An insider threat is any threat that is posed to your organization by your own users. They can take many forms and can be both malicious and accidental. However, in general, insider threats can go unnoticed for long periods of time and the resulting data breaches can cause untold damage to both the reputation and bottom line of a business.
According to an Insider Threat Report produced by CA Technologies, over half of all organizations have experienced an insider threat-based attack in the last 12 months. Perhaps more concerning is that over 90% of those surveyed claimed to feel vulnerable to threats in the future.
Seeing as insider threats resulting in data breaches can cost a business millions of dollars, it’s important to know if you are at risk. Here are 8 signs that you could potentially be the next victim of a pesky insider threat.
1. You’re Going Through Organizational Changes
Usually, there are times in an organization’s lifecycle that point to an insider threat being more likely. If your business is undergoing a major change (an acquisition, redundancies, structural changes) then you need to double down on your insider threat detection and prevention.
Users may intentionally use the confusion and chaotic nature of major organizational changes to hide malicious activity. Similarly, something like a major structural change could lead to users having excessive permissions to sensitive data; drastically increasing the risk of an insider threat.
2. Someone Is Behaving Strangely
If a user is planning on becoming a premeditated, malicious insider threat then there may well be physical warning signs. Perhaps a user is visibly unhappy at work, complaining about money troubles, acting in an unprofessional manner or suddenly working unusual hours (such as at the weekend).
If you spot a user that is very openly behaving in a strange way or being derogatory towards the organization, the chances of them being the cause of a data breach improve drastically. Best to keep an eye on what these users are getting up to where your data is concerned.
3. Someone is About to Leave the Company
Any user that hands in their notice, is on gardening leave or has just been fired, is a huge risk to data security. If the parting is on rocky terms, then a leaving employee may be tempted to abuse their privileges for personal gain, or to hurt the company.
The best way to tackle this threat is through interdepartmental communication. The relevant department should immediately inform both HR and the IT/Security team that this user is leaving. The IT/Security team can then take the appropriate steps to revoke any access that user has to sensitive data.
4. An Employee is Accessing Sensitive Data
If you are proactively and continuously monitoring permissions to your most sensitive data (as is best practice to do), you will know which of your users currently have access and when these permissions change.
As a general rule of thumb, try to limit access to sensitive data as much as possible. Those users who do qualify for elevated permissions need to be monitored closely, even if they are administrators or C-Level executives. Anyone who is accessing sensitive data is a potential threat, even if they would never intentionally harm the organization.
5. You Are Seeing a Lot of Failed File Reads
High numbers of failed file reads are an indication that a user is attempting to access data that they do not have the permissions for. In some cases, a user could be trying to gain access to a file that contains valuable data in an attempt to copy, move or modify it.
Ideally, you should have a solution that enables you to set a threshold alert that will notify you whenever a large number of failed file reads occur over a short period of time. You should also be able to detect when a user attempts to access a file for the first time. Which leads me into the next point.
6. Anomalous User Behavior Related to Data Interactions
This one is pretty obvious. If you spot a user doing something they have never done before, it could be a sign that a data breach is underway. Some sophisticated security solutions are able to learn what is “normal behavior” for a user and will notify you whenever a single point anomaly occurs.
7. You Know Someone Else’s Password
Chances are, if you know someone else’s password in your organization, then there is a culture of password sharing and most likely a relaxed password policy. Attackers know that their easiest route to sensitive data is through privileged user accounts. Therefore, the passwords to these accounts need to be complex and regularly rotated.
8. You Have an Unnecessarily Large Attack Surface
Whilst performing your IT risk assessments (which should be done regularly), you may spot environment states that could pose a risk to your data. Large numbers of open shares, stale users and stale data all contribute to creating a larger attack surface for insider threats to exploit. If you identify these states, then you need to take action to clean up your environment.
These are some common signs of insider threats, but there are many more that we haven’t listed. If you still feel vulnerable, we recommend you come take a look at our insider threat detection and prevention solution – LepideAuditor. It could be exactly what you need to have in your arsenal to help you better defend against the most common cause of data breaches.