Enterprise Insider Threats and the Observer Effect

Last year, ransomware heavily dominated the international press with WannaCry and NotPetya becoming infamous examples of the evolution of malware. We are just over half way through 2018, but already we are seeing trends that suggest the most predominant cyber-security threat of the year will be that of the insider.

Already we have seen the effects of malicious insiders when, as reported earlier in the year, a disgruntled Tesla employee abused their privileges to steal sensitive data and distribute to third-parties. The insider in question also managed to tamper with Tesla code in what could have easily led to mortally dangerous circumstances for Tesla drivers and the SpaceX program. This kind of data breach serves to highlight the absolutely disastrous effects that an insider threat can potentially inflict.

The Two Types of Insider Threat

Generally, insider threats fall into one of two categories; the malicious and the accidental.

Malicious insiders may include disgruntled employees, whistle-blowers or simply over-privileged, untrustworthy, opportunistic users. Whatever the motive for the attack may be, the methods behind it are usually predictable. It’s likely that they have permissions to files and folders containing sensitive data (whether that is personally identifiable information or business secrets). These users will simply abuse the privileges they have to get access to valuable data and manipulate it in some way. Malicious insider threats can be very aggressive, quick and difficult to spot. They can also be both premeditated and opportunistic in nature. A user, for example, may find that they have access to a file they never though they would or should have access to. They could then use that opportunity to steal the data for personal gain.

Accidental insider threats usually come about as a result of carelessness. The insider does not intend to be the cause of a data breach but ends up mishandling sensitive data or exposing the organization to an incident. With these kinds of breaches, the main reason behind them is that users don’t understand the potential ramifications of their actions or the value of the data they have access to. This often leads to simple carelessness.

Insider Threats in Enterprises

You may think that enterprises are better equipped to deal with insider threats than SMBs, but I would argue that the opposite it true. Sure, most enterprises have huge cyber-security budgets to play with, but often the majority of that budget is spent fortifying the perimeter from external threats and deploying overly complex SIEM solutions.

In fact, more often than not, enterprises have a great deal of users that are capable of becoming insider threats and they struggle to keep a close eye the activity of those users. The fact that most insider threats exist due to over-privilege (users being awarded permissions to access sensitive files and folders where there is no real business need for them to do so) means that enterprises probably are the most at risk. The amount of sensitive data they store, the number of users with elevated permissions and the lack of easy communication between departments all adds up to a breeding ground for insider threats.

For example, in a company with 10,000 employees, if an employee changes their job role within the company, they may need a complete review of their permissions to determine what they need access to. This requires HR, IT and the department the employee is in to communicate and co-operate fully to ensure that the IT department knows that person’s role, the levels of access they need and what accesses to revoke. Unfortunately, logistically this isn’t always possible and often these situations go by without permissions reviews. This is how permissions could sprawl out of control in larger organizations.

How to Start Solving the Problem of Insider Threats

Despite insider threats being some of the most difficult cyber-security threats to completely eradicate, there are some things you can do to mitigate the risks of experiencing one.

For malicious insider threats, the best thing you can do is revoke levels of access down to the bare minimum. Operate on what is known as a Policy of Least Privilege (PoLP), where users only have access to the files and folders they need and nothing more. Sounds like common sense, right? I guarantee that if you were to review who has access to your sensitive data, you could pick out a few users who didn’t need it. Theoretically, only very senior staff members (such as Directors) would need to have access to files and folders containing PII, for example.

For accidental insider threats, the PoLP theory will also go a long way to preventing data breaches. However, as a lot of these breaches occur due to users not knowing the value of the data or how to handle it, a valuable method for mitigating the risk is through education. We’ve written a blog on this topic that goes through some of the key techniques you can use to make sure your security awareness training sticks.

The Observer Effect

One absolutely invaluable method for reducing the risks of insider threats is what we like to refer to as the Observer Effect. Simply put, if your users (especially your privileged users) believe they are being watched, they are far more likely to be careful and not purposefully abuse their privileges.

By deploying a third-party solution like Lepide Active Directory Auditor to monitor privilege user activities, you can get real time, actionable information on changes your most privileged users are making to your critical data. You can also determine who has permissions to sensitive files, folders and the systems surrounding them and be alerted if those permissions change. You can, if you are so inclined, monitor the screens of your users and send them warning messages when you spot something you don’t like.

Using a change auditing and monitoring solution gives you actual, tangible, valuable insight into what your privileged users are up to and will also feed into that Observer Effect. Once your users know such solution is in place, they will certainly think twice before accessing and modifying critical data.