How To Avoid An Insider Threat Nightmare

By David Higgins | October 17, 2018 | Updated: July 4, 2024 | 5 Mins Read
David Higgins of CyberArk offers his tips and recommendations to mitigate insider threat this Halloween…

As Halloween looms, it would certainly feel like the right time to think of our favourite horror stories. From an enterprise IT perspective, there are too many to keep up with these days. From the constant threat of cyber attacks from external hackers, to the rise of new forms of cyber-crime such as cryptojacking – the threats are constant, rapidly evolving and real.

But often the most terrifying of all threats to a company’s IT network is that posed by the insider. According to a report from the Ponemon Institute, over the past two years the insider threat has escalated for businesses, with the average number of incidents involving employee or contractor negligence having increased by 26 percent, and by 53 percent for malicious and criminal insiders.

Our own research at CyberArk also shed light on how IT security decision makers aren’t exempt from putting their organisations at risk. A startling 85% worried that they might personally introduce a cybersecurity incident into their company.

So, how can businesses across all sectors take steps to avoid an insider threat nightmare?

Dealing with human error

The most common problems impacting many businesses include system misconfiguration, poor patch management, using default settings and weak passwords, lost devices, and sending sensitive data to the wrong e-mail address by mistake. Some of these problems are the result of an individual’s brief lapse of concentration or a slip of the mouse. It could be something as simple as clicking “reply all” on an e-mail, for example. Some, however, are the result of poor policy or poor management. System configurations and patch management should be matters of organisational policy and should be routinely assessed.

We will never get rid of human error – mistakes happen. However, with 64% of organisations finding that negligence is the root of most incidents, there is vast room for improvement and a definite need for organisational change. With the damage caused often amplified due to excessive permissions, organisations need to get a firmer understanding of their privileged accounts and remove access where it’s unnecessary. For example, any employee with unconstrained access could, accidentally or maliciously, become a threatening insider.

The road to weak security isn’t always filled with malicious intent

Most employees are hard-working, and eager to please in their roles. In fact, many go out of their way to do their jobs efficiently – but therein can lie a significant issue. It is not uncommon for employees to install unauthorised wireless access points to make it easier to connect to the network throughout the office. These points can certainly improve productivity and worker satisfaction but, unknown and unmanaged by administrators, they also create security black holes that can be used by attackers to gain an entry point into the network. And it’s not just gaining access, but how it’s done. Despite the fact BYOD has now been around for years, many organisations are still grappling to put robust policies and procedures in place to protect themselves.

Workers often see security as a roadblock rather than an enabler that is seamlessly embedded into how they operate. When this happens, they will find quick ways around policy in order to do their jobs more easily and thus unknowingly become ‘insider threats.’

The unknowing accomplice

Every Halloween villain needs an accomplice. Honest employees can also be targeted by malicious outsiders through the use of social engineering techniques. E-mail phishing (and spear-phishing to target high-net-worth individuals) is still one of the most common types of social engineering, with attackers becoming increasingly sophisticated in their approaches, drawing innocent employees into unwittingly opening up their organisations to attack.

Insider threats do not stop with your employees. Contractors, business partners and links across the supply chain – both upstream and down – all pose fresh threats that can be used to compromise your network from the inside. One of the key threats we see frequently is attackers actively targeting highly permissioned users, looking for those individuals or accounts which can open the doors to the rest of the organisation and the valuable data held by them. With GDPR well into force and effect, it’s imperative that organisations are totally aligned on data protection and the importance of strong cybersecurity practices across the board.

The force for good against insider threat – training

The first line of defence against the well-intentioned insider must be in awareness and training. All employees should be educated to understand the risks, organisational policies and the reasons why they are in place. With regulation such as GDPR firmly in force, and customers increasingly aware of the threat posed by cyber attackers, organisations can simply no longer afford to keep cyber security policies operating in siloes.

At the same time, business leaders need to engage with their IT security teams to ensure that they have the correct measures in place to protect themselves, shut down attacks, and report back on any attempted attacks and the resulting implications for customers or sensitive business data.

It’s no longer enough to do one or the other. The only way to defend against both accidental and malicious insiders is to address the nature of the threat, not the individual. This starts by locking down unnecessary, unconstrained access for users, which if left unchecked serves to amplify the insider threat. There are a host of reasons behind insider threats, be they accidental or malicious, and organisations must ensure they have the right policies in place to protect themselves as much as possible. Avoiding a hacking nightmare this Halloween must come from educating employees on the plethora of cyber risks out there today, and their role to play in organisational defence.

David Higgins

EMEA Technical Director
