As organizations across the globe continue to grapple with Covid-19 and the abrupt shift from a predominantly office-based working environment to a predominantly remote working environment, the question of how to effectively navigate insider risk has become a hot topic.
NOTE: I will use the terms “insider risk” and “insider threat” interchangeably. Even though some consider an insider threat to be a subset of insider risk, they still essentially refer to the same problem.
We now live in a world where our employees and our data could be theoretically located anywhere in the world, and thus, our focus has shifted from a perimeter-based security paradigm to one that is centered around people and data. Insider risks can originate from many unexpected sources. They can be initiated by former employees, agency staff, service providers, supply chain partners, and even managers and executives. Solving the problem of securing sensitive data in such a complex, dynamic, and distributed environment requires a distributed and multi-pronged approach.
Get the Free Guide Explaining How to Mitigate Cyber Attacks
What is Insider Risk?
One of the first challenges we face when it comes to dealing with insider risk is that it’s hard to define what an insider risk actually is. For example, insider risks are typically broken up into three categories; negligent, malicious, and compromised. What you might notice is that most security threats are, in some way or another, caused by negligent, malicious, or compromised users.
For example, we wouldn’t typically categorize an SQL injection attack as an insider risk. However, if the attack exploited an unsecured web form, then one could argue that it was still technically an insider risk, as the programmer responsible for securing the web form failed to scrutinize their code and test the form properly. As ambiguous as the term might be, we can define an insider risk as a threat that comes from the people within your organization.
What is the Scale of the Problem?
According to the 2020 Verizon data breach report, 30% of data breaches are caused by internal actors. 62% of which were the result of negligence, 23% were malicious and 14% were caused by compromised user accounts. It’s important to note that even though the majority of breaches were caused by employee negligence, breaches caused by malicious actors or compromised user accounts tend to be more costly to address, and so they should be treated with the same level of importance.
What Types of Insider Risk Pose the Greatest Threat?
A recent survey suggests that 42% of organizations believe that “Accidental data leak” is their primary concern, with a further 30% citing “Malicious data theft.” Other options included application and system misuse, financial and legal fraud, and nation-state espionage. It stands to reason that accidental data leaks are the most likely form of insider threat that you would experience. However, malicious data theft may pose more risk in terms of the actual damage that could be caused.
Tips for Managing Insider Risk
As mentioned previously, most security incidents could, in some way or another, be attributed to a negligent, malicious, or compromised insider. As such, it is important to prioritize as opposed to trying to “boil the ocean”, as they say.
Below are some of the most important areas that need to be addressed in order to mitigate, respond and recover from insider threats.
To prevent data loss and theft, it is imperative that you know exactly what data you have and where it is located. As such, the obvious first step would be to discover and classify your sensitive data, as doing so will make it easier to assign the appropriate access controls and keep track of any activity involving your most critical assets.
Restricting access rights
One of the dangers of compromised users is that an adversary will have “legitimate” access to your network, and it can take months until your security team finds out about it. It is always a good idea to ensure that access permissions are granted on a need-to-have basis, and when they are no longer relevant, they must be revoked, as that will limit what the adversary can do were they to gain access to your network. Likewise, it’s a good idea to automate the process of identifying and disabling any inactive user accounts.
Keep a close eye on who has access to your sensitive data, and what they are doing with it. Make sure that you keep have a detailed and immutable log of all relevant activity, and receive real-time alerts anytime your sensitive data is accessed, shared, moved, modified, or removed.
Cloud storage configuration
Many data breaches are caused by misconfigured cloud storage containers. As such, you must make sure that you carefully review the configuration options before storing sensitive data in the cloud.
Security awareness training
If employee negligence accounts for the majority of insider risks, then it goes without saying that security awareness training is a top priority. At a minimum, employees must be trained to identify spam, phishing and social engineering attempts.
All sensitive data should be encrypted, both at rest and in transit. That way, if an employee accidentally loses a portable device containing sensitive data, anyone who finds the device will need the decryption key in order to access the actual data.
It’s sometimes the case where a former employee has access to sensitive data even after they have left the organization. In some cases, the former employee will exploit their access to steal or expose sensitive data – perhaps for the sake of revenge, for financial gain, for use in their new job, or for some other reason. Whatever the reason, you must ensure that you have well-documented procedures to follow when terminating an employee’s contract.
In addition to the points mentioned above, you will need to ensure that you know what devices you are ready to support. You will need to establish a set of ground rules so that your employees know what they can and can’t do, and what you (the employer) can and can’t do. For example, employees must be made aware of any auditing software, remote wiping software or mobile device management (MDM) software installed on their device. You must also ensure that all devices are password-protected, and have policies in place that stipulate what applications a user can and can’t install on their device.