#HowTo Combat the Insider Threat

Insider threats pose a huge risk to business security, whether they come from employees, both present and past, or from freelancers and contractors. These users have an elevated level of access to privileged accounts and are armed with information capable of crippling a business.
 
The potential damage a business can suffer from malicious insiders became a harsh reality for Tesla CEO Elon Musk last year, when a disgruntled employee carried out "extensive and damaging sabotage" of the company's operations by exporting large amounts of highly sensitive data to unknown third parties.

However, when we think of insider threats, we often imagine disgruntled employees seeking revenge on their former employers’ business, as in the Tesla incident. In reality, the vast majority of these threats are caused by honest mistakes, such as clicking on malicious links or opening phishing emails.

Either way, insider threats can be very difficult to detect, and pose a threat that businesses struggle to address. In fact, in our Privileged Access Threat Report from this year, we revealed that two-thirds of IT professionals believe their organization has likely had either a direct or indirect breach due to employee access in the last 12 months, with 58% treating the threat of misused or abused insider access as critical. 

So how can organizations ensure they’re effectively protecting themselves to address this risk? Here are my top tips on combating the insider threat.

Control or eradicate email attachments and links - Emails are the primary attack vectors in use today, and while a message in itself may not be dangerous, links and attachments are. Today’s security product vendors are offering real-time malware assessment of links and attachments and will quarantine a suspicious attachment and prevent connecting to a dangerous link.

Properly manage and control access to data and critical systems - Role-based permission, removal of administrator access, and the principle of least privilege are your friends. Work with your HR team and line of business managers to understand user roles and the types of application and data access they need to do their jobs. Then, assign only that access level and no more. Take advantage of Identity Governance and PAM solutions to effectively manage role-based permissions for onboarding, role changes and offboarding and removing access when employees leave the business.

Know where your data is - An important counterpart to my second tip is knowing where mission-critical and sensitive data resides in the system so that you can lock it down with appropriate permissions. If you don’t know where it is, how can you protect it with the right level of access?

Monitor employee behavior and look for anomalies - This can be done at many levels, including with activity monitoring software. It’s not intrusive to look for excessive data dumps or repeated attempts to access files or directories that are not permitted; it’s good business.

It also makes sense to educate employees to be on the lookout for behavioral changes in their colleagues, for example: What are the signs of financial or emotional distress that could lead to an attack on company systems?

Organizations need to look for simple indicators of compromise such as a large volume of data being copied or modified or even additional accounts being created without following a documented process.
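The three indicators named in the two monitoring tips above (repeated attempts to reach files or directories that are not permitted, a large volume of data being copied or exported, and accounts being created without a documented process) can be checked with a small scan over audit logs. The following is an added example written for this article, not code from the author or from any product mentioned; the pipe-delimited log format, field names, sample events, thresholds and the `CHG-` change-ticket convention are all assumptions constructed for illustration.

```python
"""Scan constructed audit-log lines for three insider-threat indicators:
repeated denied file/directory access, unusually large copy/export volume,
and account creation with no change-ticket reference.

Added example, not code from the article. The log format, field names,
thresholds and ticket-reference convention are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed pipe-delimited audit format (constructed sample data):
# timestamp|user|action|target|bytes|outcome|ticket
SAMPLE_LOG = """\
2019-05-02T09:01:10|alice|read|/finance/q1.xlsx|20480|allowed|
2019-05-02T09:02:31|alice|read|/hr/salaries.xlsx|0|denied|
2019-05-02T09:02:40|alice|read|/hr/salaries.xlsx|0|denied|
2019-05-02T09:02:52|alice|read|/hr/bonus.xlsx|0|denied|
2019-05-02T09:03:05|alice|list|/hr/|0|denied|
2019-05-02T09:03:20|alice|read|/hr/reviews/|0|denied|
2019-05-02T10:15:00|bob|copy|/eng/designs/|734003200|allowed|
2019-05-02T10:40:00|bob|export|/eng/firmware/|1288490188|allowed|
2019-05-02T11:00:00|carol|create_account|svc-backup2|0|allowed|CHG-2041
2019-05-02T11:05:00|dave|create_account|admin-tmp|0|allowed|
2019-05-02T12:00:00|erin|read|/hr/policy.pdf|10240|denied|
"""

DENIED_THRESHOLD = 5              # denied attempts per user inside the window (assumed)
DENIED_WINDOW = timedelta(minutes=10)
VOLUME_THRESHOLD = 1_000_000_000  # bytes copied/exported per user (~1 GB, assumed)
TICKET_PREFIX = "CHG-"            # assumed change-ticket naming convention


def parse_log(text):
    """Turn raw log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target, nbytes, outcome, ticket = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "action": action, "target": target,
            "bytes": int(nbytes), "outcome": outcome, "ticket": ticket,
        })
    return events


def repeated_denials(events, threshold=DENIED_THRESHOLD, window=DENIED_WINDOW):
    """Users with at least `threshold` denied accesses inside a sliding window.

    Returns {user: count} for the first window that crosses the threshold.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["outcome"] == "denied":
            per_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def large_data_movement(events, threshold=VOLUME_THRESHOLD):
    """Users whose successful copy/export volume exceeds the byte threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] in ("copy", "export") and e["outcome"] == "allowed":
            totals[e["user"]] += e["bytes"]
    return {u: b for u, b in totals.items() if b > threshold}


def undocumented_account_creation(events, prefix=TICKET_PREFIX):
    """(creator, new account) pairs with no change-ticket reference attached."""
    return [(e["user"], e["target"]) for e in events
            if e["action"] == "create_account" and not e["ticket"].startswith(prefix)]


def scan(text):
    """Run all three checks over a raw log and return the hits by indicator."""
    events = parse_log(text)
    return {
        "repeated_denials": repeated_denials(events),
        "large_data_movement": large_data_movement(events),
        "undocumented_account_creation": undocumented_account_creation(events),
    }


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

On the sample data the scan flags alice for five denied accesses to HR paths within a minute, bob for roughly 2 GB copied and exported from engineering shares, and the `admin-tmp` account dave created without a `CHG-` ticket, while carol's ticketed service account and erin's single denied read are left alone. The thresholds are the tuning knobs: set them from a baseline of normal activity for each role rather than from guesswork, so that the alerts point at anomalies instead of everyday work.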

Raise security awareness - Finally, there is the need for ongoing security awareness training that is an integral part of company culture and not an afterthought or a “checklist” item. A company that partners with employees to ensure security awareness will do better than one that forces compliance or just performs training to check a box.

However, the challenge of mitigating insider threats is that most organizations don’t have fully integrated privileged access management (PAM) tools.

I’ll leave you with this important point. While evaluating attack vectors, researching competitors and gauging the threat from organized crime or foreign adversaries, it’s easy to conclude that external attacks should be the primary focus of defense. This conclusion can often be wrong. The critical element is not the source of a threat, but its potential for damage.

By evaluating threats from this perspective, it becomes obvious that although most attacks might come from outside the organization, the most serious damage is done with help from the inside.
