Are all insiders malicious? What are the most common mistakes when dealing with the insider? Answering those questions and more, Digital Guardian’s Thomas Fischer tackles the insider threat in CBR’s Tech Express.
EB: What are the different kinds of insider threat?
TF: An insider threat is most simply defined as a security threat originating from within an organisation. It’s often associated with an employee of the organisation, either present or former. It also extends to anyone who has access to confidential company information, like contractors and third-party entities.
Insider threats occur for a variety of reasons. In some cases, individuals abuse their access to sensitive information for personal or financial gain; others are ethically or morally motivated. A less well-known insider threat is the “reluctant” insider; this refers to an external attacker who has gained legitimate access to an organisation by compromising an internal employee or third party account. The insider is “reluctant” because they themselves are not involved in the crime, other than by having their credentials used by the attacker.
EB: Are all insiders malicious?
TF: No. Reluctant insiders pose a threat to their company without even realising it, often through accidental or careless behaviour. A reluctant insider could take the form of an employee or contractor who brings his own device to work, logs onto an insecure Wi-Fi at a coffee shop, and immediately becomes vulnerable to an attack. It could also be someone who opens an attachment on a phishing email, or has their login details compromised in some other password leak. The reluctant insider term also extends to include the employee who leaves his USB stick on a train, leading to a leak of potentially sensitive corporate data.
EB: What is the most dangerous or hard-to-defend-against insider threat?
TF: Attacks that compromise administrator accounts are particularly dangerous, regardless of whether an outsider has taken over the account or an administrator has gone rogue. This is because administrators have a number of access privileges that can be used to leak confidential data or steal usernames and passwords.
A new threat is also arising as millennial employees enter the workforce with a strong knowledge of technology. Some cause havoc within their respective companies for the above reasons or just “because they can”, potentially using their prowess to spy on other employees or management.
EB: What are the most common mistakes when dealing with insider threats?
TF: Sometimes the biggest mistake can be the company culture. Creating an environment built on trust is essential. This will not only place workers in a productive and collaborative atmosphere, but might even prevent an employee from acting against the company in the first place. That said, employees must be aware that the organisation reserves the right to monitor all activity on corporate networks and company equipment. Implementing a careful Acceptable Use Policy that clearly outlines what is acceptable is essential. With an agreement in place, there can be no mistaking what the rules are, nurturing an atmosphere of accountability.
EB: How does the insider stack up against other cyber threats? Is it more dangerous, overlooked, underestimated, etc.?
TF: If we are to believe reports from the likes of Verizon, employees directly account for around 20% of breaches. However, if you consider that the majority of external attacks target internal employees, one could argue that intentional and unintentional employees account for close to 80% of attacks. In terms of the financial threat, a 2016 Ponemon study found that the average losses due to insider attacks exceed $4m per year.
EB: What best practices can you share when dealing with the insider threat?
TF: Insider threats are almost always preventable if the right people management processes and tools are in place. This is the case even in a reluctant insider situation. When it comes to tools and technologies, small investments can go a long way. Deploying data-aware cyber security solutions removes the risks around a reluctant insider threat because even if a hacker has legitimate access to data, they are prevented from copying, moving or deleting it. The issue is that companies continue to spend millions on blocking technologies that simply do not do the full job. What’s important is to be able to detect malicious or suspicious activity.
Raising user awareness is also important when dealing with the insider threat, and it’s not just up to the IT department. It is the responsibility of every business leader from the CEO to the HR and legal department to train employees, teaching them to look out for suspicious emails and understand the importance of data protection.