Insider threats and the danger they pose are both highly publicized and well-covered topics. Apart from the famous NSA leak by Edward Snowden, there are strong rumors that several high-profile data breaches and leaks of the past couple of years have involved malicious insiders (Ashley Madison and Mossack Fonseca, to name a few cases).
Logic dictates that all of this awareness should translate into action. And while cyber security software companies keep creating new solutions and cyber security providers keep developing best practices to combat such threats effectively, companies are in no hurry to adopt these measures. In fact, the reality is the opposite: most companies, regardless of size, heavily prioritize network security threats, while measures to minimize insider threats are put on the back burner in the best case and, in the worst case, are not even on the horizon.
Insider threats are more frequent than you think
The fact is, while companies are well aware of the danger, the threat itself is highly underestimated. There are many reports of high-profile hacks, breaches and DDoS attacks on large businesses conducted by malicious outsiders. At the same time, breaches from the inside are reported mostly by government organizations, healthcare providers and financial institutions.
This leads many private companies, small ones in particular, to believe, falsely, that they are not a target. In reality this is not the case: the NetDiligence Cyber Claims Study found that insiders were involved in 32% of the cyber security incidents reported last year.
So why do incidents involving malicious insiders get underreported? There are several reasons:
- Damage mitigation. The fact that your company is vulnerable can be a huge blow to its reputation, and matters are worse still when the source of the vulnerability is your own employees. Such news may prompt clients to look elsewhere and investors to pull out. It is far more convenient to say nothing at all whenever possible, or at least to stay vague on the details.
- They are very hard to detect. More often than not, breaches go unreported because the companies themselves do not know about them. Malicious insiders often operate for years, slowly stealing sensitive data or using it for their own gain, and when the breach is finally discovered it can take a long time to assess the actual extent of what has been compromised. In fact, many breaches reported today actually happened several years ago and have only just now been discovered.
- They are very hard to prove. Even if a breach has been detected, it can be very hard to find the perpetrators. Investigations often turn up inconclusive, and even when the insider has been identified, proving their guilt in court is frequently problematic. Thus there is little benefit in reporting the crime when the perpetrator cannot be punished or sued for damages.
Of course, the reasons above are most relevant for companies that have not put the necessary measures in place to detect and combat insider threats, since they are the ones who most often become victims of such attacks.
Danger of inadvertent insiders
However, malicious insiders are not the only type of insider threat out there. According to the Forcepoint 2016 Global Threat Report, inadvertent errors or negligence by employees constituted almost 15% of all data breaches last year.
Often unaware of basic security practices, employees accidentally leak sensitive data, damage data or make inadvertent adverse changes to critical systems. Even more important, employees often themselves become the proxy through which a malicious insider or outsider gains access to the system: by falling for phishing, spam e-mails and other social engineering techniques, they hand their credentials to the perpetrators.
Challenges of dealing with insider threats
Dealing with inadvertent and malicious insiders is similarly hard, as both pose similar challenges. It requires a specific set of tools and practices, and can only be done when the company fully realizes and acknowledges the danger of insider threats in cyber security and how to combat them.
All of this is due to the fact that insiders have legitimate access to the sensitive data they work with on a daily basis. It is therefore very hard to distinguish malicious actions on their part from the usual everyday routine. Whether your system administrator is making a regular backup or copying data to external storage in order to steal and sell it, there is almost no way for you to know.
Moreover, it is also almost impossible to distinguish deliberate malicious actions from inadvertent mistakes. This not only allows malicious insiders to simply say that they made a mistake and get away with murder, but also means inadvertent insiders may be prosecuted for malicious actions when in reality the data breach happened because of negligence or even an honest mistake.
Myths about insider threat protection
The only way to solve the issue of insider threats in cyber security is to incorporate proper protection measures that give your company the ability not only to detect insider threats and investigate them, but also to prevent incidents in the future. However, as mentioned earlier, not many companies go for it.
According to the 2016 Insider Threat Spotlight Report, 74% of the organizations that participated in the questionnaire are vulnerable to insider threats. One reason for their lack of proper protection is a set of preconceived notions about insider threat mitigation that many of these companies hold, most of which are decidedly false.
The following myths are very widespread when it comes to insider threat prevention and protection:
- My company is not a target. We already touched on this above. While there are not as many reports of private commercial companies being hit by insiders, that does not mean it does not happen. In fact, the opposite is true: every company is a target, regardless of its size or the industry it operates in.
- It is not worth the money. Many companies feel that investing in security is not that important in terms of the bottom line. Security is usually viewed as a sinkhole where money disappears without any return. Therefore, costs are cut whenever possible, and insider threat protection measures are usually among the first to go under the knife. However, the 2016 Insider Threat Spotlight Report shows that 75% of companies on average spend $500 000 or more to mitigate incidents involving insider threats. It is widely known that insider attacks are the costliest to remediate, so it is very beneficial in the long run to invest some money in insider threat protection.
- It is expensive. Many small and medium-sized companies do not implement any insider threat protection measures because they consider them too expensive to afford. It is true that many solutions out there, in the user action monitoring department particularly, target large enterprises and are just too expensive for small companies to deploy. But not everybody knows that a number of very affordable alternatives are available.
- Background checks are enough. Many companies think that basic measures, such as physically securing the server location and conducting background checks, are enough to protect against insider threats. While both of these measures are necessary, they do not provide reliable protection on their own. Sometimes people get recruited by a competing firm, or they simply see an opportunity and decide to take it, or they commit an honest mistake. You need a way to detect and investigate such incidents, and only the full complex of insider threat protection measures gives you that.
- It is too complex. Many companies think that any security procedures and security solutions are too complex, and that they will either take a lot of money and time to educate personnel or disrupt the regular workflow. In reality, there is insider threat management software out there that is fairly simple to use and requires no training. At the same time, educating your employees on security best practices will save you money in the long run, as it prevents mistakes and negligence and makes your company much less susceptible to attacks from both inside and outside.
8 insider threat protection measures that you should implement
Establishing reliable insider threat protection is very beneficial to any company, and whatever preconceived notions you may have about it need to make way for logic and cold thinking. The question then is: what exactly should you do? How do you minimize insider threats in cyber security?
Next we will list the 8 most important measures you should take in order to establish effective insider threat protection:
- Use conventional measures
Background checks are probably the most basic insider threat protection measure your company can employ. They are widely used in industries that routinely deal with critical private information, such as finance and healthcare, and have also been adopted by many large companies in other fields. However, you do not need to be an international giant to conduct a background check on a person. Simply googling their name, checking their social media profiles and calling their previous employer is enough to get a sense of whether they are a reliable employee. Background checks are not a guaranteed protection against all insider threats and should not be viewed as such. But they allow you to single out early, and keep away, the people who will most likely pose a problem further down the line.
Another very basic measure for preventing threats to data security is protecting the physical location of your data. If all your servers are in a datacenter, there is nothing to worry about: the datacenter will do it for you. But if your company owns its own servers, you should seriously consider hiring a guard, or at least installing a reliable digital lock, to make sure that no unauthorized people have physical access to them.
Both background checks and physical server security are very basic measures that most companies probably employ already, but they filter out and deter the most obvious malicious insiders, so they are well worth the time and effort to put in place.
- Keep an eye on employee behavior
It is important to note that people very rarely apply for a job with malicious intentions in mind (unless, of course, they are corporate spies). More often than not, they get the idea to act maliciously while already working for you.
Various signs and changes in behavior can give away their intentions. For example, if an employee has accumulated a lot of debt, it may give them the idea to go after your sensitive data to make a quick buck. On the other hand, if they suddenly got rid of their debt without an obvious reason, there is a chance they have already made money by selling your data to the competition. If a person wants to use your sensitive data to start a competing business (for example, by stealing your clients), more often than not they will brag about it to colleagues. When a person starts travelling a lot more, coming to work at odd hours or staying until late, all of these are signs of potentially malicious actions on their part. You should also note whether the person is happy or not: sometimes disgruntled employees act maliciously to get back at the company for a perceived injustice.
All in all, you should definitely keep an eye on the behavior of your employees, because it often gives away malicious intentions. If you notice any major change without a good reason, it is a good opportunity to check that person's work more closely and investigate your company for any potential data breaches.
- Protect and control access to sensitive data
Access control is a great way to make sure that only people with proper authorization can reach your sensitive data. While in and of itself it does not guarantee full protection from insider threats (nothing stops privileged users from abusing their access), it lets you know who accessed sensitive data at any particular point in time, which is a great asset when investigating incidents.
Sadly, many access management solutions are too expensive for smaller companies. Moreover, they can prove complicated to deploy and may require special training to use, which deters many companies from adopting them. These problems can be solved by looking for cheaper alternatives on the market, or by employing an affordable user monitoring solution with some access control functionality, such as Ekran System.
Bottom line: while access control solutions are not a panacea, they greatly strengthen your security against insider attacks and make it much harder for outsiders to get in, so they are well worth investing in.
- Make sure your accounts are protected
Any security measures you take will prove ineffective if you do not follow the basic best practices for keeping your accounts secure. These practices include:
- Changing default passwords as soon as you can: those passwords are usually freely available on the web and are the first thing perpetrators try when they want access to your network.
- Setting a unique, strong password for each account: make sure that none of your employees reuse a password for any other account, and that every password is fully distinct.
- Changing passwords frequently: there is no way to know for sure whether a password is still secret. By periodically changing all passwords, you greatly strengthen their protection.
- Prohibiting password sharing: make sure that your employees are prohibited from sharing passwords with each other. While it may sometimes be more convenient to simply use another person's account, the practice should definitely be discouraged.
- Prohibiting account sharing: make sure that employees cannot share accounts with each other, and avoid situations where several people use a single account.
All of the above measures make it much harder for an employee without proper credentials to reach sensitive data. They help protect against inadvertent mistakes and also make it harder for external perpetrators to break into your system. Every company should implement them.
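The first three practices above (no default passwords, strong and distinct passwords, regular rotation) can be enforced mechanically at the point where a password is set and by a periodic age audit. The following is an added illustration written for this article, not code from Ekran System or any product the article mentions. The list of default passwords, the 12-character minimum, the 90-day maximum age, the KDF choice and all account data are constructed assumptions for the example.

```python
import hashlib
import hmm_placeholder_guard if False else None  # noqa: placeholder removed below
```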
- Employ user action monitoring software
Probably the best insider threat detection and management tool in your arsenal is user activity monitoring software. These are tools specifically designed to give you full visibility into actions of each particular user that works with monitored endpoint. Such systems provide video recordings of user screen, allowing you to see user actions the way they saw it when they committed them, making it possible to investigate suspicious incidents and detect malicious user activity.
There are several different technical approaches to user monitoring – agent-based and agentless systems. Agent based systems can provide more data and are usually easier to deploy, as they do not require any changes to your existing network configuration, while agentless solutions may offer a slight performance boost to workstations at the cost of providing less data, and requiring you to route all your network communications through a single server.
Some of those tools use behavior analytics to discover suspicious incidents, which often leads to a lot of false positives, while other solutions use customizable alerts, which are often fairly reliable, but require some tweaking to set up.
User action monitoring tools often suffer from the same problem as access management tools – many of them are quite expensive to deploy. However, there are also affordable user monitoring solutions out there. Solution, such as Ekran System combine affordable deployment for companies of any size with rich feature set that incorporates basic access control, thus making it a great solution for any company willing to save cost.
- Keep an eye on privilege users
In an ideal world, you would have as few privileged users as possible – all users would be assigned the lowest level of privilege, and it will be escalated only when necessary.
Sadly, in practice, this is rarely the case. People are often given more privileges that they need. Another widespread scenario – people, who no longer need access to sensitive data are still retaining it. Moreover, sometimes people who were terminated retain their privilege access and can get into the system and use your sensitive information in any way they want without any supervision.
While privilege users tend to be the most trusted employees in the company, it is also important to understand that they are the most dangerous, as they can easily compromise your data and cover their tracks. Thus, it is not only important to correctly manage user privileges, revoking them when they are no longer needed, but also to keep an eye on the actions of privileged users.
For this task you need to employ a user monitoring software capable or recording user actions regardless of their level of privilege. Such software will be able to give you a proper insight into what your privilege users are doing with your sensitive data and will allow you to detect insider threats and react to them in a timely manner.
- Secure third parties
Apart from privilege users, another dangerous category is third parties. Most companies have extensive list of sub-contractors, distributors, partners and affiliates that have access to the corporate network from a remote location. Any such user is a huge security risk, because even if your network is protected, their computers may be not.
Thus, it is important to limit their access as much as possible and keep an eye on their actions in order to determine, whether they’re doing anything malicious or not. This is where a user monitoring software can come in place. By simply installing an agent to the server that these remote users are connecting to, you will be able to monitor all their actions and see whatever they are seeing, thus having a clear idea on what exactly they are doing.
Skimping on third party protection can cost you dearly in the long run, thus it is important to secure your endpoints as much as possible whenever you are giving legitimate access to any people from the outside.
- Educate users
The last but not least thing that you can do is to make sure that your own users are well aware of the danger of insider threats. As mentioned above, malicious insiders are only one part of the problem, with inadvertent mistakes and negligence being the other one. Users will often send sensitive emails to the wrong address, click on a link in a spam e-mail, thus inviting malware into the system, or give their credentials to the perpetrator during a phishing call.
The best way to both avoid IT security attacks and inadvertent mistakes is to make sure that your employees are know about the danger and are ready to face it. Conduct awareness training. Educate your employees on the latest threats your company faces and best practices that they should adhere to in order to prevent it. Enlist the help of your employees and make them a part of your ongoing cybersecurity efforts.
Conclusion
We hope that we made it clear in this article not only that insider threats are no-joke, but also that dealing with them is not as complicated and as expensive as many people think. A set of simple security practices (many of which help to also strengthen the security of your digital perimeter) and a couple of affordable solutions is all it takes to protect your company from a very serious and potentially very costly threat.
Whenever you decide on your security strategy for the next fiscal year, make sure to include insider threat protection in it too. Evaluate risks and get your defenses in check – this will allow you to strengthen your overall security posture and sleep soundly at nights, knowing that your company sensitive data is safe.
[su_box title=”About Marcell Gogan” style=”noise” box_color=”#336588″][short_info id=’100093′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.