Insider Threats Don’t Apply to Me…Do They?

by Philip Robinson, 12.12.2018, Data Security

It’s quite frustrating (especially if you work for a vendor specializing in detecting and preventing insider threats) when organizations falsely assume that insider threats don’t apply to them.

Despite being responsible for around 30% of all cybercrime, insider threats don’t seem to get the same attention when it comes to security budgets as preventing external attacks, for example. It seems that both SMEs and Enterprise organizations believe themselves to be immune to such threats.

To be clear, the number of organizations beginning to take insider threats more seriously (particularly in the light of more stringent compliance regulations) is increasing year on year. However, education as to the causes and implications of insider threats is still failing to permeate through all departments, with the IT/security team tending to be the only department aware of the risks.

The lack of cybersecurity awareness is pervasive throughout the C-Suite and cascades down throughout the respective departments as a result of this. For enterprise organizations, if the Sales Director or the CMO aren’t abiding by good cybersecurity practices then that kind of behavior trickles down throughout the organization, creating numerous potential insider threats.

Conversely, many SME owners believe that, because they only employ a small number of people (or perhaps only employ friends and family), being the victim of an insider threat is less likely. This simply isn’t the case. Even if you could guarantee that none of your employees will opportunistically steal sensitive data for personal gain (which you can’t), the majority of data breaches perpetrated by insiders are accidental.

I could write thousands upon thousands of words on how the best way to deal with insider threats is to adopt a data-centric approach to security (and, more specifically, a data-centric audit and protection solution like LepideAuditor) but you probably wouldn’t want to read it. It goes without saying that you will need a solution if you want to fully address the problem, but a solution on its own isn’t enough. There are some more educational steps you can take to mitigate the risks as well.

Know Who Your Employees Are

Before you hire anyone, regardless of their position within the organization, you can take steps to reduce the potential for insider threat behavior. The simplest of background checks should be done to assess criminal history, education, whether the employee has lied on their résumé or application, and more. It would also be wise, when calling references, to ask about the prospect’s previous competency, relationship with co-workers, behavior, etc.

This can sound like a lot of work (or expensive if you plan on outsourcing it) if you are regularly hiring people, but you will only have to do these checks on those to whom you offer the role. Just be sure to mention that the offer is reliant upon the background check being satisfactory.

Now, I’m not saying that you shouldn’t hire people based on their background. Affirmative action is a good thing and someone’s background doesn’t necessarily mean that they will be a threat to your data security. However, it is probably wise to closely monitor those employees that you believe to be a bigger threat.

Getting to know your employees doesn’t stop after the hiring process though. Without being too invasive, you should make an effort to get to know your employees on a more personal level. What have they got going on in their personal lives that might lead to them becoming an insider threat? If John in Accounts has just gone through a tough divorce and is struggling financially, it might be wise to monitor his actions where sensitive files and folders are concerned.

Regular Risk Assessments

The process is simple: determine where your valuable assets are, who has access to them, what changes are being made to the assets or their permissions, and whether the environment around them is secure.

For the discovery phase, you should locate, tag and classify where your most sensitive data resides in your infrastructure. This could be anything from personally identifiable information to critical business secrets. Once you know where this data is, you can keep a special eye on who has access to it and what changes are being made to it.

Once you’ve located your sensitive files and folders, determine who has permissions to access and modify them. These people are going to be your biggest insider threats and the ones that could do you the most damage. Are you operating on a policy of least privilege? If not, then you need to review who has access to what.

Once you’ve identified the key players in your IT environment, it’s time to be the eye in the sky. You need to be proactively and continuously monitoring the activities of your privileged users and analysing user and entity behavior. Once you have established what normal behavior looks like for these users, you will be able to identify how often anomalous events occur.

Finally, you should take notice of all the potential risks in your surrounding environment. For example, how many stale users do you have? Stale users could provide a doorway into your critical files and folders that an insider could use to cover their tracks.
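As an added example (not part of the original post, and not LepideAuditor code), the script below implements the last two steps of the assessment against a constructed file-server audit log: it baselines each user’s daily access to the sensitive shares, flags a day that jumps well above that user’s own history, and lists accounts that still hold rights on those shares but have not logged on in 90 days. The share paths, user names, ACLs and records are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data (not real audit output); eve has never logged on.
SENSITIVE = (r"\\fs1\Finance", r"\\fs1\HR")
ACL = {r"\\fs1\Finance": {"alice", "carol", "eve"}, r"\\fs1\HR": {"bob", "carol", "dave"}}
LAST_LOGON = {"alice": datetime(2018, 12, 7), "bob": datetime(2018, 12, 7),
              "carol": datetime(2018, 8, 15), "dave": datetime(2018, 11, 30)}

def constructed_audit():
    """Access records (user, timestamp, path, action): alice reads payroll twice a
    day for four days, then nine times one evening; bob reads one HR file a day,
    then three; carol and eve never appear."""
    recs = []
    for day in range(3, 7):
        recs += [("alice", f"2018-12-{day:02d}T09:00", r"\\fs1\Finance\payroll.xlsx", "read")] * 2
        recs.append(("bob", f"2018-12-{day:02d}T10:00", r"\\fs1\HR\reviews.docx", "read"))
    recs += [("alice", "2018-12-07T18:30", r"\\fs1\Finance\payroll.xlsx", "read")] * 9
    recs += [("bob", "2018-12-07T10:00", r"\\fs1\HR\reviews.docx", "read")] * 3
    return recs

def daily_counts(audit, sensitive=SENSITIVE):
    """Per user, how many accesses per day touched a sensitive share."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, ts, path, _action in audit:
        if path.startswith(sensitive):
            counts[user][ts[:10]] += 1
    return counts

def anomalous_days(audit, k=2.0, min_history=3):
    """Flag a day whose count exceeds mean + k*stdev of the user's own earlier days;
    stdev is floored at 1 so a flat history still needs a real jump to alert."""
    flagged = []
    for user, per_day in daily_counts(audit).items():
        days = sorted(per_day)
        for i in range(min_history, len(days)):
            history = [per_day[d] for d in days[:i]]
            threshold = mean(history) + k * max(pstdev(history), 1.0)
            if per_day[days[i]] > threshold:
                flagged.append((user, days[i], per_day[days[i]]))
    return flagged

def stale_accounts(acl=ACL, last_logon=LAST_LOGON, now=datetime(2018, 12, 12), max_idle_days=90):
    """Accounts still holding rights on a sensitive share that have not logged on
    within max_idle_days (or ever): the dormant doorway an insider could borrow."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = {u for users in acl.values() for u in users
             if last_logon.get(u) is None or last_logon[u] < cutoff}
    return sorted(stale)
```

Bob’s jump from one to three reads stays inside his threshold, while Alice’s nine evening reads against a steady two a day is flagged; carol and eve are reported as stale holders of rights on the shares.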

If this sounds like a lot of work, that’s because it is. I’m not suggesting you deploy a data-centric audit and protection solution solely because I work for a vendor that sells one (not entirely, at least). It genuinely is the best way to assess the risk of your IT environment, improve your data security and mitigate the risks of insider threats.

If you don’t believe me then let me show you. We provide a free risk assessment service that enables you to see where the gaps in your security are using our solution. It’s completely free, no obligation and we do all the heavy lifting for you. What have you got to lose?
