How To Protect Your Business Against Insider Threats - The Essential Guide
Outside hackers are not the only risk to your company's security. In this post, we go over insider threats, and how to prevent them.
Businesses are increasingly waking up to the insider threats that pose a risk to data and business security.
A recent survey of security professionals conducted by Intel and McAfee found that internal individuals were responsible for 43% of all serious data breaches experienced by their businesses. Of these, just over half (22% of the total) were caused by intentional, malicious actors; the rest (21% of the total) were caused unintentionally. 68% of these breaches were serious enough to have a negative financial impact or require damaging public exposure.
Additionally, the 2015 U.S. State of Cybercrime Survey found that 45% of respondents believed the damage they suffered from insider attacks was more severe than the damage from attacks originating outside the organization. A data leak caused by an insider has much the same effect as an outside hack – information ends up where it shouldn’t, and your business is subject to fines and remediation costs – but the result is often worse. The perpetrators already hold legitimate access and know where the valuable data lives and how the controls work, so they can do more damage than an outside attacker who first has to break in. An employee with a personal grudge may also be more motivated.
The other key difference between insider and outside threats comes in how you prepare for and prevent the threat. With almost half of all these threats caused accidentally, training and procedures take on a new importance in protecting your organization. Non-IT roles, such as HR and management, also have a bigger role to play, since the threats are employees and team members within your organization. Sometimes a threat will be averted by an eagle-eyed employee noticing odd behavior, rather than through examining server logs.
What Threats Are You Up Against?
Insider threats cover a broad range of different activities and can come from anyone in your organization. The crimes are not necessarily technologically sophisticated in nature and do not have to come from someone in your IT department: the cleaner who steals a laptop and sells your data can be just as damaging as the disgruntled IT professional who steals data from your servers.
Broadly speaking, malicious attacks will fall into three categories:
- Theft of data – including customer data and intellectual property.
- Acts of sabotage – in which insiders misuse your own IT to hurt your business.
- Fraud – in which your data is modified or stolen for the individual’s own profit, as in the case of credit card fraud.
Unintentional threats are similarly diverse:
- Losing physical records and equipment – including negligent behavior that results in them being stolen.
- Accidental disclosures – in which information is given to the wrong people, either by email, mail, or personal communication.
- Succumbing to social scams (phishing) – when access or information is gained by an outside individual under false pretenses.
Protecting Your Business Against Insider Threats
Most insider threats are preventable with the right training and procedures. This guide provides essential steps that will help prevent insider attacks in your organization.
1. Establish a Cross-Departmental Team Responsible for Implementing Your Insider Threat Security Policy
Protecting your organization from insider threats goes far beyond your IT team, often requiring information and input from HR, Legal, IT, Data Owners, Security, and Senior Management.
Organizations face two main challenges in this area. The first is the incorrect assumption that the IT team has sole responsibility for data security, when a cross-departmental effort is far more effective. The second is that many departments hold information that could be useful for detecting and preventing insider attacks, but that information is stuck in silos and not shared.
The solution is to form a team representing several departments who together share information and take responsibility for updating and implementing your insider threat security policy.
The benefits of such a team are clear. Consider the following example: an employee’s behavior is brought to the attention of HR, who discover that the employee is under extreme financial hardship and stress following a spouse’s recent job loss. The employee is in a position that provides access to credit card information that could be sold or used fraudulently, so the consequences of an attack would be very high. In response, the insider threat team examines the employee’s current and past activity to ensure that there is no evidence of wrongdoing.
Without a team sharing information, this risk may not have been uncovered. Of course, proper procedures must be put in place by HR and legal to ensure that confidentiality and privacy are assured – many potential risks will not develop into true threats.
- Break down silos by creating a cross-departmental team responsible for responding to insider threats.
- Your team should ensure compliance with your security policies at all times and in all areas of the business.
- Provide a confidential system that allows whistleblowers to raise concerns.
- Work with HR and legal to protect the privacy and rights of any individuals suspected of being an insider threat.
- Prepare for future data leaks and put that plan into action should a threat materialize.
- Coordinate security training across the organization.
2. Work With HR to Reduce Risk Through Effective Training and Recruitment
Insider threats are unique in that they are (intentionally or not) created by your co-workers. This makes your HR department a very important part of protecting your organization, as they are the team most likely to be informed if someone starts acting out of character or is experiencing personal circumstances that might make them a higher risk to your organization. This unique role played by HR can protect your business through the employee’s complete lifecycle at your business – during the hiring process, through their career, and during the leaving process.
HR’s role begins during the hiring process, when background checks should be used to verify a candidate’s identity and past employment (including any time spent at competitors, which could increase the risk of corporate espionage), check their credit (money problems could increase the risk of fraudulent behavior), and check for criminal convictions.
Once an employee has been hired, HR provides two main functions relating to data security. The first is to ensure, in conjunction with management and IT, that employees follow the security policy and are strongly encouraged to improve if they fall short. It is important that small breaches and bad habits are not overlooked since this will only encourage employees to continue to flout policy.
The second function is to report on behavior that indicates an increased risk of becoming an insider threat. This behavior may be linked to an employee’s personal circumstances, their attitude towards work, or how they interact with their colleagues.
Finally, HR has an important role to play in coordinating the transition of staff members from employment to post-employment and ensuring their access to secure data is removed. Depending on the circumstances of the employee leaving and the data they have access to, their permissions may need to be removed before the event occurs, to prevent any chance of an act of retribution. It is not uncommon for employees to be escorted by security to ensure the safety of the business.
- Use the unique skills and knowledge of HR to spot and prevent insider threats.
- Use background checks and the interview process to check for possible signs a person may be a risky hire.
- Check local law before conducting background checks – you may be legally obligated to inform the interviewee that you are doing so.
- HR professionals must ensure that security policies are followed and bad habits are discouraged.
- Coordinate with IT to ensure former employees do not retain access and do not pose a risk.
3. Don’t Forget Physical Security
With so much emphasis put on protecting businesses against hacking, it can be easy to forget that physical security is just as important to your information security as your firewalls and passwords. The information held on your servers, laptops, tablets, smartphones, and USB drives is far easier to extract with physical access, and physical documents are particularly vulnerable.
Physical security is made harder by the fact that most facilities are designed with functionality in mind, with security rarely being a design priority. Just because someone is employed doesn’t mean they should have physical access to every asset the company owns. Smart cards can provide access security, although as these can be hacked or cloned, they should not be your sole defense. CCTV and a well-trained staff team who know to look out for suspicious behavior will go a long way to preventing physical threats.
- Ensure only appropriate employees have physical access to servers and computers holding valuable data.
- Use CCTV to protect sensitive areas.
- Provide employees with lockable filing cabinets for storing data and IP.
- Discourage employees from taking home unsecured USBs or documents that could be lost or stolen.
4. Consider Threats Across Your Entire Supply Chain
An insider can be anyone who has access to your network or data and isn’t limited to your employees. Businesses are increasingly using contractors and forming close partnerships with other companies, opening whole new avenues for an insider attack. These and other business associates are a growing risk, especially because most will need some level of network access to perform their role adequately.
Businesses must find a balance between quick onboarding and an appropriate level of security to reduce risk. Just as vitally, businesses must maintain a solid offboarding process, removing access to data once it is no longer needed. Many recent insider threats have been caused by former employees or contractors whose access privileges have not been revoked months or even years after they left.
Security should also be a factor when choosing businesses to partner with. How safe are their systems? What safeguards do they have in place? Your security may be tight, but infiltrating a business you partner with may give a malicious individual the opportunity to damage your organization or steal your data.
- Perform background checks and security checks on contractors, consultants, and business partners as you would on your own employees.
- Put processes in place to ensure secure onboarding and offboarding.
- Non-disclosure and confidentiality agreements will help you start the legal process in the event of a problem and discourage malicious individuals.
- During a merger, perform checks on acquired employees as if they were in your hiring process.
5. Catalog and Risk Assess Your Most Critical Assets
With so many potential threats, securing your organization against insiders can seem like an impossible task, particularly for smaller businesses with fewer resources. Cataloging and risk assessing your critical assets is an essential task for any business and can help smaller ones focus on the biggest risks to their organization.
Your most critical assets are those that if stolen or destroyed would have the biggest negative impact on your business’s ability to carry out essential functions. For most typical businesses, this is customer data or intellectual property such as proprietary software or processes.
- Catalog your critical assets and the people who have access to them.
- Assign a risk level to each one according to how critical it is.
- Assign resources as appropriate to provide the business with the best possible protection (prioritizing if insufficient resources).
- Perform ongoing monitoring of your assets, adjusting risk level as necessary.
- Use your risk assessment to guide future spending on security.
6. Provide Regular Training For Employees
Often when we discuss insider threats, it can make it sound like every employee is a potential threat. While that is theoretically true, the clear majority of employees want your business to succeed and would not dream of hurting the business – although they still might do so accidentally.
Providing high-quality insider threat security training for your employees is one of the best ways to reduce your risk and help employees protect the business they work for. Not only will accidental threats – which make up almost half of all insider threats – be reduced, but you’ll also have your regular employees trained to watch for signs of malicious insiders. Anyone in your organization considering an inside attack may also think twice when they see how serious your business is about protecting its assets.
Although it is unlikely that an employee will witness an insider attack first-hand, they may spot behavior that indicates an increased risk – an employee intentionally flouting security procedures, bragging about the data they could steal, or inappropriately using business resources to their own end.
- Start training employees to spot insider attacks (including accidental ones).
- Educate employees about the financial and legal risks that insider threats pose.
- If resources are slim, prioritize teams with access to your critical assets, such as Finance.
- Create a security culture by beginning training during the onboarding process.
- Establish procedures for anonymous whistle-blowing.
7. Enforce Privileged Account Best Practice
A large proportion of hacks stem from a malicious individual gaining access to a genuinely privileged account, which gives them access to some of your most sensitive information. In the case of an insider attack, that individual either already has their own account and chooses to misuse it, or gains access to a co-worker’s account. When an outsider accesses one of these privileged accounts the attack essentially becomes an inside attack – they are using your own tools and systems to fulfill their own objectives.
The solution to both these cases is the diligent management of your privileged accounts. It is not uncommon for a business to have far more privileged accounts than necessary, many of them serving no purpose. Executives and other senior personnel are often given privileged accounts despite never needing them in their daily job. When asked, many businesses are unable even to identify all their privileged accounts.
Privilege creep is another serious issue: when a long-term employee picks up more and more privileges as they move around the organization, without losing those that are no longer relevant. Should these employees become malicious, the damage they can do is significant because of their broad access to your systems.
Unless these accounts are identified, controlled, and tracked they could be used at any time to access, steal, or destroy your business’s most critical data.
- Use privileged access management (PAM) software to inventory and track all your privileged accounts.
- Regularly audit accounts and remove privileges when no longer needed.
- Give new users the least privileges necessary to perform their role.
- Monitor privileged accounts for unusual behavior.
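The audit described in this section (compare what each account can actually do against what its role requires, and catch leavers whose access was never revoked) can be scripted against a directory export and the HR roster. The following is an added example, not code from the original article or any particular PAM product; the role baseline, the group names, the directory export and the HR roster are all constructed for illustration, as is the 90-day staleness threshold.

```python
"""Access review: privilege creep, stale privileged accounts, unrevoked leavers.

Added example, not code from the original article. The role baseline, the
directory export and the HR roster below are all constructed for illustration.
"""
from datetime import date

# Assumed least-privilege baseline: the groups each role legitimately needs.
ROLE_BASELINE = {
    "developer": {"vpn-users", "git-write", "ci-read"},
    "finance": {"vpn-users", "erp-finance", "cardholder-data"},
    "executive": {"vpn-users", "email-archive"},
}

# Groups that count as privileged regardless of role (assumed names).
PRIVILEGED_GROUPS = {"domain-admins", "cardholder-data", "erp-finance", "prod-root"}

# Constructed directory export: account -> current group memberships.
DIRECTORY = {
    "alice": {"vpn-users", "git-write", "ci-read", "domain-admins"},  # kept admin from an old role
    "bob": {"vpn-users", "erp-finance", "cardholder-data"},
    "carol": {"vpn-users", "email-archive", "prod-root"},  # executive with root on prod
    "dave": {"vpn-users", "git-write"},  # left the company, never disabled
    "svc-backup": {"prod-root"},  # no HR record at all
}

# Constructed HR roster: role, employment status, last interactive login.
ROSTER = {
    "alice": {"role": "developer", "status": "active", "last_login": date(2023, 5, 30)},
    "bob": {"role": "finance", "status": "active", "last_login": date(2023, 6, 1)},
    "carol": {"role": "executive", "status": "active", "last_login": date(2023, 2, 1)},
    "dave": {"role": "developer", "status": "terminated", "last_login": date(2023, 1, 15)},
}


def review_access(directory, roster, today, stale_days=90):
    """Compare every account against the role baseline and the HR roster.

    Returns a list of findings, each a dict with the account, a finding type
    and the groups involved, in the order the accounts appear in the export.
    """
    findings = []
    for user, groups in directory.items():
        record = roster.get(user)
        if record is None:
            # An account HR does not know about: nobody owns it, so nobody reviews it.
            findings.append({"user": user, "type": "orphan", "groups": sorted(groups)})
            continue
        if record["status"] != "active":
            # Offboarding failed: revoke everything, not just the privileged groups.
            findings.append({"user": user, "type": "offboarded", "groups": sorted(groups)})
            continue
        excess = groups - ROLE_BASELINE.get(record["role"], set())
        if excess:
            # Privilege creep: memberships the current role does not justify.
            kind = "privileged-creep" if excess & PRIVILEGED_GROUPS else "creep"
            findings.append({"user": user, "type": kind, "groups": sorted(excess)})
        idle_days = (today - record["last_login"]).days
        held_priv = groups & PRIVILEGED_GROUPS
        if held_priv and idle_days > stale_days:
            # A privileged account nobody uses is pure attack surface.
            findings.append({"user": user, "type": "stale-privileged",
                             "groups": sorted(held_priv), "idle_days": idle_days})
    return findings


def run_review(today=date(2023, 6, 5)):
    """Run the review over the constructed data for a fixed 'today'."""
    return review_access(DIRECTORY, ROSTER, today)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['user']:<11} {f['type']:<18} {', '.join(f['groups'])}")
```

Run on the constructed data, the review flags alice and carol for privileged creep, carol again for a privileged account idle for 124 days, dave as a terminated employee still holding access, and svc-backup as an account with no owner; bob, whose memberships match the finance baseline, produces nothing. Each finding type maps to a different action: creep goes back to the manager for re-approval, stale privileged accounts are disabled pending a reason to exist, offboarded and orphan accounts are disabled immediately.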
8. Monitor and Compare Behavior Against “Normal”
A malicious insider abuses everyday workplace privileges in ways that would never arise in the course of ordinary work. By tracking behavior, particularly of user accounts, and establishing a “normal” pattern for each, system administrators can spot and investigate the unusual.
With the right software, this isn’t hard. You can track how each device and user interacts with others, establish a pattern, and then spot anomalies. During a normal period of work a workstation will interact with only a few other devices – domain controller, print server, email server, etc. – and users will be using a select few devices, from specific locations, at quite regular times.
But logging this information is not enough: you need to act on it in near real time. By the time you have analyzed the data after the fact, the individual concerned could have caused significant damage. Tooling that evaluates predefined rules against each access request, increasingly supplemented by machine learning, can automatically block or limit a user’s access according to the circumstances.
For example, a contractor may be automatically blocked from accessing all but the most basic services when connecting from outside the office, or at a time outside their normal working hours. This granular access management is one of the most effective ways to balance security and usability.
- Use granular access management to govern access to your system.
- Fine-tune access according to individual roles, locations, and more so that unusual behavior is flagged and blocked.
- Track behavior for evidence in legal and disciplinary proceedings.
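To make the baseline-then-deviate idea concrete: the script below builds a per-user baseline (source addresses, target services, working-hour window) from a history of successful logins, scores each new event against it, and applies the contractor rule from the text (outside the office or outside normal hours, only basic services are allowed). This is an added example, not code from the original article or from any product it alludes to; the log line format, the user names, the addresses, the office network range and the list of “basic” services are all constructed assumptions, and a real deployment would train the baseline on weeks of history rather than six lines.

```python
"""Baseline-and-deviation check over authentication events.

Added example, not part of the original article. The log format, users,
addresses, office subnet and contractor policy below are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format: "<iso timestamp>Z user=<u> src=<ip> target=<service> result=<r>"
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+) result=(?P<result>\S+)$"
)

OFFICE_NET = ipaddress.ip_network("10.0.0.0/16")  # assumed office address space
BASIC_TARGETS = {"mail", "wiki"}  # services a contractor may reach from anywhere, any time
CONTRACTOR_PREFIX = "ctr-"  # assumed naming convention for contractor accounts

# Constructed history used to build the baseline.
HISTORY = """\
2023-05-01T08:55:02Z user=alice src=10.0.1.15 target=git result=success
2023-05-01T09:10:44Z user=alice src=10.0.1.15 target=mail result=success
2023-05-02T08:48:19Z user=alice src=10.0.1.15 target=git result=success
2023-05-02T17:32:01Z user=alice src=10.0.1.15 target=wiki result=success
2023-05-01T09:05:12Z user=ctr-bob src=10.0.2.40 target=wiki result=success
2023-05-02T10:15:30Z user=ctr-bob src=10.0.2.40 target=erp result=success
"""

# Constructed new events to score against the baseline.
NEW_EVENTS = """\
2023-05-03T09:01:00Z user=alice src=10.0.1.15 target=git result=success
2023-05-03T02:14:07Z user=alice src=10.0.1.15 target=git result=success
2023-05-03T11:20:00Z user=alice src=203.0.113.9 target=fileshare result=success
2023-05-03T22:05:13Z user=ctr-bob src=198.51.100.7 target=erp result=success
2023-05-03T22:06:13Z user=ctr-bob src=198.51.100.7 target=mail result=success
"""


def parse(text):
    """Yield parsed events; lines that do not match the assumed format are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield e


def build_baseline(events):
    """Per user: sources seen, targets seen, and hours of day at which logins succeeded."""
    base = defaultdict(lambda: {"srcs": set(), "targets": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts do not define what 'normal' looks like
        b = base[e["user"]]
        b["srcs"].add(e["src"])
        b["targets"].add(e["target"])
        b["hours"].add(e["ts"].hour)
    return base


def deviations(e, baseline):
    """List how an event departs from the user's baseline (empty list = looks normal)."""
    b = baseline.get(e["user"])
    if b is None:
        return ["unknown-user"]
    out = []
    if e["src"] not in b["srcs"]:
        out.append("new-source")
    if e["target"] not in b["targets"]:
        out.append("new-target")
    lo, hi = min(b["hours"]), max(b["hours"])  # observed working window, one hour of slack each side
    if not (lo - 1 <= e["ts"].hour <= hi + 1):
        out.append("off-hours")
    return out


def decide(e, baseline):
    """Return (decision, deviations): 'allow', 'step-up' (extra verification) or 'block'."""
    devs = deviations(e, baseline)
    is_contractor = e["user"].startswith(CONTRACTOR_PREFIX)
    outside_office = ipaddress.ip_address(e["src"]) not in OFFICE_NET
    if is_contractor and (outside_office or "off-hours" in devs) and e["target"] not in BASIC_TARGETS:
        return "block", devs  # the contractor rule from the text: basic services only
    if devs:
        return "step-up", devs  # unusual but not forbidden: verify before granting
    return "allow", devs


def run(history_text, new_text):
    """Build the baseline from history and score every new event."""
    baseline = build_baseline(parse(history_text))
    results = []
    for e in parse(new_text):
        decision, devs = decide(e, baseline)
        results.append((e["user"], e["target"], decision, devs))
    return results


if __name__ == "__main__":
    for user, target, decision, devs in run(HISTORY, NEW_EVENTS):
        print(f"{user:<8} {target:<10} {decision:<8} {','.join(devs)}")
```

On the constructed events, alice’s morning git login is allowed; her 02:14 login is stepped up for being off-hours; her login from an outside address to a service she has never used is stepped up for a new source and new target; ctr-bob is blocked from the ERP system at 22:05 from outside the office, but his mail access a minute later is only stepped up because mail is on the basic list. Two design points matter in practice: the baseline is built from successful logins only, so an attacker cannot widen someone’s “normal” by failing repeatedly, and the scoring returns the reasons alongside the decision so the same record can be kept as evidence for the legal and disciplinary proceedings mentioned above.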
Published at DZone with permission of Anirban Banerjee.