Understand ‘normal’ behaviours
Network defences are commonly toppled from the inside, and this kind of threat can be much harder for organisations to detect, according to Stephen Moore, chief security strategist at Exabeam.

He said: “One hard truth to accept is that you can’t always trust your citizens – the employees, third parties and machines operating inside your network.

“On the one hand, an external adversary could gain access to your system using stolen credentials from one of your trusted insiders. The compromised individual is often unaware that their credentials are being used.

“The stolen accounts are used to gain remote access to your company and then move laterally within. This method is incredibly effective because most lack the ability to identify compromised accounts.

“In this case, it’s not about an advanced malware or even trying to phish for new credentials, but about using what’s already been authorised by you to harm your company – and the results are ugly.

“On the other hand, you may have ‘malicious insiders’ in your network – these are generally employees working for their own benefit. Malicious insiders may be selling your secrets or may have other reasons to cripple your operations. So, it’s important to monitor the accounts of those who have recently left the company.

“Here’s what you need to remember when combatting the insider threat: understand the normal behaviours of everyone that accesses your network. When you know the typical behaviour, you can more easily spot anomalies.

“To do this, you need the means to track every activity and pull this together into a single storyline. By storing these details and using tools that can look for suspicious behaviour, you can keep on top of your insiders and quickly detect any dangerous activity.”
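As an added illustration of the baselining approach Moore describes (example code written for this page, not Exabeam's product or the article's own), the snippet below learns each user's usual source hosts and logon hours from a month of constructed logon records, then flags later events that deviate from that baseline, plus any logon on an account belonging to someone who has left. All user names, hosts and timestamps are constructed.

```python
# Added example (not Exabeam's or the article's code); users, hosts and times are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "timestamp user src_host" for successful logons.
BASELINE_LOG = """\
2018-10-01T09:05:00 alice ws-alice
2018-10-02T08:55:00 alice ws-alice
2018-10-03T17:40:00 alice vpn-gw
2018-10-01T10:12:00 bob ws-bob
2018-10-02T11:30:00 bob ws-bob
"""
NEW_LOG = """\
2018-11-05T09:10:00 alice ws-alice
2018-11-05T02:14:00 alice vpn-gw
2018-11-05T10:00:00 bob fileserver-01
2018-11-05T13:00:00 carol ws-carol
"""
DEPARTED = {"carol"}  # leavers whose accounts should already be disabled


def parse(log):
    for line in log.splitlines():
        ts, user, host = line.split()
        yield datetime.fromisoformat(ts), user, host


def build_baseline(log):
    """Per user: source hosts seen and the (min, max) logon hour-of-day."""
    hosts, hours = defaultdict(set), defaultdict(list)
    for ts, user, host in parse(log):
        hosts[user].add(host)
        hours[user].append(ts.hour)
    return {u: (hosts[u], min(hours[u]), max(hours[u])) for u in hosts}


def detect(baseline, log, departed=DEPARTED):
    """Return (user, host, reason) tuples for events deviating from baseline."""
    alerts = []
    for ts, user, host in parse(log):
        if user in departed:
            alerts.append((user, host, "logon by departed employee's account"))
        elif user not in baseline:
            alerts.append((user, host, "no baseline for user"))
        elif host not in baseline[user][0]:
            alerts.append((user, host, "source host never seen for user"))
        elif not baseline[user][1] <= ts.hour <= baseline[user][2]:
            alerts.append((user, host, f"logon hour {ts.hour} outside baseline"))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), NEW_LOG):
        print(alert)
```

A real deployment would build the baseline from far more history and more signals (volume, destinations, data moved), but the shape is the same: store everything, learn what is normal per account, alert on deviation.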
Beware the malicious insider and the cloud
The malicious insider is typically a disgruntled employee who looks to steal or leak company data out of greed or even spite, Jan van Vliet, VP and GM EMEA at Digital Guardian, noted.

“Take Tesla – earlier this year, the company suffered a data leak at the hands of a disgruntled employee, who made changes to company source code and exported gigabytes of proprietary data to unknown third parties.

“With their knowledge of the network and access to company data, preventing a malicious insider from carrying out data theft can be difficult. However, data-centric security technologies can go a long way in reducing the likelihood of these attacks.

“These solutions prevent employees from copying, moving or deleting data unless they have given specific permission or approval to do so. These solutions also redact sensitive data from being sent in an email and will alert the system administrator to any attempts to move sensitive data.”

Steve Armstrong, regional director UK, Ireland and South Africa at Bitglass, agreed, citing the growing adoption of cloud as greatly improving the agility of many modern businesses. However, it has also given rise to new security concerns, such as the insider threat.

He explained: “According to a study by Crowd Research Partners, over 90% of organisations feel vulnerable to insider attacks. Cloud adoption and bring your own device (BYOD) policies have improved businesses’ agility, but have also made sensitive data more accessible, presenting a significant IT security challenge.

“This is clearly demonstrated in the high-profile incidents involving BUPA, Morrisons and Tesla.

“Unfortunately, in cloud-based IT environments, organisations often struggle to detect anomalous or careless employee behaviours. As such, many must revise their approaches to data protection. By understanding modern threats and deploying appropriate security solutions, many of these risks can be mitigated and even eliminated.”
Encryption is key
Luke Brown, VP EMEA at WinMagic, argued that to effectively protect against insider threats, whether malicious or simply unplanned user error, sensitive data should only be viewable by authorised personnel.

He continued: “Encryption is often (and quite rightly) viewed as the last line of defence when it comes to data security. Authorising only those users who are meant to see the data – giving them the correct encryption keys and appropriate access rights to encrypted files, folders and containers – ensures anyone else is unable to access the data.

“But encryption needs a wide purview; data needs to be kept under lock and key no matter where it is – on an endpoint, in a data centre or in the cloud.

“Users are the one constant, inevitable challenge in securing data, so taking a cross-platform, ubiquitous approach to encryption is the only answer.”
Knowledge is power
Advanced security technologies go a long way to mitigate the insider threat risk. But, as Steve Wainwright, managing director EMEA at Skillsoft, argues, education is also key in this instance.

“Social engineering attacks are a go-to method for hackers,” he said. “They rely on unwitting, unsuspecting and, at times, careless employees.

“A recent Positive Technologies study found that over one in ten employees fall for this type of attack. Social engineering attacks work by using psychological manipulation. Hackers use information gained on social media or the dark web to build a profile of a person and then pose as someone they might know via email.

“They might then encourage their victim to click on a link or download a file that contains malware.

“The key to defending against this type of threat is education. By training employees to question and look out for suspicious emails – for example, checking if the sender email address looks odd and scanning the email for poor grammar and spelling – organisations can reduce the likelihood of successful attacks.

“Giving employees the skills and knowledge they need to identify potential attacks is the best way of mitigating the insider threat risk.”

The insider threat continues to be one of the largest problems in cybersecurity, with Ponemon’s latest report finding that the average insider threat incident costs organisations $8.76 million. Guy Fawkes Night should be a reminder for businesses to evaluate the very real risk of the insider threat and take the right steps to prevent sensitive data from being shared.