Mitigating insider threats should be a priority for organizations
Insider threats are tricky because they come from a demographic that is largely trusted: employees have gone through the HR process, have been interviewed by managers and colleagues, and, if they are to be engaged in work in support of the government, have obtained some level of clearance for access to classified information, networks, and systems.
Data leakage and the destruction, disruption, and manipulation of data and networks are all possible outcomes, depending on the level of malicious intent. Given the recent events involving the use of ransomware to encrypt hospital networks, it’s easy to see how direct access to networks could enable hostile insiders to insert this type of malware into a network and hold it for considerable ransom.
Insider threats are the cause of approximately one-third of security incidents experienced. The majority of these insider incidents resulted in private information being unintentionally exposed; confidential records being compromised or stolen; customer records being compromised or stolen; and employee records being compromised or stolen. These findings are echoed in the Verizon Data Breach Investigations Report, which found that 50% of all security incidents were caused by individuals inside the organization.
Developing a formalized insider threat program is becoming essential for all organizations seeking to reduce their risk exposure. Specific technologies and analytics can also help proactively identify this threat before it escalates to a serious issue. Since there is no easy, one-stop shop solution to combat insider threats, layered approaches often provide the best way forward.
Technology that monitors user behavior.
A key supporting element of monitoring technology is first establishing what a “normal” baseline is for all of the users in the environment. Once this is established, monitoring for anomalies provides a first “heads up” that potentially malicious behavior may be occurring.
Technology that restricts access.
Authorizing people only for those network resources required to do their job will help decrease potential data leakage by other parties. The implementation of stronger user restrictions will require individual users to request access to areas to which they may not have been privy. This will help organizations keep track of those that have regular access and those that have limited or temporary access.
Technology for restricting/monitoring removable media use.
Removable media was the vehicle that facilitated the theft of classified information by both Manning and Snowden. While it is preferable for organizations to “turn off” removable media capability, job requirements may make this unfeasible. An alternative is to use technology solutions to monitor download activity, which can help identify questionable activity by employees based on its volume, its duration, and the time at which it occurs.
Technology for whitelisting.
Whitelisting is a way of ensuring that only those applications and services that are authorized run on an endpoint system. If unrecognized code tries to run, it is immediately checked against the whitelist.
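The baseline-then-anomaly approach described above, applied to removable media copies, can be sketched as follows. This is an added example, not code from the article or any product; the event fields, the three-standard-deviation threshold, and all names and sample records are assumptions constructed for illustration.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data: (user, start time, bytes copied to removable media, seconds)
HISTORY = [
    ("alice", "2024-03-04T09:15:00", 12_000_000, 40),
    ("alice", "2024-03-05T10:05:00", 15_000_000, 55),
    ("alice", "2024-03-06T14:30:00", 9_000_000, 35),
    ("alice", "2024-03-07T16:45:00", 14_000_000, 50),
    ("alice", "2024-03-08T11:20:00", 10_000_000, 45),
]

def build_baseline(events):
    """Per-user 'normal': mean/stdev of volume and duration, plus usual working hours."""
    per_user = {}
    for user, ts, size, secs in events:
        rec = per_user.setdefault(user, {"size": [], "secs": [], "hours": []})
        rec["size"].append(size)
        rec["secs"].append(secs)
        rec["hours"].append(datetime.fromisoformat(ts).hour)
    return {
        user: {
            "size": (mean(r["size"]), pstdev(r["size"])),
            "secs": (mean(r["secs"]), pstdev(r["secs"])),
            "hours": (min(r["hours"]), max(r["hours"])),
        }
        for user, r in per_user.items()
    }

def review(event, baseline, z=3.0):
    """Return the reasons an event deviates from its user's baseline (empty if none)."""
    user, ts, size, secs = event
    base = baseline.get(user)
    if base is None:
        return ["no_baseline"]  # no history for this user: route to manual review
    reasons = []
    for label, key, value in (("volume", "size", size), ("duration", "secs", secs)):
        mu, sigma = base[key]
        # Floor sigma at 10% of the mean so a very flat baseline does not over-alert.
        if value > mu + z * max(sigma, 0.1 * mu):
            reasons.append(label)
    first, last = base["hours"]
    if not first <= datetime.fromisoformat(ts).hour <= last:
        reasons.append("off_hours")
    return reasons

BASELINE = build_baseline(HISTORY)
```

A flagged event is a prompt for follow-up, not proof of intent; in practice the baseline would be rebuilt on a rolling window as job duties change.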
A report, Managing Insider Risk through Training & Culture, notes that although organizations acknowledge insider risk continues to be a significant challenge on the cyber security front, employees are not being provided the necessary training to do their parts to help reduce risks.
Survey results show that 66% of respondents report feeling that employees are the weakest link in the security chain, while 55% of respondents indicate their organization had suffered a security incident or data breach as the result of negligent or malicious end-user behaviors.
- Only 35% of respondents say their senior executives have made end-user security awareness and training a priority;
- 60% report their employees are not knowledgeable or have no knowledge of the company’s security risks; and
- Less than half, 49%, indicate they teach employees about phishing and social engineering attacks.
That being the case, organizations need to enhance their approach to cyber security education. “End-users can be a valuable resource. Not only can employees help block external attacks, they can also be eyes and ears on the inside, helping to identify negligent behaviors and potential malicious internal actors,” the statement notes.