What are insider threats?

What is a security threat caused by insiders? It is true that cyber security threats such as malware attacks, hacking, denial-of-service attacks and ransomware are much more frequent than insider attacks. That is, it is true until you look deeper. While insider threats in cyber security are often associated with malicious users, in truth employees inadvertently cause corporate data breaches and leaks every day. Credentials are lost through phishing, theft or plain carelessness; malware gets into the system when an employee clicks a link in a spam email or unknowingly brings an infected device to work. That is before counting honest mistakes such as sending sensitive files to the wrong address. These are only a few of the ways in which your own employees can inadvertently compromise your data and cost your company a great deal of money. Here is the fact: once you combine the incidents involving malicious and inadvertent insiders, you will see that they dwarf any other computer security threat your company faces. Among 874 incidents reported by companies to the Ponemon Institute for its 2016 Cost of Insider Threats Study, 568 were caused by employee or contractor negligence, 85 by outsiders using stolen credentials, and 191 by malicious employees and criminals. But why lump all those incidents together? Because, malicious or not, the action was taken by an employee or another person with legitimate access, located inside the company network, where security is much more relaxed than at the perimeter. Fortunately, there are specific strategies and tools for dealing with such incidents, but before we talk about those, let's look at how dangerous information security threats caused by insiders really can be, and why.
The danger of insider threats

Here's another fact for you: insider threats are the cause of the biggest security breaches out there, and they are very costly to remediate. According to a 2017 Insider Threat Report, 53 percent of companies estimate remediation costs of $100,000 and more, with 12 percent estimating a cost of more than $1 million. The same report suggests that 74 percent of companies feel that they are vulnerable to insider threats, with seven percent reporting extreme vulnerability. So, why are insider threats so costly to remediate and so hard to deal with? There are several reasons:
- Insider threats can go undetected for years – The longer you take to detect a breach or a leak, the more remediation costs go up. Insider threats can be very tough to detect, which is why they are the most expensive to remediate.
- It is hard to distinguish harmful actions from regular work – This is why insider threats are so hard to detect. When an employee is working with sensitive data, it is almost impossible to know whether they are doing something malicious or not.
- It is easy for employees to cover their actions – While it's hard to detect malicious actions when they happen, it can be almost impossible to detect them after the fact. Any tech-savvy employee will know how to clean up after themselves by editing or deleting logs to conceal malicious actions.
- It is hard to prove guilt – Even if you do manage to detect malicious actions, employees can simply claim that they made a mistake and get away with it. It is almost impossible to prove guilt in such cases.
The cause of insider threats

Okay, insider threats are dangerous. We established that, but what's causing them? Who are those insiders that we should be on the lookout for? While any employee can cause data misuse or a leak by mistake, the three groups that you should give the most attention to are:
- Privileged users – These are usually the most trusted users in a company but they also have the most opportunities to misuse your data, both intentionally and unintentionally.
- Third parties – Remote employees, subcontractors, third-party vendors and partners all usually have access to your system. Since you know nothing about the security of their systems and often even about the very people accessing your data, you should treat them as a security risk.
- Terminated employees – Similar to the case mentioned at the beginning of this article, employees can take data with them when terminated. Even more importantly, sometimes they can access your data even after termination, either via malware or backdoors or by retaining their access because nobody bothered to disable it.
As for the motives behind deliberate misuse, malicious insiders usually act for one of the following reasons:
- Acting on opportunity – An employee sees an opportunity to use data for personal gain or to steal it and sell it, and then decides to act on it. Such actions are rarely preceded by long-term planning and preparation; they usually happen relatively spontaneously.
- Taking revenge for perceived injustice – Disgruntled employees can steal data or, more often than not, simply leak it online or damage it in order to get back to you for a perceived injustice.
- Making a statement – Sometimes, an employee wants to make a political or social statement and leaks data online or damages it in order to do so. A good example of this is Edward Snowden, who leaked his employer’s data in order to protest government surveillance.
- Doing a competitor's bidding – Corporate espionage is a thing, and even honest, trustworthy employees can be approached and offered a deal they would be hard-pressed to refuse (which often involves blackmail and/or bribery).
- Seeing themselves as future competitors – Employees may want to start their own competing business and decide to get ahead by using your data. They may steal or alter your client list or even contact clients and offer their services while still at work.
Fighting insider threats

Here's the deal: fighting insider threats may seem hard and excruciating, but it is actually simpler than you think. All it takes is the right approach and the right solutions. These are the steps every company should take in order to minimize insider threats.

Background checks

The most basic thing you can do is to thoroughly research your employees as you hire them. Background checks don't need to be complicated; a simple Google search of their name, a look at their social network profiles, and a call to their previous employers can get you all the information you need. Sure, background checks are not the be-all and end-all of fighting insider threats, but they will help you filter out the obvious con artists and risky applicants.

Watch employee behavior

It is always important to keep an eye on your own employees. If your employees are unhappy, that is a good sign that they may try something. Try to reach out to them and understand why they aren't happy. If you fix the problem, you may save yourself a lot of trouble and earn their respect and gratitude. Apart from that, look for changes in employee behavior and in their financial situation. If they suddenly pay off their debts, start traveling more, or simply start staying at work late or coming in at odd hours, chances are there is something fishy going on. You should check it out.

Use the principle of least privilege

The fewer privileged employees you have, the easier it is to protect your data. Not only does it mean that fewer employees can conduct malicious actions; it also means that there are fewer accounts to be hacked and fewer people to make mistakes. To limit the number of privileged users, you should use the principle of least privilege if you aren't using it already. This is a cyber security standard that dictates that each new account in the organization be created with the fewest privileges possible. The level of privilege is then escalated only if necessary. This also applies to third parties accessing your data. Make sure that they have the least privilege possible and that their credentials are terminated when their work is complete. A good solution for third parties is to grant them temporary credentials that expire on their own, which eliminates the need to manually manage each and every account.

Control user access

Strong account protection defends against outsider and insider threats alike. There are several rules when it comes to protecting your accounts:
- Your employees should use unique complex passwords that shouldn’t be shared with any other accounts.
- Prohibit credential sharing between employees and limit the use of shared accounts as much as possible. While sometimes shared accounts are necessary (such as a shared admin account), you should use additional authentication methods to distinguish between such users.
- Use two-factor authentication. Seriously, most definitely use it. It protects your accounts by requiring a user to employ a security token or an additional device to complete the login. There are tons of enterprise-level two-factor authentication solutions out there available for free. Plus, they are very easy to set up and get running.
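The least-privilege and temporary-credential rules above, worked through as an added example (mine, not code from the original article or from any product): a hypothetical grant registry in which new accounts hold nothing, third-party grants must carry an expiry, termination revokes everything at check time, and an audit lists grants that should already have been removed. All names, privileges and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Constructed, hypothetical model (not a real product's API) of the policy above: empty
# default, expiring third-party grants, termination revoking everything, audit of stale access.
NOW = datetime(2017, 6, 1, 9, 0)  # fixed clock for the constructed sample
@dataclass(frozen=True)
class Principal:
    name: str
    third_party: bool = False
    terminated_at: Optional[datetime] = None

@dataclass(frozen=True)
class Grant:
    who: Principal
    privilege: str               # e.g. "read:crm", "admin:erp"
    expires: Optional[datetime]  # None = standing access (employees only)

def add_grant(grants: list, g: Grant) -> None:
    """Escalate from the empty default; third parties must be time-bound."""
    if g.who.third_party and g.expires is None:
        raise ValueError(f"{g.who.name}: third party needs an expiry")
    grants.append(g)

def effective(grants: list, who: Principal, now: datetime) -> set:
    """Privileges the account really holds at `now`."""
    if who.terminated_at and now >= who.terminated_at:
        return set()                            # termination revokes everything
    return {g.privilege for g in grants
            if g.who == who and (g.expires is None or now < g.expires)}

def audit(grants: list, now: datetime) -> list:
    """Provisioned grants that policy says should already have been removed."""
    out = []
    for g in grants:
        if g.expires is not None and now >= g.expires:
            out.append((g.who.name, g.privilege, "expired but still provisioned"))
        elif g.who.terminated_at and now >= g.who.terminated_at:
            out.append((g.who.name, g.privilege, "outlives termination"))
    return out

def build_sample(now: datetime = NOW) -> tuple:
    """Constructed sample: an employee, a contractor and an ex-employee."""
    people = {"alice": Principal("alice"),
              "bob-vendor": Principal("bob-vendor", third_party=True),
              "carol": Principal("carol", terminated_at=now - timedelta(days=3))}
    grants: list = []
    add_grant(grants, Grant(people["alice"], "read:crm", None))
    add_grant(grants, Grant(people["bob-vendor"], "read:crm", now + timedelta(hours=8)))
    add_grant(grants, Grant(people["bob-vendor"], "admin:erp", now - timedelta(days=1)))
    add_grant(grants, Grant(people["carol"], "admin:erp", None))
    return people, grants
```

Running `audit(*build_sample()[1:], NOW)` on the sample reports the contractor's lapsed admin grant and the ex-employee's standing grant, the two cases the text says go unnoticed when nobody bothers to disable access.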
Conclusion

As a closing word, it's worth taking the time to reiterate that insider threats are one of the top cyber security threats and a force to be reckoned with. Every company will face an insider-related breach sooner or later, regardless of whether it is caused by a malicious action or an honest mistake. And it's much better to put the necessary security measures in place now than to spend millions of dollars later.