What is an Insider Threat?
Insider threats can essentially be defined as security threats that start from within the organization as opposed to somewhere external. This often takes the form of an employee or someone with access to a privileged user account. Insider threats do not necessarily have to be current employees. Anyone with current access, or who once had access, to sensitive information can be considered a potential insider threat.
Insider threats can take many forms, from an organized attack on a company’s trade secrets to completely unintentional data leakage. Usually, an insider threat will simply look like one of your employees doing their job.
The sheer volume of sensitive data that passes through your organization means that you’re likely to have a large potential attack surface for insider threats to originate from. Your employees with privileged access will probably have to access and move that data at some point as part of their role. A lot of the time, this data isn’t shared securely, often with employees relying on cloud services or their unsecured email.
If your organization has a large number of users with privileged levels of access, then it’s just a matter of time before an opportunist steals data for personal gain or a negligent employee shares it unwittingly.
Types of Insider Threats
Here are some of the types of insider threats to watch out for:
- Disgruntled employees: Employees leaving the business, passed over for a raise or promotion, or anyone feeling disgruntled may look to take that out on the organization itself.
- Malicious insider: An employee who looks to actively harm the organization through targeted attacks, for any reason.
- Negligent employee: Someone who ignores security awareness training and best practices, and is likely to be the one who falls for the phishing scam.
- Whistleblowers: Insiders who believe they are doing the right thing by leaking the intellectual property or business secrets of the organization.
Examples of Insider Threats
We have already spoken about the categories that insider threats generally fall into; now let’s look at some examples of specific insider threats that might occur:
1. Pegasus Airline – June 2022: 23 million files containing sensitive, personal data were exposed online after an employee at Pegasus Airline improperly configured a database. A misconfigured security setting is an example of a negligent employee and, whilst not malicious, is nevertheless a costly security incident. The employee exposed valuable information, including flight charts, navigation materials, and information about the flight crew. To make matters even worse, the misconfigured security setting meant that up to 400 files containing plaintext credentials were exposed.
2. NHS – March 2022: Another example of negligent employees, this time falling victim to a prolonged phishing attack. The phishing attack contained a malicious link that masqueraded as a Microsoft 365 login page. A cloud security firm reported that more than 139 NHS email accounts were compromised in the attack, but it’s likely that the true total is much larger.
3. General Electric – July 2022: A classic example of a malicious insider. This employee managed to steal more than 8,000 sensitive files over the course of 8 years, by convincing an IT administrator to grant him access. The information he stole was sold off to a rival company. The insider in question was subsequently arrested and sentenced to 87 months in prison.
4. Georgia-Pacific – February 2022: Last but not least, a disgruntled former employee, made redundant from his system administrator job at a paper manufacturer, managed to cause $1.1 million worth of damages by tampering with security controls. He accessed the security controls through a VPN using credentials that remained valid even after he had left the organization.
How do Insider Threats Happen?
One could argue that most data breaches are, in some way or another, caused by employees, and the vague definition of what constitutes an “insider threat” is one of the reasons why the statistics can vary so much. Statistics aside, there are a number of ways that employees put valuable data at risk. For example, employees often use weak passwords, send sensitive data to the wrong recipients, share login credentials, and fall victim to phishing scams. And it’s not just regular employees who make mistakes. IT security staff members often fail to keep their systems patched and updated, implement the correct access controls, and properly configure the necessary security settings. Data breaches that occur as a result of employee error are typically the consequence of three main factors:
- Unauthorized use of applications: Employees have been known to violate company policies by using their own personal email accounts in the workplace, accessing online banking, making payments online for goods and services, and using unauthorized instant messaging applications.
- Misuse of company devices: While some employees violate security policies to enable them to get their work done, other employees do it for less valid reasons. For example, some employees have been known to override the security settings on their company-issued devices to download music, pay bills, browse social media sites, and even access gambling websites. Additionally, some have been known to share work devices that contain sensitive data with people outside of the company, or connect their device to a public Wi-Fi hotspot, potentially enabling a hacker to steal credentials and access the data the device has access to.
- Unauthorized access to sensitive data: Employees are often granted access to parts of the network that are not necessary for them to carry out their duties. This will inevitably introduce security risks. Should an employee’s account become compromised, for whatever reason, the hacker can do more damage if the account’s privileges are not properly restricted.
5 Insider Threat Myths
There still seems to be a lot of confusion about what an insider threat is, how it is caused, who causes it, and the steps required to minimize the damage it can cause. Below are 5 common myths surrounding insider threats.
Myth #1: Insider Threats are Always Malicious and Harmful
According to the following report, 36% of insider threats are the result of “ignorant or careless user actions”. Should a careless employee accidentally leak sensitive information it could have serious ramifications for the organization.
That said, insider threats are typically far less damaging than, say, an Advanced Persistent Threat (APT) – a malicious form of insider threat. Even threats that are intentional are not always harmful. For example, should an employee forget their login details, they might use another employee’s credentials to log on to the system. Though intentional, it is unlikely to result in a data breach.
Myth #2: Ransomware Prevention Tools are Ineffective
Real-time threat detection tools, such as Lepide Data Security Platform, enable companies to detect, alert, report, and respond to changes made to their critical data. They help to maintain “least privilege” access, identify suspicious file and folder activity and unauthorized mailbox access, manage inactive user accounts, and a lot more. Such tools are unquestionably very useful for detecting insider threats; however, technology alone will not protect your company from insider threats. Companies must also:
- Develop and maintain a formalized Insider Threat Program (ITP)
- Carry out thorough background checks on employees, contractors, and third parties
- Classify their data so that they can allocate resources more effectively
- Encrypt all sensitive data to minimize the impact should a work device get lost or stolen
- Implement an ongoing security training program directed at employees, managers, stakeholders, and anyone else who handles sensitive data
Myth #3: Threat Detection Tools Alone Will Be Enough
Threat detection tools are not designed to prevent security incidents from happening, but instead provide the tools necessary to detect, alert on, and respond to incidents in a fast and efficient manner. For example, it’s very difficult to prevent a naïve employee from downloading an email attachment containing malware.
As it currently stands, most sophisticated strains of ransomware are able to bypass traditional anti-virus/malware tools. Of course, companies can block users from accessing their personal email or social media accounts, and restrict the use of flash/external drives, but the most effective strategy for actually preventing such attacks is to educate staff members about security best practices.
Myth #4: Most Insider Threats are Caused by Privileged Users
While the notion that most insider threats come from privileged user accounts is intuitive, it’s actually not true. This is because there are relatively few privileged users compared to non-privileged users, and most privileged users are typically better informed about security best practices. Most threats originate from either regular employees or third-party contractors.
However, it should be noted that even though privileged users are less likely to compromise the system, the impact of a security incident caused by a privileged user could have far worse ramifications.
Myth #5: Your Security Team Will Be the First to Spot an Insider Threat
According to the following blog post, it is the IT department who are most likely to identify an insider threat, followed by regular employees. The fact is, your security team can only do so much with the resources available to them. Identifying security incidents is everyone’s responsibility.
5 Ways to Protect Data Against Insider Threats
Restrict Access to Systems
You do not want unauthorized individuals accessing your company’s data. Run a review of employee access controls, and revoke privileges for employees who have been given access to data they don’t need. If possible, try to limit system access by physical location, for example granting authorization based on department, floor, or the device being used. Ensure that servers and computers are only accessible to appropriate members of staff, and try to limit remote access capabilities.
Training and Education
Potential vulnerabilities might seem obvious to experienced IT personnel, but many employees will not be aware of common methods employed by cyber criminals, and may not fully understand the threat that misuse and unintentional errors can pose to a company’s assets. Make sure that employees recognize why certain policies are in place, and that they are working on their end to secure their systems and credentials as much as possible. Employees must be strictly warned against opening any suspicious emails, and guidelines should be in place for noting and reporting any potentially malicious activity.
Effective Security Begins at the Recruitment Stage
Your HR department should be running a thorough background check on new employees before they are hired. Amongst other things, an employee’s identity and employment history should be verified, and companies should be aware of any past criminal convictions, or controversies the individual has been involved in. Part of the induction process should include stressing the importance of data security. The new employee should be well aware of the compliance guidelines in place to ensure that they are in line with company policies.
Good Password Management
Make sure that employees are using complex passwords that aren’t duplicated across accounts. Two-factor authentication solutions, which require a second factor before access is granted, will further serve to protect data. Concurrent logins on the same credentials should be prohibited, as this discourages the sharing of passwords and usernames. Passwords should be changed regularly, but make sure nobody is writing theirs down; encourage employees to use mnemonics or other such memory devices to keep track of their passwords. Once employees have left the company, their credentials should be disabled immediately so they are no longer able to access sensitive information.
Monitor and Evaluate
Implementing real-time monitoring solutions, such as Lepide Data Security Platform, into your business will allow you to track changes in the system and log employee activity. Such a system could also alert IT managers of any suspicious spikes in traffic or of unauthorized changes made. Users should also be made aware that their activities are being monitored as this will act as a strong deterrent to any malicious activity, and will encourage policy adherence.
How to Detect Insider Threats
There are four steps you should take to improve your insider threat detection and prevention. All of these steps can be achieved with Lepide’s award-winning Data Security Platform.
- You need to know where your sensitive data is. Discovering and classifying sensitive data as it’s created will help you focus your data security efforts on the data that matters most and avoid taking a blanket approach.
- Once you know where this data is, you need to know who has the ability to access it. These are your potential insider threats, and these are the people you need to watch like a hawk. It doesn’t matter if they are a junior admin or the CEO himself; the security team has a responsibility to treat every privileged user as a potential insider threat.
- Determine what normal user behavior looks like for these employees and set up alerts for when behavior deviates from this norm. This doesn’t necessarily have to be a spike in activity, even a single point anomaly can be a potential data breach.
- Ensure that the environment surrounding your sensitive data is as secure as it can be. Limit the number of open shares (or get rid of open shares completely if you can), clean up stale accounts, and monitor the health of your critical systems to ensure that your environment isn’t putting your data at risk.
The Role of Active Directory and Insider Threats
90% of the world’s enterprise organizations use Active Directory (AD) as their primary method for authentication and authorization, so it makes sense that this would be the first place an attacker would look to compromise. Where else are they going to be able to get their hands on such a myriad of both sensitive company and employee information? If that isn’t enough proof for you that AD is a prime target, Microsoft tells us that 95 million AD accounts are the target of cyber-attacks every day.
As if securing on-premises AD wasn’t complex enough, with the wider adoption of Microsoft 365, the potential attack surface has increased dramatically. Azure Active Directory is used by all Microsoft 365 applications to help authenticate users. To do this, every Office 365 instance requires a separate Azure AD tenant. This piles on yet another complex and threat-prone environment for IT to try and secure. What this means from a security perspective is that any insider threat looking to compromise on-premises AD can have a wide-ranging effect throughout any web-based applications that are leveraging Azure AD.
How Data Security Platforms Help with Insider Threats
Implementing a Data Security Platform that is focused on identity and data security, such as Lepide, can ensure you are focusing on the two most important aspects of insider threats: Active Directory and sensitive data.
Data Security Platforms can help you detect, prevent and respond to insider threats in the following ways:
Discovery and Classification of Sensitive Data
Most Data Security Platforms provide automated data classification tools to help you discover and classify your sensitive data. Such tools will not only make it easier to locate your sensitive data but also set up the necessary access controls to protect it. Recent research we undertook at GITEX in Dubai suggested that over 70% of enterprise organizations have more than 100,000 folders open to every employee. Obviously, having unrestricted access to such large amounts of data is a recipe for disaster.
Enforcing “Least Privilege” Access
Employees should only be granted access to the resources they need to be able to adequately perform their duties. Once access permissions have been set up and assigned, organizations will need to implement a platform that can detect unauthorized changes made to these permissions. Likewise, Data Security Platforms can detect, alert on, report, and respond to any type of suspicious file or folder activity, including unauthorized access to privileged mailbox accounts.
Monitoring and Managing Inactive User Accounts
Inactive user accounts – also referred to as “ghost” accounts – present a major security risk for organizations when they are not managed in a systematic and timely manner. For example, should an employee leave an organization on bad terms, and their account is still active, they may log in to the network in an attempt to copy or delete sensitive data. Most sophisticated platforms can automate the process of managing inactive user accounts.
Monitoring Suspicious Out-Of-Hours Activity
Should you find an employee logging onto your network during times that do not correlate with their typical usage pattern, this may indicate that something suspicious is taking place. A Data Security Platform like Lepide can be set up to monitor typical usage patterns, and fire an alert should this pattern change, for whatever reason.
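The two detection ideas above, a per-user logon-hour baseline that alerts on a single deviating logon (as described under "How to Detect Insider Threats") and a sweep for inactive accounts, are worked through here as an added example; this is not Lepide's code, and the logon records are constructed sample data standing in for exported AD or SIEM audit events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (user, ISO timestamp) standing in for AD/SIEM logon audit events; not real data.
SAMPLE_LOGONS = [
    ("alice", "2024-03-01T08:55:00"),
    ("alice", "2024-03-04T09:10:00"),
    ("alice", "2024-03-05T17:40:00"),
    ("alice", "2024-03-06T08:30:00"),
    ("alice", "2024-03-07T02:15:00"),  # far from alice's usual hours
    ("bob",   "2024-03-01T22:05:00"),
    ("bob",   "2024-03-04T23:30:00"),
    ("bob",   "2024-03-06T21:50:00"),
    ("bob",   "2024-03-08T09:00:00"),  # a daytime logon is abnormal for night-shift bob
    ("carol", "2023-11-20T10:00:00"),  # last seen months ago: stale account
]
CUTOFF = datetime(2024, 3, 7)      # baseline is built from events before this
NOW = datetime(2024, 3, 8, 12, 0)  # "current time" for the idle-account check

def parse_events(records):
    return [(user, datetime.fromisoformat(ts)) for user, ts in records]

def build_baselines(events, cutoff, min_samples=3):
    """Per-user set of logon hours seen before cutoff; too few samples -> no baseline."""
    hours = defaultdict(list)
    for user, ts in events:
        if ts < cutoff:
            hours[user].append(ts.hour)
    return {u: set(h) for u, h in hours.items() if len(h) >= min_samples}

def out_of_hours(events, baselines, cutoff, tolerance=1):
    """Flag logons at/after cutoff whose hour is more than `tolerance` hours (on the
    24h clock) from every baseline hour. One logon suffices: no spike is needed."""
    alerts = []
    for user, ts in events:
        if ts < cutoff or user not in baselines:
            continue
        if not any(min(abs(ts.hour - h), 24 - abs(ts.hour - h)) <= tolerance
                   for h in baselines[user]):
            alerts.append((user, ts.isoformat()))
    return alerts

def stale_accounts(events, now, max_idle_days=90):
    """Accounts whose most recent logon is older than max_idle_days."""
    last_seen = {}
    for user, ts in events:
        last_seen[user] = max(ts, last_seen.get(user, ts))
    idle = timedelta(days=max_idle_days)
    return sorted(u for u, ts in last_seen.items() if now - ts > idle)

def run_checks(records=SAMPLE_LOGONS):
    events = parse_events(records)
    baselines = build_baselines(events, CUTOFF)
    return {"out_of_hours": out_of_hours(events, baselines, CUTOFF),
            "stale": stale_accounts(events, NOW)}
```

Users with too few historical logons (carol here) get no baseline rather than a misleading one, so they are only caught by the stale-account sweep; in practice the training window would be weeks of data, not a handful of events.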
Preventing the Spread of Ransomware
When a company falls victim to a ransomware attack, it is typically the result of a careless employee who either downloaded an email attachment or clicked on a link to a malicious website, which in turn led to the execution of the ransomware application. While Data Security Platforms are unable to prevent them from doing this, they are able to react in real time when the symptoms of an insider threat or ransomware attack are detected. Lepide can generate any number of pre-defined threat models that have been tailored toward detecting and reacting to critical security threats; enabling companies to lock down an insider threat before any real damage is done.