10 Aug Insider Threats: An Enemy Within
Insider threat is an intentional or unintentional misuse of organization’s data by an insider – an employee, a former employee, a subcontractor or a partner – anyone you have kindly granted access to. While ransomware or cyber attack may sound more scary, the vast majority of security incidents are due to people – both malicious and negligent. No matter the intent, the outcomes of insider threats are often devastating: 53% of companies surviving insider threat in 2017 estimated the remediation cost to be $100,000 and more, and 12% of those estimated the cost to be higher than $1 million. Today, GDPR being enforced, these costs may be even higher. Let us consider what forms insider threats may take and what you can do to fight them.
THOSE MANIFOLD INSIDER THREATS.
As it has been mentioned, the abuse of the access or the data breach may be unintentional. For example, insiders may make an “honest mistake”, that is send or forward the message with sensitive information to the wrong address. Following malicious links in spam emails, employees may fall for phishing schemes, thus, handing over their credentials to criminals, which may further access organisational data. Careless use of technology or bringing unknowingly the infected devices from home may invite malware to the organisational system, ransomware in particular. Security hazards may also arise when employees connect to hostile or potentially hostile networks using the devices, which hold organisational data.
On the other hand, the data breach may be intentional. Insider threats performed by malicious insiders make up about 20% of all incidents. There are many reasons why an insider would commit such crime. First of all, they may simply grasp the opportunity and sell the stolen data. Insiders may be also lured into a deal by your competitors. At the same time, some leaks and breaches are not for money, but to repair the perceived injustice. For example, a former employee or an employee who has not been given the well-earned promotion may leak the data to revenge on the organisation. At the same time, an employee may see oneself pursuing a noble goal of installing social justice. Edward Snowden, leaking critical data on government surveillance is one of the most prominent examples. Last but not least, an employee may decide to use organisational data or contact list to start his own business.
INSIDER THREATS ARE ON THE RISE. WHY?
Although insider threat behavior has been known for centuries, recent advancements in IT industry create a particularly favourable conditions for the growth of insider threats. In particular, experts point to these contributing factors:
- A dramatic increase in the amount and complexity of IT. Now, organisations employ multiple software and cloud-based services in their operations, making it difficult to monitor how these are managed by employees and third parties. What is more, many organisations now outsource some processes to offshore individuals and teams, which further increases the chances of insider threat. The research has shown that abusing access is less difficult for a personal working distantly that for the one working in the corporate office, surrounded by coworkers. For example, in 2005, the staff of the call center to which Citibank outsourced its work collected personal data, PINs and account numbers of Citibank account holders and further stole $350,000 from their accounts.
- Use of personal devices at work. While employees may be instructed to avoid threat when using computers, they may be more careless when using their smartphones for work considering them particularly “personal” and, thus, more secure. Nevertheless, mobile malware infections have sharply increased and now pose a considerable threat not only to their holders, but also to their employers. In addition to smartphones and tablets, issues may arise from using a flash drive or a phone memory card. For example, in 2008-2010, Iran’s uranium-refinement facility was sabotaged by the Stuxnet computer worm, which infected the system disconnected from the internet via USB flash drive.
- Lower risks to be detected. It sometimes takes years to detect an insider threat. Previously, in the pen and paper world, people had to come to archives or director’s room, where important files were stored and had to explain their presence there is caught red handed. Now, the databases are easily accessible anywhere and anytime and it is very difficult to tell if people are doing something malicious or simply their work when accessing the data. While it is difficult to catch insiders red-handed, it is almost impossible to catch them post-factum, as their know how to clear the evidence editing or deleting logs. This makes it difficult to prove insider’s guilt at court, which, in turn, makes them more bold.
- The rise in cybercrime. The rise of insider threats is also associated with the overall rise of cybercrime and its sophistication. For example, phishing schemes, which drag organisations into insider threat, have become more difficult to identify for a lay unsuspecting user. In addition, inders may easily become part of a cybercrime-as-a-service industry, being instructed on how to carry out a fraud and immediately paid for their efforts.
- The role of social media. Social media has contributed to the leaks from organisations too. Most importantly, social media allows to recruit insiders and coax them into accessing and providing sensitive organisational data. Another phenomenon is the so-called “romance scam”, in which employees are persuaded or tricked into giving away organisational secrets by the person they “meet” on the dating website.
FIGHTING INSIDER THREATS.
Although “insider threat” stands for an accomplished act of harming an organisation, the term skillfully underlines the core of the problem – there is a continuous threat, which cannot be eliminated upgrading to a better antivirus or operational system. Still, there are definitely some ways to minimise the risks. They may be classified into organisational and technological.
- Background checks before hiring. Simple background check including consideration of person’s social media profile and conversation with a former employer might help you eliminate risky application that, if hired, may pose insider threat to your organisation.
- Use a least-privilege principle. Do not grant privileged access by default. The less privileged users you have, the easier it is to control them. Thus, a good practice is to grant access only to the data, which is absolutely necessary for the fulfillment of work. If the employee or a contractor will need access to do the work, but might not need it later – it is better to create temporary accounts or permissions.
- Have a documented policy and the associated stuff training. Make your staff be aware of the rules they should follow regarding the security of organisational data and emphasise that compliance is obligatory and no negligence will be tolerated (mind, that they make 70% of all security breaches). Make employees sign non-disclosure statements. Explain to the stuff that their activity is monitored. Establish and communicate clearly a liability for breaching organisational security.
- Conduct regular checks on awareness and compliance. Conduct regular random checks of what employees know of insider threat, security policy and practices, use of personal devices for work, and other relevant information. If employees are to erase sensitive data from devices and change a password each month, check if they do and penalise for noncompliance to turn the demand into a habit.
- Establish a culture of trust. Enable employees to voice their concerns and dissatisfaction and make sure your organisation follows best standards regarding promoting and releasing employees, avoiding making some of the (former) employees feeling resentful. Communicate organisational goals and performance: if employees know nothing about what is going on on the top, they are likely to think the top will never know what they do, and vice versa.
- Make the system require employees to set unique complex passwords. Preferably, establish a two-factor authentication, so that no one can use stolen credentials or simply claim his credentials were stolen.
- Use action monitoring software, which will issue immediate alerts when the threat is suspected, for example, if the user performs uncommon actions, performs unauthorised access, downloads anything from a system, etc. Such software record all the actions of a user and, thus, serve reliable evidence of a mistake or a crime.
- Automate the process of wiping devices. The deactivation of the employee records in the Microsoft Active Directory, which should be done when an employee leaves an organisation, should also trigger the automatic wiping of the data off their devices.
Insider threats are the most widespread cyber security threats and it takes much to mitigate them, as the prevention lies not only in the technological, but primarily in organisational solutions, which start as early as making a hiring decision. Although you may not have a disguised enemy within, you may definitely have a busy user undermining the importance of cyber security and, thus, potentially causing devastating damages to the organisational budget and brand. Following the recommended organisational and technical measures will not make you immune to insider threats, but it will definitely help to minimize them and their outcomes.