Whether you are a top-secret government branch, enterprise brand, or a small business, insider threats should be top of your list of concerns right now.
It doesn’t matter if you’re storing documents with market-disrupting business plans, proof of alien life, or even just a few credit card numbers; the value of data has grown exponentially over the last 5 years.
You may think that your employees would never be so stupid as to share your sensitive data with third parties. Unfortunately, history tells us that they will. With the price that data fetches on the black market at an all-time high, and organizations still not taking data security as seriously as they should, data breaches are happening all the time. And consistently we are seeing that the cause of those data breaches is insiders – your own employees.
What is an Insider Threat?
Insider threats can essentially be defined as a security threat that starts from within the organization as opposed to somewhere external. This often takes the form of an employee or someone with access to a privileged user account. Insider threats do not necessarily have to be current employees. Anyone with current access or who once had access to sensitive information can be considered a potential insider threat.
Types of Insider Threat
Insider threats can take many forms, from an organized attack on a company’s trade secrets to completely unintentional data leakage. Usually, an insider threat will simply look like one of your employees doing their job.
The sheer volume of sensitive data that passes through your organization means that you’re likely to have a large potential attack surface for insider threats to originate from. Your employees with privileged access will probably have to access and move that data at some point as part of their role. A lot of the time, this data isn’t shared securely, often with employees relying on cloud services or their unsecured email.
If your organization has a large number of users with privileged levels of access, then it’s just a matter of time before an opportunist steals data for personal gain or a negligent employee shares it unwittingly.
Here are some of the types of insider threats to watch out for:
- Disgruntled employees: Employees leaving the business, passed up for a raise or promotion, or anyone feeling disgruntled may look to take that out on the organization itself.
- Malicious insider: An employee that looks to actively harm the organization through targeted attacks for any reason.
- Negligent employee: Someone who ignores security awareness training and best practices, and is likely to be the one who falls for that phishing scam.
- Whistleblowers: Insiders who believe they are doing the right thing by leaking the intellectual property or business secrets of the organization.
Insider Threat Examples
We have already spoken about the categories that insider threats generally fall into; now let’s look at some examples of specific insider threats that might occur:
A recently fired employee: Perhaps you have recently fired an employee and they are not too happy about it. This person, who may feel betrayed or worried about their financial future, might take it upon themselves to abuse their existing permissions for either personal financial gain or to cause disruption to the business.
The way to overcome this challenge is to ensure that permissions are revoked as early as possible.
Someone with money troubles: Employers often have no idea whether their employees are going through financial difficulties. Unfortunately, there have been numerous cases of such employees copying sensitive information, deleting it, and then attempting to sell it on the dark web for financial gain.
Another similar example is if an employee dreams of starting their own rival business, they may copy client information or intellectual property to aid them in doing so.
The only way to detect this kind of behavior is through anomaly spotting and user behavior analytics; spotting when sensitive data is copied, moved, modified and deleted.
Someone believing they are doing the right thing: Some employees take it upon themselves to reveal private information to the public, if they believe that information should be in the public domain. They do this by abusing their access to sensitive information and moving or copying that information.
Again, the way to detect this kind of behavior is through proactive and continuous user behavior analytics.
The Phishing victim: We have seen a rise in phishing attacks that corresponds with the rise in remote working. Employees need to be extra vigilant but unfortunately some do fall victim to the more sophisticated attacks. An employee of yours might click on a link from an email that looks as though it was sent from the IT department or from their CEO. This might lead to attackers gaining access to sensitive information and exfiltrating it for whatever purpose they wish.
The way to handle this is to make sure employees are aware of the threats that are out there and also to continuously monitor user access to and interactions with sensitive data.
The Cost of an Insider Threat
Insider threats are one of the most common causes of data breaches worldwide, and they can often lead to the most expensive data breaches. The actual cost of the breach depends on the type of insider threat.
Research conducted by the Ponemon Institute suggests that an insider threat originating from a negligent employee costs, on average, $283,281 per incident. If the incident involves an insider intentionally stealing data, that cost rises to $648,845.
The cost of insider threats in general rises depending on the size and sector of your organization. Larger organizations with over 75,000 people spent on average $2,081 million on recovering from an insider threat. Organizations in financial services, energy and utilities, and industrial and manufacturing were the most affected.
Not something you can afford to ignore!
Tips to Prevent Insider Threats
Due to their nature, insider threats can be almost impossible to prevent completely. Any employee with legitimate access to sensitive data may become an insider threat at some point in time.
The Policy of Least Privilege
The best way to minimize your potential attack surface is to operate on a policy of least privilege where users only have access to the data they need to do their job.
Take a step back and look at who really needs to have access to customer information, PII, and trade secrets. Communicate within departments so that when an employee leaves or changes positions, their privileges are revoked or amended accordingly.
Once you have identified who your most privileged users are, you should implement strict authentication controls beyond simple user ID and password combinations to ensure that those accounts are secure. Multi-factor authentication should be standard, and if passwords are a part of that, they should be regularly changed.
Another massive step in preventing insider threats is employee awareness. Make sure you are educating your users as to what a phishing email looks like, the dangers of misplacing files or using public WiFi hotspots and more. Not only will this potentially prevent that individual from becoming an insider threat themselves, it may also enable them to spot other insider threats amongst their colleagues. All too often, colleagues may feel awkward reporting suspicious behavior to the information security team. Make sure you sit down with your employees and ensure they know that there is an open door policy where they can remain anonymous should there be something they wish to report.
Reduce Your Attack Surface
Lastly, as a point of good practice, you should make a point of cleaning up and removing stale accounts, stale data and open shares. This will limit the potential attack surface and make it that much harder for an attacker to gain access.
Tips to Detect Insider Threats
Insider threats are automatically more difficult to detect because they can just look like your employees doing their job as normal. A former employee using their old credentials to log in and copy files and folders they still have access to will not raise any alarms. Insider threats like this can often go undetected for years and add up to serious damage.
User Behavior Analytics
The best way to detect an insider threat is to monitor user behavior and generate alerts when anomalous activity is spotted. A more sophisticated Data Security Platform will use machine learning to build up a picture of what normal user behavior looks like and can then produce alerts in real time when behavior deviates from this norm. We’re even talking about single-point anomalies here: one event that is out of character is enough to warrant an alert.
Some user behavior we should be on the lookout for might include a user copying a file containing sensitive data, a large number of files being moved, modified or copied in a short period of time, or even files containing sensitive data being deleted. When we know what to look for, identifying the signs of insider threats becomes a lot easier.
We should also be on the lookout for any changes to permissions that may result in over-privileged users. These permission changes could lead to users being granted unnecessary access to sensitive data, which only increases your potential attack surface.
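The rules described above (sensitive files copied or deleted, bursts of copy/move/modify activity, permission changes, and single-point anomalies against a per-user baseline) written out as a small detector over constructed file-audit events. This is an added illustration, not Lepide’s code or output format; the event tuples, the share-name baseline and the alert names are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-audit events (not real logs): time, user, action, path, is_sensitive.
# dave copies 25 client files one minute apart, which should trip the burst rule.
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "read",   "\\\\fs1\\finance\\q1.xlsx", True),
    ("2024-03-01T09:05:00", "alice", "copy",   "\\\\fs1\\finance\\q1.xlsx", True),
    ("2024-03-01T09:10:00", "bob",   "delete", "\\\\fs1\\hr\\salaries.csv", True),
    ("2024-03-01T09:20:00", "carol", "grant",  "\\\\fs1\\hr", False),
] + [
    ("2024-03-01T10:%02d:00" % i, "dave", "copy", "\\\\fs1\\clients\\c%03d.pdf" % i, False)
    for i in range(25)
]

# Constructed baseline: the top-level shares each user has historically touched.
# A real platform would learn this from weeks of activity rather than hard-code it.
BASELINE = {"alice": {"finance"}, "bob": {"hr"}, "carol": {"it"}, "dave": {"clients"}}

def share_of(path):
    """Return the share name from a UNC path such as \\\\fs1\\finance\\q1.xlsx."""
    return path.strip("\\").split("\\")[1]

def detect(events, baseline, burst_n=20, window=timedelta(minutes=30)):
    """Return (user, alert_kind, path) tuples for events matching the rules above."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of recent copy/move/modify events
    for ts, user, action, path, sensitive in events:
        t = datetime.fromisoformat(ts)
        # Single-point anomalies: a single event is enough to raise an alert.
        if sensitive and action in ("copy", "delete"):
            alerts.append((user, "sensitive_%s" % action, path))
        if action in ("grant", "modify_acl"):
            alerts.append((user, "permission_change", path))
        if share_of(path) not in baseline.get(user, set()):
            alerts.append((user, "outside_baseline", path))
        # Volume anomaly: many copy/move/modify events by one user inside the window.
        if action in ("copy", "move", "modify"):
            q = recent[user]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()
            if len(q) == burst_n:  # fire once, when the threshold is first crossed
                minutes = int(window.total_seconds() // 60)
                alerts.append((user, "burst_%d_in_%dmin" % (burst_n, minutes), path))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```

Carol’s ACL change fires both the permission-change rule and the baseline rule, because the hr share is outside her normal scope; in practice the two would be correlated into one incident rather than raised as separate alerts.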
How Lepide Helps Detect and Prevent Insider Threats
There are four steps you should take to improve your insider threat detection and prevention. All of these steps can be achieved with Lepide’s award-winning Data Security Platform.
First, you need to know where your sensitive data is. Discovering and classifying sensitive data as it’s created will help you focus your data security efforts on the data that matters most and avoid taking a blanket approach.
Secondly, once you know where this data is, you need to know who has the ability to access it. These are your potential insider threats. These are the people that you need to watch like a hawk. It doesn’t matter if they are a junior admin or the CEO himself, the security team has a responsibility to treat every privileged user as a potential insider threat.
Next, determine what normal user behavior looks like for these employees and set up alerts for when behavior deviates from this norm. This doesn’t necessarily have to be a spike in activity, even a single point anomaly can be a potential data breach.
Lastly, ensure that the environment surrounding your sensitive data is as secure as it can be. Limit the number of open shares (or get rid of open shares completely if you can), clean up stale accounts, and monitor the health of your critical systems to ensure that your environment isn’t putting your data at risk.