Insider threats are one of the trickiest threats to detect and fight effectively, and are a top concern for businesses of all types, particularly those that house sensitive customer data.
Unlike hackers, insider threats don’t have to write complicated malware to breach your network because they already have legitimate login credentials.
Jayson O’Reilly, director of sales and innovation at DRS, says there are three types of insider threats: careless insiders, malicious insiders and compromised insiders.
“Careless insiders do not deliberately give sensitive company information away, but expose the business through sheer negligence, by losing devices with work information on them, e-mailing information to the wrong person, and ignoring company security policies. They may mean no harm, but they can expose the organisation to breaches and other incidents.”
Malicious insiders are a different story. “Their intention is to deliberately steal data, disrupt the business, cause damage to company systems or reputation, and sometimes to even profit off their actions. These may be disgruntled employees, or they may have some sort of political agenda. Either way, their actions cause major damage.”
Finally, O’Reilly says, a compromised insider is an employee who has had network access login details stolen by outside threat actors, who then use their credentials to steal information. “These are the guys who have unwittingly fallen victim to clever social engineering techniques or phishing.”
Once their details have been compromised, he says attackers can use their logins to gain legitimate access to the network, and will appear for all intents and purposes to be regular users going about their business. “They are particularly dangerous, as security measures can do nothing to prevent them, because their access is legitimate.”
He says the best way to mitigate the insider threat is to strengthen the human weakness, because user attitude can make or break a company’s efforts to protect valuable data.
“Education is the first step in combatting careless or naive behaviour among staff. Once employees understand that their behaviour can expose the company to risk, and pose a massive threat to the business, they should in turn be more cognisant of their actions. Addressing user behaviour through cybersecurity initiatives and information security awareness programmes has proven effective for many businesses. It’s a good start,” adds O’Reilly.
The next thing to do is to apply role-based access. “Employees come and go. They get promoted, leave the business, and new ones join all the time. As this happens, roles and responsibilities change too. It is an onerous task to keep provisioning and then de-provisioning access, which is why some organisations get sloppy and go the all-access route.”
This is a bad idea, as not all employees need access to all folders. “Ensure that roles and responsibilities are clearly defined, which will make the provisioning / de-provisioning process a lot easier, and will help limit access to sensitive data. Also, enforce the principle of least privilege, so that no staff member has access to sensitive information that they don’t need to do their jobs.”
Finally, have a network monitoring tool in place that will continuously scrutinise the network for any signs of anomalous behaviours. “These tools turn your network into a security sensor, by getting data from routers, switches, and firewalls, building a baseline of normal network activity, so that should a host behave in an unusual way, it sets off an alarm. This can help pinpoint activity that is usually a sign of an insider threat – such as an individual who suddenly accesses and collects a lot of data from a sensitive server – that they don’t need.”
It also helps show when credentials have been compromised, because an 8-to-5 user will suddenly become active at the strangest hours, or start transferring information to strange countries abroad. “These tools help root out these individuals, giving the security team the opportunity to act, and stop sensitive data from leaving the business,” O’Reilly concludes.