It’s not always easy to define what constitutes an insider threat, since most security incidents are, in one way or another, the consequence of either negligent or malicious employees. What we do know is that insider threats continue to plague organizations across the globe.
According to a recent report by CA Technologies, a majority (53%) of businesses have experienced an insider attack in the past 12 months. The question remains, what can we do to better manage the security threats that emerge from within?
Organizations should carry out comprehensive background checks on new or prospective employees. These checks should cover any criminal history, the candidate's work history and references from previous employers, and verification of every certificate and qualification the candidate presents. Essentially, you want to confirm that they are honest and reputable.
Given that there may be legal issues associated with carrying out background checks, it may be a good idea to outsource them to a trusted third party, such as a law firm or a private investigation firm. Any checks that are carried out must also be done in a way that is demonstrably fair and non-discriminatory; otherwise they could provoke a backlash, which might even manifest as a security incident.
Some companies address this by carrying out the checks only after a position has been offered, so that the offer is conditional on the result. Of course, employees must be made aware of any such conditions in advance, and the checks must be completed in a timely manner.
Risk Assessments and Policies
Organizations must carry out a formal risk assessment, which involves cataloguing the information they store and process and deciding who should have access to it, why, and how. They will need to compile a list of the employees who currently have access to each critical asset, compare it with the list of those who should have access and under what conditions, and reconcile the two.
Organizations will also need to implement security policies that define the roles and responsibilities of their employees, and these policies must be clearly communicated and enforced. Enforcement must be seen to be fair, in order to reduce the chance of antagonizing staff members.
Monitoring Suspicious Events
It is crucial that organizations have as much visibility as possible into the events that take place on their network. They need visibility into the traffic that enters and leaves the network and the traffic that flows between endpoints. Perhaps more importantly, they need to know who made changes to their critical assets, what was changed, from where, and when.
For monitoring traffic flows there are various tools which can be used, such as firewalls, Intrusion Detection and Prevention Systems (IDPS), and Data Loss Prevention (DLP) solutions, which can detect and block sensitive data as it leaves the network (bearing in mind that DLP can only inspect traffic it can read, so encrypted channels it cannot decrypt are a blind spot). Additionally, SIEM solutions can be used to aggregate and correlate log data from multiple sources and alert on suspicious events. These solutions are no doubt very useful; however, on their own they provide limited protection against malicious or negligent insiders, because an insider's traffic is legitimate, authenticated and usually indistinguishable from normal work at the network layer.
Organizations must therefore focus their attention on User Behavior Analytics (UBA), which, as the name suggests, is based on establishing what normal behavior looks like for each user and flagging departures from it. Data-Centric Audit and Protection (DCAP) solutions provide a wealth of information about how your critical data is being created, accessed, modified and deleted.
On top of this, they provide a detailed record of events relating to access privileges, such as when permissions were created and when they changed. DCAP solutions also provide real-time alerts and customizable reports, to ensure that you have the visibility you need, when you need it.
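To make the UBA idea concrete, here is an added example (not code from the original article, and not from any DCAP or UBA product) that builds a per-user baseline from a few days of file-audit events and then flags three of the behaviors described above on a later day: an access volume well above the user's norm, activity outside the user's usual hours, and any change to access privileges. The log format (timestamp,user,action,resource), the action names, the thresholds and the sample events are all assumptions constructed for the example.

```python
"""Minimal user-behaviour baseline over constructed file-audit log lines.
Added example; not from the original article or any DCAP/UBA product. The log
format, action names, thresholds and sample data are assumptions."""
import statistics
from collections import defaultdict
from datetime import date, datetime

# Constructed sample audit log (not real data): timestamp,user,action,resource.
# alice's first four days are her normal pattern; on 2024-03-08 she reads many
# finance files late at night and then changes an ACL. bob is a control case.
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice,READ,/finance/q1.xlsx
2024-03-04T10:03:00,alice,READ,/finance/q2.xlsx
2024-03-05T09:30:00,alice,READ,/finance/q1.xlsx
2024-03-05T11:15:00,alice,MODIFY,/finance/q1.xlsx
2024-03-05T13:00:00,alice,READ,/finance/q3.xlsx
2024-03-06T09:05:00,alice,READ,/finance/q3.xlsx
2024-03-06T14:20:00,alice,READ,/finance/q2.xlsx
2024-03-07T09:00:00,alice,READ,/finance/q1.xlsx
2024-03-07T09:45:00,alice,READ,/finance/q2.xlsx
2024-03-07T15:30:00,alice,MODIFY,/finance/q2.xlsx
2024-03-04T08:50:00,bob,READ,/hr/handbook.pdf
2024-03-05T09:10:00,bob,READ,/hr/handbook.pdf
2024-03-06T09:00:00,bob,READ,/hr/policies.docx
2024-03-07T09:20:00,bob,READ,/hr/handbook.pdf
2024-03-08T09:15:00,bob,READ,/hr/policies.docx
2024-03-08T23:02:00,alice,READ,/finance/q1.xlsx
2024-03-08T23:05:00,alice,READ,/finance/q2.xlsx
2024-03-08T23:07:00,alice,READ,/finance/q3.xlsx
2024-03-08T23:09:00,alice,READ,/finance/q4.xlsx
2024-03-08T23:12:00,alice,READ,/finance/payroll.xlsx
2024-03-08T23:15:00,alice,READ,/finance/budget.xlsx
2024-03-08T23:40:00,alice,ACL_CHANGE,/finance
"""

# Assumed action names that represent a change to access privileges.
PRIVILEGE_ACTIONS = {"ACL_CHANGE", "GRANT", "REVOKE"}


def parse_events(text):
    """Parse the assumed CSV-style audit format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, resource = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource})
    return events


def build_baseline(events, before_date):
    """Per-user normal behaviour from all events dated before `before_date`:
    a daily-volume threshold and the range of hours the user is usually active."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> event count
    hours = defaultdict(list)                      # user -> hours seen
    for e in events:
        if e["ts"].date() >= before_date:
            continue
        daily[e["user"]][e["ts"].date()] += 1
        hours[e["user"]].append(e["ts"].hour)
    baseline = {}
    for user, days in daily.items():
        counts = list(days.values())
        mean, sd = statistics.mean(counts), statistics.pstdev(counts)
        # mean + 3 sigma, with a 2x-mean floor so a near-zero-variance
        # baseline does not alert on every ordinary day.
        baseline[user] = {"volume_threshold": max(mean + 3 * sd, 2 * mean),
                          "hour_min": min(hours[user]),
                          "hour_max": max(hours[user])}
    return baseline


def detect(events, baseline, on_date, hour_slack=1):
    """Evaluate one day's events against the baseline and return alert dicts."""
    per_user = defaultdict(list)
    for e in events:
        if e["ts"].date() == on_date:
            per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        # Privilege changes are always reported, baseline or not.
        for e in evs:
            if e["action"] in PRIVILEGE_ACTIONS:
                alerts.append({"user": user, "rule": "privilege_change",
                               "detail": f"{e['action']} on {e['resource']} at {e['ts']:%H:%M}"})
        b = baseline.get(user)
        if b is None:
            alerts.append({"user": user, "rule": "no_baseline",
                           "detail": f"{len(evs)} events from a user with no history"})
            continue
        if len(evs) > b["volume_threshold"]:
            alerts.append({"user": user, "rule": "volume_spike",
                           "detail": f"{len(evs)} events, threshold {b['volume_threshold']:.1f}"})
        off = [e for e in evs
               if not b["hour_min"] - hour_slack <= e["ts"].hour <= b["hour_max"] + hour_slack]
        if off:
            alerts.append({"user": user, "rule": "off_hours",
                           "detail": f"{len(off)} events outside "
                                     f"{b['hour_min']:02d}-{b['hour_max']:02d}h"})
    return alerts


def run(log_text=SAMPLE_LOG, on_date=date(2024, 3, 8)):
    """Baseline on everything before `on_date`, then detect on `on_date`."""
    events = parse_events(log_text)
    return detect(events, build_baseline(events, on_date), on_date)


if __name__ == "__main__":
    for a in run():
        print(f"[{a['rule']}] {a['user']}: {a['detail']}")
```

Running it reports three alerts for alice on 2024-03-08 (a privilege change, a volume spike and off-hours activity) and nothing for bob; running it with `on_date=date(2024, 3, 7)` reports nothing, because that day matches her established pattern. In a real deployment the baseline would be computed over weeks rather than days, refreshed as behaviour legitimately changes, and combined with the resource sensitivity and permission context a DCAP product records, but the shape of the logic is the same.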