the network and services, so few if any alerts are triggered when they begin to behave badly. And given the increased amount of data already leaving the traditional network perimeter, it is easier to hide data theft than ever before.

10 Things Your Organization Can Do

There is no magic pill to make this challenge go away. It requires planning, implementing and repurposing technologies, and gaining a holistic view across your network – at a time when many organizations are suffering from visibility challenges resulting from digital transformation and vendor sprawl. Here are 10 strategies that can be implemented to minimize the risk of insider threats:

  1. Train employees to see and report suspicious activity. In addition, run background checks on users being given privileged access to digital resources.
  2. Deploy tools that can monitor user behavior and activities – including policy violations – and that leverage machine learning to detect unusual behavior.
  3. Segment the network to limit activity to specific network regions. For more sensitive operations, a zero trust model can be especially effective.
  4. Implement configuration management tools that can quickly assess and identify improperly configured devices.
  5. Monitor data access and file transfers, and invest in file tracking technologies.
  6. Implement a data loss prevention (DLP) process and related technologies.
  7. Strengthen identity and access management (IAM), including the use of multi-factor authentication.
  8. Encrypt data in motion, in use, and at rest. Invest in technologies that can inspect encrypted data at business speeds.
  9. Use a SIEM tool to correlate threat intelligence gathered from across the network to identify those needle-in-a-haystack events that are impossible to detect using manual correlation.
  10. Use deception technologies and honeypots to detect activity that strays from assigned tasks.
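Items 2, 5 and 9 above come down to one idea: an insider already holds valid credentials, so no single event is an alert; the signal is a credentialed user deviating from their own established pattern, and several weak deviations correlating on the same day. The following is an added example (not Fortinet's code or any product's format) showing that logic over constructed file-access audit lines: a per-user baseline is built from a training window, then each user-day in the detection window is scored on off-hours access, access to directories the user has never touched, and a jump in byte volume, and an alert is raised only when at least two signals coincide. The log field layout, the business-hours policy and the thresholds are assumptions for the example.

```python
"""Baseline-and-deviation checks over file-access audit events.

Added example, not Fortinet's code. Builds a per-user baseline from a
training window of constructed audit lines, scores each user-day in the
detection window on three weak signals, and alerts only when they correlate.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Assumed business-hours policy: inclusive start hour, exclusive end hour.
BUSINESS_HOURS = (8, 18)
# Number of correlated signals required before a user-day is flagged.
ALERT_THRESHOLD = 2

# Constructed sample audit log (not real data):
# "<ISO timestamp> <user> <action> <path> <bytes>"
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice READ /share/finance/q1_report.xlsx 20480
2024-03-04T14:03:55 alice READ /share/finance/budget.xlsx 15360
2024-03-05T09:47:12 alice READ /share/finance/forecast.xlsx 22528
2024-03-04T10:30:00 bob READ /share/rnd/roadmap.docx 102400
2024-03-04T15:10:41 bob READ /share/rnd/test_plan.docx 98304
2024-03-05T11:22:09 bob READ /share/rnd/roadmap.docx 102400
2024-03-04T13:00:05 carol READ /share/hr/onboarding.pdf 40960
2024-03-05T16:45:30 carol READ /share/hr/handbook.pdf 38912
2024-03-06T10:05:18 alice READ /share/finance/forecast.xlsx 18432
2024-03-06T02:13:44 bob COPY /share/rnd/design_spec.pdf 52428800
2024-03-06T02:20:02 bob COPY /share/finance/payroll.csv 3145728
2024-03-06T20:30:11 carol READ /share/hr/handbook.pdf 40960
"""


def parse_events(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, path, size = parts
        try:
            events.append({
                "ts": datetime.fromisoformat(ts),
                "user": user,
                "action": action,
                "dir": path.rsplit("/", 1)[0],
                "bytes": int(size),
            })
        except ValueError:
            continue
    return events


def build_baseline(events):
    """Per-user baseline: directories seen and a daily byte-volume ceiling."""
    dirs = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        dirs[e["user"]].add(e["dir"])
        daily[e["user"]][e["ts"].date()] += e["bytes"]
    baseline = {}
    for user in dirs:
        volumes = list(daily[user].values())
        mu = mean(volumes)
        # With few baseline days pstdev is tiny, so also demand a 2x jump.
        baseline[user] = {
            "dirs": dirs[user],
            "volume_limit": max(mu + 3 * pstdev(volumes), 2 * mu),
        }
    return baseline


def score_window(events, baseline):
    """Return {(user, 'YYYY-MM-DD'): [signals]} for user-days worth an alert."""
    per_day = defaultdict(list)
    for e in events:
        per_day[(e["user"], e["ts"].date().isoformat())].append(e)
    findings = {}
    for key, evs in per_day.items():
        base = baseline.get(key[0])
        if base is None:
            # An account with no history touching data cannot be scored; surface it.
            findings[key] = ["user has no baseline"]
            continue
        signals = []
        if any(not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1] for e in evs):
            signals.append("off-hours access")
        new_dirs = {e["dir"] for e in evs} - base["dirs"]
        if new_dirs:
            signals.append("new directories: " + ", ".join(sorted(new_dirs)))
        total = sum(e["bytes"] for e in evs)
        if total > base["volume_limit"]:
            signals.append(f"volume {total} exceeds baseline limit {int(base['volume_limit'])}")
        if len(signals) >= ALERT_THRESHOLD:
            findings[key] = signals
    return findings


def detect(log_text, cutoff_iso):
    """Train on events before the cutoff date (ISO string), score the rest."""
    cutoff = date.fromisoformat(cutoff_iso)
    events = parse_events(log_text)
    train = [e for e in events if e["ts"].date() < cutoff]
    test = [e for e in events if e["ts"].date() >= cutoff]
    return score_window(test, build_baseline(train))


if __name__ == "__main__":
    for (user, day), signals in detect(SAMPLE_LOG, "2024-03-06").items():
        print(f"ALERT {user} {day}: " + "; ".join(signals))
```

On the sample data only bob's 2024-03-06 activity is flagged (off-hours, a directory outside his baseline, and a volume far above his norm), while carol's single off-hours read of a file she uses every week produces one weak signal and stays below the alert threshold. That is the trade-off the list describes: a credentialed insider rarely trips one rule, so correlation across independent signals is what separates a real anomaly from a late-working employee.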

Addressing Insider Threats Requires Proactive Efforts

Attackers continue to apply pressure across the entire attack surface, looking for a lapse in protection or a vulnerability to exploit. By combining deterrence and detection with automation, however, organizations can take a much more proactive approach to detecting and mitigating insider threats – while keeping critical security personnel focused on higher-order tasks such as strategic planning and threat analysis.