#NITAM: Mitigating Non-Malicious Insider Risk

‘Your people are your most important asset’ is a well-worn phrase in the world of business. However, in the wrong environment, employees can also present a substantial cyber-threat to organizations, and evidence suggests this problem has grown significantly since the start of COVID-19.

For example, recent data from Tessian has found there was a 47% rise in the frequency of incidents involving insider threats between 2018 and 2020. These incidents range from malicious data exfiltration to accidental data loss. This trend may be explained by factors such as the shift to remote working, leaving staff less supervised and vulnerable and rising job losses in the crisis, potentially creating feelings of resentment and anger among those affected.

This is why this year’s Insider Threat Awareness Month carries an extra sense of importance. The annual campaign aims to grow awareness and promote reporting to help mitigate insider threats, with this year’s theme focusing on ‘Insider Threat and Cultural Awareness.’ This theme emphasizes that insider threats are often not malicious, with one study by Proofpoint finding that negligent insiders account for 62% of all such incidents.

Terry Storrar, managing director at Leaseweb UK, explained: “The majority of insider security threats are not malicious. Without the right measures in place to protect confidential information, it can be easy for an employee to make a mistake and unintentionally leak sensitive data. This has the potential to cause significant, possibly irreversible, damage.

“Safeguarding data from insider threats has become more complex and more pressing in the last 18 months. Companies faced unprecedented challenges in the early weeks of the first lockdown, with many scrambling to put in place quick-fix home working capabilities and leaving cracks in their security infrastructure. While external threats gain the limelight, it is no less important to secure against insider threats especially with employees no longer behind office walls.”

Amid this landscape, what should organizations implement to mitigate the risk of negligent insider threats?

Phishing Training

Susceptibility to phishing emails is one of the main non-malicious insider threats that organizations face. The number of phishing messages received by employees has surged since the COVID-19 pandemic, with cyber-criminals realizing that remote staff are more likely to click on malicious links as a result of being isolated and potentially more stressed. Therefore, educating staff on spotting phishing emails and encouraging a culture of reporting is more critical than ever.

Gary Cheetham, CISO at Content Guru, said: “New employees are by far the most susceptible to falling for phishing attempts, so attending mandatory training sessions early on is a good way of mitigating risk. We encourage our team to question anything that seems at all suspicious and to go with their gut instinct or ask for advice where needed.”

He added: “For me, the key takeaway for Insider Threat Awareness Month is that regular training on cybersecurity and cyber hygiene is the best way to cultivate a highly secure workforce."

"For me, the key takeaway for Insider Threat Awareness Month is that regular training on cybersecurity and cyber hygiene is the best way to cultivate a highly secure workforce"

Building Zero Trust Architecture

The concept of zero trust is seen as increasingly crucial to all aspects of cybersecurity, and insider threats is no exception. In particular, organizations should limit staff access to their IT systems as much as possible, thereby reducing the chances of sensitive data being leaked accidentally. Michael Carr, head of strategic development at Six Degrees, outlined: “Using role-based access based on principles of least privilege prevents accidental damage and minimizes malicious risk by only giving users access to what they need.”

This process needs to be continuously adapted to account for new starters, changes of roles and leavers across the organization. Kevin Dunne, president at Pathlock, said: “Centralize and automate provisioning and de-provisioning across all resources in the organization, triggered by role and status changes in the organization.”

New technological advances allow this process to be completed automatically, according to Neil Jones, cybersecurity evangelist at Egnyte. “A good first step to prevent ‘data leakage’ is to utilize a data governance platform that leverages machine learning, so that sensitive information is available to the correct organizational users, based on their business ‘need to know,’” he said.

Blocking Risky Data Usage

While access management policies and technologies will prevent many insider data leaks from occurring, there will still be occasions when sensitive data is accessed by unauthorized staff. Organizations must establish plans for such an eventuality. Howard Ting, CEO at Cyberhaven, stated: “A user may be allowed to access sensitive data, but controls need to be in place to ensure it isn’t misused after it has been accessed. For example, an administrator may need to be able to access a customer’s design files to troubleshoot a problem. However, security controls need to remember that those files are sensitive based on the fact that they came from a customer’s data set. Controls should be in place to ensure that data isn’t further spread or shared using any unapproved or risky applications or features.”

Monitoring tools are vital in underpinning such a strategy, allowing IT teams to quickly act when files are accessed by unauthorized personnel. Dunne believes this requires a change in traditional security philosophy to “enable complete visibility into activity and shift emphasis from network-based protection to monitoring within applications themselves.”

Raffael Marty, SVP cybersecurity products at ConnectWise, added: “Visibility is about having line of sight to potential adverse actions. It starts with monitoring devices, but expands to understanding what employees are doing and making sure they are trained on cybersecurity issues like phishing, which is still one of the main initial vectors of attacks.”

Securing the Cloud 

More generally, organizations should be aware of the risks of placing sensitive data in the cloud following surging cloud adoption during the COVID-19 pandemic. Ting explained: “When data’s moved to the cloud, the SaaS or cloud vendor’s internal staff will often have access to customers’ data, creating a larger opportunity for data to be improperly accessed, exposed or otherwise abused. As businesses adopt more cloud-based services, their insider risk can grow exponentially.”

As the crisis continues to abate, organizations must re-evaluate the security posture of new solutions they have rapidly put in place. Anurag Kahol, CTO at Bitglass, advised: “This is where secure access services edge (EDGE) comes into its own. SASE is a comprehensive cloud security platform that delivers on this new way of working. It integrates cloud access security broker (CASB), zero trust network access (ZTNA) and secure web gateway (SWG) technologies into a flexible platform designed to defend data wherever it goes.”

As we approach the end of this year’s Insider Threat Awareness Month, organizations should carefully analyze and recognize it goes far beyond disgruntled employees looking to harm their business. A mix of prevention, through awareness training and privilege access policies, and detection and response will help stop inevitable employee errors leading to damaging data leaks.

What’s Hot on Infosecurity Magazine?