While cybercrime continues to escalate, many of today’s most damaging security threats are not the result of the traditional perception of malicious outsiders breaching a network to deliver malware. While that risk is real, a growing number of organizations are concerned about security risks resulting from insiders – individuals known to the organization – who have access to sensitive information and systems. This insider risk challenge is highlighted in a recent report on Insider Threats.
Insiders who introduce risk into an organization can generally be broken down into three broad categories:
These are users who willfully cause harm through such activities as fraud, data theft, IP theft, and sabotage. Malicious insiders can include disgruntled employees with a grudge, an individual with a political agenda, a compromised user being leveraged to commit cyber espionage or cyberterrorism on behalf of a competitor, political group, or nation-state, or simply someone who is behaving badly for monetary gain. When queried, 60% of companies indicated that they were concerned about this threat.
65% of companies expressed concerns about this insider risk. This is an individual who, while not malicious, is still willfully side-stepping policy for the sake of productivity. These activities can range from creating a secret backdoor into the network so they can do things like troubleshoot systems or work remotely, to implementing an easy-to-compromise password system for networked devices, to failing to check configurations for errors that then get duplicated to other devices.
The risk from these users is high since they almost always have privileged access to systems and devices, such as databases and file servers. While they may not intend to harm the organization, their negligence can have a significant impact on the organization. Improperly secured systems, for example, are much more likely to be discovered and compromised by attackers and malware. And improperly configured devices on their own can cause critical systems to fail.
These individuals have simply made a careless mistake that leads to an inadvertent system failure, data breach, or accidental breach. This can be something as simple as clicking on a malicious attachment inside a phishing email or browsing malicious websites, to forgetting to secure a public-facing router or server. Like negligent users, the more privilege a user has the bigger the impact that can result from their carelessness. And because this behavior is entirely inadvertent, it is much more difficult to prevent or prepare for. This is why 71% of organizations worry about this challenge.
As explained previously, privilege is directly related to the potential impact of an insider threat. At the top of the list are privileged IT users and administrators. Not only do they have greater access to the inner workings of systems and devices, but their behaviors can result in far more damage than that caused by others. However, even a regular employee can have a significant impact on a network, as can contractors, service providers, and privileged executives.
Many of today’s modern attacks are designed to escalate privilege, so even a temporary worker with severely restricted access can still create serious havoc inside an organization. That threat can be compounded when more than one risk is present, such as a user who introduces malware into a network that also has implemented weak passwords or users misconfigured devices.
In addition to the general mayhem that can be caused by an insider, there are specific systems that are the most likely to be targeted. Because the majority of attackers are financially motivated, financial systems are at the top of the list of resources at risk. However, for industrial espionage attacks, research and development resources and customer support systems are top targets.
The one thing almost all attacks have in common, however, is the targeting of data – whether to steal it or destroy it. And the king of data is customer information. User PII (personally identifiable information) that can be extracted and sold on the black market can generate significant financial rewards for an inside attacker. Close seconds are intellectual property that can be sold to competitors or held for ransom and financial data that can be used for such things as insider trading.
Concerns about insider threats aren’t just a fire drill. Over two-thirds of organizations believe that insider attacks have become more prevalent over the past year, with nearly half of companies reporting having experienced between one and five critical cyber incidents caused by an insider in the past twelve months.
The reasons range from a lack of employee awareness and training to insufficient data protections in place. One of the most concerning trends, however, is the amount of data that now moves outside the traditional data center perimeter due to the growth of mobile devices, increased reliance on web applications, and the rapid transfer of data to the cloud. And given that a well-meaning employee with a credit card can subscribe to a cloud service that IT isn’t even aware of and then store data there, something known as shadow IT, the potential for the negligent or even malicious compromise of data continues to escalate.
The biggest challenge with these threats is that they are so difficult to identify. These insiders already have credentialed access to the network and services, so few - if any - alerts are triggered when they begin to behave badly. And given the increased amount of data already leaving the traditional network perimeter, it is easier to hide data theft than ever before.
There is no magic pill to make this challenge go away. It requires planning, implementing, and repurposing technologies, and gaining a holistic view across your network – at a time when many organizations are suffering from visibility challenges resulting from digital transformation and vendor sprawl. Here are 10 strategies that can be implemented to minimize the risk of insider threats:
Train employees to see and report suspicious activity. In addition, run background checks on users being given privileged access to digital resources.
Implement configuration management tools that can quickly assess and identify improperly configured devices.
Monitor data access and file transfers and invest in file tracking technologies.
Implement a data loss prevention (DLP) process and related technologies.
Encrypt data in motion, in use, and at rest. Invest in technologies that can inspect encrypted data at business speeds.
Use deception technologies and honeypots to detect activity that strays from assigned tasks.
Attackers continue to apply pressure across the entire attack surface, looking for a lapse in the protection of vulnerabilities to exploit. By combining deterrence and detection with automation, however, organizations can take a much more proactive approach to detecting and mitigating insider threats – all while keeping critical security personnel focused on higher-order tasks such as strategic planning and threat analysis.
Learn more about how to identify and mitigate the risks caused by insiders by reading our recent Insider Threat report.