
Top tips on protecting against insider threats from a former ethical hacker

Russell Miller, former ethical hacker and current director in the Identity and Access Management business at CA Technologies, explores how organisations can protect themselves against insider threats.

By Cbr Rolling Blog

Insider threats are real and one of the most fundamentally difficult security challenges of the modern age.
The inside threat comes from three categories:

– Malicious insiders, who deliberately steal information or cause damage;

– Exploited insiders, who may be "tricked" by external parties into providing data or passwords they shouldn’t;

– Careless insiders, who may simply press the wrong key, accidentally delete or modify critical information or lose devices with sensitive information.

With an increased focus on high-profile security breaches in the press, organisations have started to pay more attention to what is happening with those employees and partners (yes, partners) considered on the "inside." As more data is stored online and cyber criminals use increasingly sophisticated tactics, organisations need to focus on security fundamentals, training their employees, profiling behaviour and evaluating risk, and responding to suspicious activities. To better protect itself from an insider breach, an organisation must take a proactive, rather than reactive, approach to insider threats.

1. Apply security fundamentals
Managing identities, access and data helps organisations find the right balance between enablement — and the sharing of sensitive data — and the controls needed to reduce the risk of insider security breaches. Organisations can reduce the risk of all three types of insider threat by enabling accountability, implementing least privilege access, and controlling sensitive data.
While security fundamentals must apply to all users, a good start is to apply the concept of "least privilege" to privileged IT administrator accounts.

Many controls can be applied to secure privileged identities and help restrict even administrators to only the essential capabilities and access they require for their jobs. These include shared account password management, post-login access controls, identity management and governance, and advanced authentication. Together they establish a solid security foundation for not only physical but also cloud environments.


2. Implement effective training programmes
While advanced technology is a crucial step to establishing a good security posture, it forms only a part of an effective security strategy when protecting against insider threats. Regularly training employees will help keep them up to date with new security tools and processes, make sure they are aware of the latest cyber threats, and remind them of security best practices. A good security training programme should start when an employee joins the company as part of their on-boarding process and be reinforced through frequent refresher courses.

The programme also needs to include all staff levels. While managers and directors may be the only ones directly dealing with sensitive information, it is just as important for an intern to understand and recognise social engineering and phishing attacks as it is for a CEO.

Somewhat ironically, IT and security administrators are also a critical audience for security training. While many administrators have a good understanding of security concepts, they are also used to significant – and often excessive – privileges. When new security processes and tools are put into place, it is essential that administrators support the changes instead of finding workarounds.

3. Profile user behaviour and evaluate risk
An attacker’s behaviour is, nearly by definition, abnormal. All significant actions, such as logins and requests for access to sensitive data, should be evaluated. This involves establishing a baseline for each user that captures the time and types of actions he or she typically performs, from where he or she performs them and using which device. With a baseline established, a risk-aware security solution can evaluate every user request and assign it a risk score.

That risk score can be used to determine whether to allow or deny a user action. Whether an external attacker compromises an account or an insider decides to take malicious action, unusual behaviour can be dynamically identified and action can be taken.

Behavioural, contextual and content-aware security exists today, but putting all the pieces together into a single, cohesive solution is truly the next frontier for the security industry.
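The baseline-and-risk-score approach described above, as an added illustration (not code from the article or from CA Technologies). The event history, the attribute weights and the allow / step-up / deny thresholds are all constructed assumptions; a real deployment would tune them per organisation.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample history (not from the article): (user, ISO timestamp,
# action, source network, device). Real input would be authentication and
# access logs.
HISTORY = [
    ("alice", "2024-03-04T09:12:00", "login",     "office-lan", "laptop-a1"),
    ("alice", "2024-03-04T10:40:00", "read_file", "office-lan", "laptop-a1"),
    ("alice", "2024-03-04T14:05:00", "login",     "vpn",        "laptop-a1"),
    ("alice", "2024-03-05T09:30:00", "login",     "office-lan", "laptop-a1"),
    ("alice", "2024-03-05T11:15:00", "read_file", "office-lan", "laptop-a1"),
]

def build_baseline(events):
    """Per-user profile: hours of day, action types, networks and devices seen."""
    baseline = defaultdict(lambda: {"hours": Counter(), "actions": Counter(),
                                    "sources": set(), "devices": set()})
    for user, ts, action, source, device in events:
        b = baseline[user]
        b["hours"][datetime.fromisoformat(ts).hour] += 1
        b["actions"][action] += 1
        b["sources"].add(source)
        b["devices"].add(device)
    return baseline

def risk_score(baseline, event):
    """0-100: add points for each attribute that departs from the user's baseline."""
    user, ts, action, source, device = event
    b = baseline.get(user)          # .get() does not create an empty profile
    if b is None:
        return 100                  # unknown account: nothing to compare against
    score = 0
    if b["hours"][datetime.fromisoformat(ts).hour] == 0:
        score += 30                 # active at an hour never seen for this user
    if b["actions"][action] == 0:
        score += 30                 # action type never performed before
    if source not in b["sources"]:
        score += 20                 # new network location
    if device not in b["devices"]:
        score += 20                 # new device
    return score

def decide(score):
    """Map the risk score to the action the article describes (assumed thresholds)."""
    if score < 20:
        return "allow"
    if score < 60:
        return "step-up-auth"       # challenge rather than block outright
    return "deny-and-alert"         # block the request and page the responders
```

A 03:20 bulk download by a user who has only ever read files in office hours scores 60 and is denied, while the same user logging in from a new device scores 20 and is merely challenged.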

4. Respond immediately to suspicious behaviour
While organisations need to take a more proactive approach to security in order to protect themselves before a breach occurs, how an organisation reacts to an incident that has already happened is just as critical. Although a proactive approach should lessen the risk of insider threats, given enough time, an attack will be successful.

As soon as anything suspicious is noticed, IT administrators need to immediately take action. Whether it means alerting employees to a series of phishing emails targeting the company or blocking an employee’s account that starts making unusual file transfers, quick and responsive approaches will mitigate the damage of a successful attack.

Trust is essential
None of these points can be enforced without trust – a fundamental aspect of any security strategy. Trust is an essential element of operating any type of organisation, although that does not mean it should be freely given. In many enterprises, employees need access to sensitive data and critical systems in order to do their job, and a level of trust has to be associated with that access.

Understanding and managing that trust is the most critical — and difficult — challenge of dealing with insider threats. Adoption of appropriate security controls, monitoring capabilities and security analytics will help enterprises manage trust while significantly reducing their exposure to the risk of insider threats.
