I’m sure you already know by now what an insider threat is and the risks they pose to your organization, so I won’t go into too much detail. However, it is worth knowing that insider threats mainly fall into three categories: the malicious attacker, the opportunist and the careless employee. Understanding the different reasons why insider threats occur can help you prevent them from causing you serious damage.
The Malicious Attacker is perhaps the one most commonly reported on in mainstream press. Because the intrinsic, monetary value of data is now well documented, some of your users likely understand the value of it on the black market. Malicious attackers are usually financially motivated and will abuse their levels of access to sensitive data to sell it to the highest bidder. The main targets for this are healthcare records and credit card information, but other forms of personally identifiable information (PII) can fetch a similar price. Suffice to say, these people should never be trusted with the keys to the kingdom.
The Opportunist may not be as premeditated as the malicious attacker, but they can be just as dangerous. Usually they are not originally or solely motivated by money, and do not go out seeking to abuse their privilege. It might be that they happen upon a security vulnerability that they just can’t help exploiting, or they know they are up for the chop and want to get revenge before being fired. It may even be that they see themselves as a kind of vigilante, acting on behalf of the public as a whistle-blower or trying to teach the organization a lesson.
The Careless Employee is probably the most common cause of data breaches, and one of the least talked about. Let’s face it, your users probably don’t care as much about the security of sensitive data as you do. They likely don’t understand why certain password policies are in place, why not to click on malicious email links, and why they should be extra careful when handling PII or confidential corporate information. If you fall victim to an insider threat, it is very likely that the cause was accidental.
Whatever the reason, insider threats can be mitigated and, in many cases, prevented through a combination of the following five techniques.
1. Automate Data Wiping
When an employee leaves the organization, their Active Directory account is typically deactivated, as it is no longer required. However, the data they have been accessing and storing on their devices (either company issued or personal) still needs to be wiped. You don’t want a disgruntled employee, for example, still having access to business-critical, confidential or valuable corporate information.
Unfortunately, many organizations forget this part of the process, or do it manually (which can be slow and difficult). It is always wise to ensure that you have the most up-to-date mobile device management software, identity systems and security tools in place to automate these processes for you.
2. Interdepartmental Co-Operation
Along the same lines, when an employee leaves the organization or changes roles within it, their current permissions need to be either reviewed or revoked completely. This doesn’t always happen, because there is sometimes a gap in communication between departments. HR should ensure that the relevant IT and Security staff are notified of these events so that permission changes can take place in a timely manner.
Similarly, HR, Security, IT and other relevant staff (including high-level staff) should regularly go through the roles and responsibilities of employees so that the IT/Security team can make more appropriate judgement calls on which permissions to hand out. It’s likely there are some employees currently in your organization that have excessive levels of privilege because the IT team was never given the full context of their roles and responsibilities.
3. Auditing, Monitoring and Alerting
Whether the threat is malicious, opportunistic or accidental, the best way to ensure you can detect and prevent insider threats is through continuous and proactive auditing, monitoring and alerting of changes to systems and data.
You need to ensure you know who has access to critical data, so you can identify which of your users should be watched most closely. You also need to be aware of whenever changes to these permissions occur. Once you know who has access to what data, you need to keep an eye out for any unwanted, unauthorized or potentially damaging changes occurring to that data and the surrounding systems.
Unfortunately, doing this manually with any meaningful results is simply not possible, as the processes are overly complex and produce a lot of noise. Deploy a third-party change monitoring solution, like LepideAuditor, to automate this process. Such solutions can provide you with invaluable pre-defined reports, alert you of changes in real time, and give you the tools you need to take action.
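As an added illustration of the alerting described above (example code written for this article, not LepideAuditor’s or the author’s), the script below reviews a handful of constructed Active Directory group-membership change records, keeps only changes to groups the organization treats as privileged, and compares each one against a list of approved change tickets. The event IDs 4728/4732/4756 (member added to a security-enabled global/local/universal group) and 4729/4733/4757 (member removed) are real Windows Security log IDs; the record format, the privileged-group list and the sample events are assumptions made for the example.

```python
"""Flag privileged-group membership changes and check them against approved tickets.

Added example, not vendor code. The 'key=value|key=value' record format, the
PRIVILEGED_GROUPS set and SAMPLE_EVENTS are constructed for this illustration.
"""
from dataclasses import dataclass

# Real Windows Security event IDs: member added to / removed from a security-enabled group.
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
MEMBER_REMOVED = {4729: "global", 4733: "local", 4757: "universal"}

# Assumption: the groups this organization considers privileged or PII-bearing.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators",
                     "Finance-PII-Readers"}

# Constructed sample records, roughly in the order an audit feed would deliver them.
SAMPLE_EVENTS = [
    "time=2024-03-04T08:12:01|event_id=4728|actor=svc-hr-sync|member=jdoe|group=Finance-PII-Readers",
    "time=2024-03-04T08:40:13|event_id=4732|actor=bsmith|member=bsmith|group=Domain Admins",
    "time=2024-03-04T09:02:55|event_id=4728|actor=itadmin|member=tlee|group=Sales-Shared",
    "time=2024-03-04T17:30:00|event_id=4729|actor=svc-hr-sync|member=jdoe|group=Finance-PII-Readers",
    "time=2024-03-04T17:31:00|event_id=4725|actor=svc-hr-sync|member=jdoe|group=-",
]

# Constructed change tickets: (member, group, action) tuples that HR/IT approved.
APPROVED_TICKETS = {
    ("jdoe", "Finance-PII-Readers", "added"),
    ("jdoe", "Finance-PII-Readers", "removed"),
}


@dataclass(frozen=True)
class Alert:
    time: str
    actor: str
    member: str
    group: str
    action: str
    approved: bool
    self_grant: bool   # actor changed their own membership
    severity: str      # INFO (approved), MEDIUM (unapproved removal), HIGH (unapproved grant)


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' record into a dict with an integer event_id."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    fields["event_id"] = int(fields["event_id"])
    return fields


def review_membership_changes(lines, approved_tickets):
    """Return one Alert per change to a privileged group, graded by approval status."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev["event_id"]
        if eid in MEMBER_ADDED:
            action = "added"
        elif eid in MEMBER_REMOVED:
            action = "removed"
        else:
            continue  # account enable/disable etc. are handled elsewhere
        if ev["group"] not in PRIVILEGED_GROUPS:
            continue  # routine group changes stay in the report, not the alert queue
        approved = (ev["member"], ev["group"], action) in approved_tickets
        self_grant = ev["actor"] == ev["member"]
        if approved:
            severity = "INFO"
        elif action == "added":
            severity = "HIGH"
        else:
            severity = "MEDIUM"
        alerts.append(Alert(ev["time"], ev["actor"], ev["member"], ev["group"],
                            action, approved, self_grant, severity))
    return alerts


if __name__ == "__main__":
    for a in review_membership_changes(SAMPLE_EVENTS, APPROVED_TICKETS):
        flag = " (self-grant)" if a.self_grant else ""
        print(f"{a.severity:6} {a.time} {a.actor} {a.action} {a.member} -> {a.group}{flag}")
```

Run against the constructed feed, the two HR-driven changes to jdoe come out as INFO because a ticket covers them, while bsmith adding their own account to Domain Admins with no ticket is the one HIGH alert; the Sales-Shared change is not privileged and produces no alert at all. The same shape works for file-share ACL changes or cloud IAM role bindings once the parser is swapped for the relevant log format.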
4. Operate on a Least Privileges Model
One very common cause of insider threats is when users are granted access to data that is beyond the scope of their role, and they abuse those permissions. This can be very difficult to detect, as technically their accounts are accessing that data legitimately.
The best way to mitigate the risks of privilege abuse is to operate on a model of least privilege, where users only have access to the data and systems they need to do their job, nothing more. You’re going to have to give some of your users access to the most confidential information, but I’m willing to bet there are numerous users in your organization currently with this access that do not need it.
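To make the role review in section 2 and the least-privilege model above concrete, here is an added example (written for this article, not the author’s or Lepide’s code) of a periodic access review: each user’s actual group memberships are compared with the groups their current HR role requires, and the script reports what to revoke and what to grant. The role-to-group mapping, the high-risk group list, the users and their memberships are all constructed; in practice the memberships would come from the directory and the roles from HR.

```python
"""Periodic least-privilege access review over constructed role and membership data.

Added example, not vendor code. ROLE_ENTITLEMENTS, HIGH_RISK_GROUPS, MEMBERSHIPS
and ROLES are assumptions constructed for this illustration.
"""

# Assumption: which groups each role legitimately needs (the 'context' section 2 asks for).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"Finance-Reports", "Finance-PII-Readers"},
    "sales-rep": {"Sales-Shared", "CRM-Users"},
    "helpdesk": {"Helpdesk-Tools", "Account-Operators"},
}

# Assumption: groups where any membership not justified by a role is high risk.
HIGH_RISK_GROUPS = {"Domain Admins", "Account-Operators", "Finance-PII-Readers"}

# Constructed directory snapshot: user -> groups the account actually holds.
MEMBERSHIPS = {
    "jdoe": {"Finance-Reports", "Finance-PII-Readers"},                # matches role
    "tlee": {"Sales-Shared", "CRM-Users", "Finance-PII-Readers"},      # moved from finance, old group kept
    "bsmith": {"Helpdesk-Tools", "Account-Operators", "Domain Admins"},  # excess high-risk group
    "old-contractor": {"Sales-Shared"},                                 # no HR record at all
    "nmartin": {"Sales-Shared"},                                        # missing a required group
}

# Constructed HR feed: user -> current role. Leavers simply have no entry.
ROLES = {
    "jdoe": "finance-analyst",
    "tlee": "sales-rep",
    "bsmith": "helpdesk",
    "nmartin": "sales-rep",
}


def review_user(user, role, actual_groups, exceptions=frozenset()):
    """Compare one user's groups with their role; documented exceptions are not flagged."""
    required = ROLE_ENTITLEMENTS.get(role, set())
    actual = set(actual_groups)
    excess = actual - required - set(exceptions)
    missing = required - actual
    return {
        "user": user,
        "role": role,
        "revoke": sorted(excess),
        "grant": sorted(missing),
        "high_risk": sorted(excess & HIGH_RISK_GROUPS),
    }


def access_review(memberships, roles, exceptions=None):
    """Return a finding for every user whose access differs from their role.

    A user with memberships but no HR role (a leaver, or a contractor HR never
    recorded) gets every group listed for revocation.
    """
    exceptions = exceptions or {}
    findings = []
    for user, groups in memberships.items():
        role = roles.get(user)
        if role is None:
            findings.append({
                "user": user,
                "role": None,
                "revoke": sorted(groups),
                "grant": [],
                "high_risk": sorted(set(groups) & HIGH_RISK_GROUPS),
            })
            continue
        findings.append(review_user(user, role, groups, exceptions.get(user, frozenset())))
    # Users whose access already matches their role need no action.
    return [f for f in findings if f["revoke"] or f["grant"]]


if __name__ == "__main__":
    for f in access_review(MEMBERSHIPS, ROLES):
        print(f"{f['user']:15} role={f['role']!s:16} revoke={f['revoke']} "
              f"grant={f['grant']} high_risk={f['high_risk']}")
```

On the constructed data, jdoe produces no finding, tlee still holds Finance-PII-Readers from a previous role (the section 2 case), bsmith holds Domain Admins with no role that requires it, the contractor with no HR record has everything queued for revocation, and nmartin is missing CRM-Users. Running the review on a schedule, and again whenever HR reports a role change, turns the least-privilege principle into a repeatable check rather than a one-off clean-up.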
5. Implement Awareness Training
This is perhaps the best way to deal with those employees that become insider threats through carelessness. The only real way you can get an employee to pay closer attention to security policies and processes is to give them regular training on why they are in place. If, in the user’s mind, a policy exists with no reasoning behind it, they are far more likely to ignore it. However, train users on the consequences of ignoring the policies and they may actually take note. Training should also extend to the common cyber-security trends in the market so that they have a better chance of spotting a phishing attack, for example. It’s also wise to train employees on what to do if the worst happens and a data breach is discovered.