Insider Threat: A Guide to Detect and Prevent Insider Threats

By Philip Robinson, 02.12.2019, Data Security

Whether you are a top-secret government branch, enterprise brand or a small business, insider threats should be top of your list of concerns right now.

It doesn’t matter if you’re storing documents with market-disrupting business plans, proof of alien life or even just a few credit card numbers; the value of data has grown exponentially over the last 5 years.

You may think that your employees would never be so stupid as to share your sensitive data with third parties. Unfortunately, history tells us that they will. With the price that data fetches on the black market at an all-time high, and organizations still not taking data security as seriously as they should, data breaches are happening all the time. And consistently we are seeing that the cause of those data breaches is insiders – your own employees.

What is an Insider Threat?

Insider threats can essentially be defined as security threats that originate from within the organization rather than from somewhere external. They often take the form of an employee or someone with access to a privileged user account. Insider threats are not necessarily current employees: anyone who has, or once had, access to sensitive information can be considered a potential insider threat.

Types of Insider Threat

Insider threats can take many forms, from an organized attack on a company’s trade secrets to completely unintentional data leakage. Usually, an insider threat will simply look like one of your employees doing their job.

The sheer volume of sensitive data that passes through your organization means that you’re likely to have a large potential attack surface for insider threats to originate from. Your employees with privileged access will probably have to access and move that data at some point as part of their role. A lot of the time, this data isn’t shared securely, with employees often relying on cloud services or unsecured email.

If your organization has a large number of users with privileged levels of access, then it’s just a matter of time before an opportunist steals data for personal gain or a negligent employee shares it unwittingly.

Here are some of the types of insider threats to watch out for:

  • Disgruntled employees: Employees leaving the business, passed up for a raise or promotion, or anyone feeling disgruntled may look to take that out on the organization itself.
  • Malicious insider: An employee that looks to actively harm the organization through targeted attacks for any reason.
  • Negligent Employee: Someone that ignores security awareness training, best practices and is likely to be the one that falls for that phishing scam.
  • Whistleblowers: Insiders who believe they are doing the right thing by leaking the intellectual property or business secrets of the organization.

The Cost of an Insider Threat

Insider threats are one of the most common causes of data breaches worldwide, and they can often lead to the most expensive data breaches. The actual cost of the breach depends on the type of insider threat.

Research conducted by the Ponemon Institute suggests that an insider threat originating from a negligent employee costs, on average, $283,281 per incident. If the incident involves an insider intentionally stealing data, that cost rises to $648,845.

The cost of insider threats in general rises depending on the size and sector of your organization. Larger organizations with over 75,000 people spent on average $2,081 million on recovering from an insider threat. Organizations in financial services, energy and utilities, and industrial and manufacturing were the most affected.

Not something you can afford to ignore!

Preventing Insider Threats – Why Is It Difficult?

Due to their nature, insider threats can be almost impossible to prevent completely. An employee with legitimate access to sensitive data may become an insider threat at any point in time. The best way to minimize your potential attack surface is to operate on a policy of least privilege, where users only have access to the data they need to do their job.

Take a step back and look at who really needs to have access to customer information, PII and trade secrets. Communicate within departments so that when an employee leaves or changes positions, their privileges are revoked or amended accordingly.

Detecting Insider Threats – Why Is It Difficult?

Insider threats are inherently more difficult to detect because they can look just like your employees doing their jobs as normal. A former employee using their old credentials to log in and copy the files and folders they still have access to will not raise any alarms. Insider threats like this can go undetected for years, accumulating serious damage.

The best way to detect an insider threat is to monitor user behavior and generate alerts when anomalous activity is spotted. Unfortunately, native auditing is not well suited to this: it lacks reporting capabilities and is, in general, too hands-on a method.

What you really want to look into is using a Data Security Platform that proactively and continuously monitors sensitive data, permissions and user behavior.

LepideAuditor – A Complete Solution for Insider Threat Detection and Prevention

There are four steps you should take to improve your insider threat detection and prevention. All of these steps can be achieved with Lepide’s award-winning Data Security Platform – LepideAuditor.

First, you need to know where your sensitive data is. Discovering and classifying sensitive data as it’s created will help you focus your data security efforts on the data that matters most and avoid taking a blanket approach.

Secondly, once you know where this data is, you need to know who has the ability to access it. These are your potential insider threats. These are the people that you need to watch like a hawk. It doesn’t matter if they are a junior admin or the CEO himself, the security team has a responsibility to treat every privileged user as a potential insider threat.

Next, determine what normal user behavior looks like for these employees and set up alerts for when behavior deviates from this norm. This doesn’t necessarily have to be a spike in activity; even a single-point anomaly can indicate a potential data breach.

Lastly, ensure that the environment surrounding your sensitive data is as secure as it can be. Limit the number of open shares (or get rid of open shares completely if you can), clean up stale accounts, and monitor the health of your critical systems to ensure that your environment isn’t putting your data at risk.
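To make the behavior-monitoring idea from the detection section and the four steps above concrete, here is an added example (not LepideAuditor code or anything from Lepide) of a minimal per-user baseline and alerting check over constructed file-share audit events. The share names, user names, counts and the stale-account list are all made up; a real deployment would feed in classification output and HR leaver data instead.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit events, one per user per day: (day, user, share, files_read).
# These are made-up values for illustration, not output of any real auditing tool.
BASELINE = [
    (1, "alice", r"\\fs1\finance", 40), (2, "alice", r"\\fs1\finance", 45),
    (3, "alice", r"\\fs1\finance", 38), (4, "alice", r"\\fs1\finance", 42),
    (1, "bob", r"\\fs1\hr", 10), (2, "bob", r"\\fs1\hr", 12),
    (3, "bob", r"\\fs1\hr", 9), (4, "bob", r"\\fs1\hr", 11),
    (1, "carol", r"\\fs1\legal", 5), (2, "carol", r"\\fs1\legal", 6),
]
# Step 1 output (assumed): shares that discovery/classification marked as sensitive.
SENSITIVE_SHARES = {r"\\fs1\finance", r"\\fs1\hr", r"\\fs1\legal"}
# Step 4 input (assumed): accounts HR reports as left/disabled whose credentials may still work.
STALE_ACCOUNTS = {"carol"}


def build_profiles(events):
    """Step 3: per-user baseline of which shares they touch and their daily read volume."""
    shares, daily = defaultdict(set), defaultdict(list)
    for _day, user, share, n in events:
        shares[user].add(share)
        daily[user].append(n)
    return {u: {"shares": shares[u], "mean": mean(daily[u]), "std": pstdev(daily[u])}
            for u in shares}


def detect(profiles, event, z=3.0):
    """Return the alert reasons for one new event; an empty list means 'looks normal'."""
    _day, user, share, n = event
    alerts = []
    if user in STALE_ACCOUNTS:
        # A former employee's credentials being used looks like normal work to a
        # behaviour-only check, so the account status itself has to raise an alert.
        alerts.append("stale-account-active")
    prof = profiles.get(user)
    if prof is None:
        return alerts + ["no-baseline"]
    # Single-point anomaly: even one read of a sensitive share this user never touched.
    if share in SENSITIVE_SHARES and share not in prof["shares"]:
        alerts.append("first-access-sensitive-share")
    # Volume anomaly: reads far above the user's own norm (std floored at 1 so a flat
    # baseline does not alert on a change of a single file).
    if n > prof["mean"] + z * max(prof["std"], 1.0):
        alerts.append("volume-spike")
    return alerts
```

Running `detect(build_profiles(BASELINE), event)` for each new day's events gives an empty list for routine work and one or more reasons otherwise, which is the signal a security team would route to review.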

Want to see us demonstrate how LepideAuditor helps detect insider threats? Book a personalized demo with one of our engineers today.