Insider threats are very real…but the most worrisome ones aren’t necessarily what you think they are. The fact is, the majority of inside breaches aren’t caused by malicious users, but by employee negligence. Therefore, effectively protecting against insider threats means that you first need to understand who these “insiders” really are.
Understanding the “Threat from Within”
While there are certainly those malicious insiders who knowingly set out to steal company data, not all data breaches can be attributed to a shadowy, hoodie-wearing figure lurking around the building after-hours.
Quite the contrary, a 2016 Costs of Insider Threats Report conducted by the Ponemon Institute found that 68% of security insider incidents were the result of employee or contractor negligence. By comparison, only about 22% of incidents were actually attributed to malicious insiders and another 10% to credential theft.
So you can see why it’s important to face the facts: careless, naïve or reckless employees are just as big a threat – or an even bigger one – as those who intentionally set out to do the company harm.
Below we’ll talk about 4 main categories of insider threats: Malicious Users, Negligent Users, Exploited Users and External Insiders.
Malicious Users
These are your disgruntled employees, or those who are motivated by financial gain. Oftentimes, they have full access to sensitive corporate data, and don’t actually need to bypass any security measures in order to steal it.
The motivation behind a true malicious insider attack will generally fall into one of these categories:
- Anger – they feel as though they have been wronged and are exacting their revenge
- Financial – they may have large debts and are out of options or just see an opportunity for financial gain
- Hacktivism – they are motivated by political or religious beliefs or some other need to make a statement
- Outside influence – their actions have been coerced by a crime ring or nation-state
It can be very difficult to predict this type of behavior, but there are some red flags that can help to signal an employee who is considering going rogue or is already up to no good.
Use of anonymous web browsers and anonymous VPNs.
This can signal an effort not to leave a digital footprint, or to cover one's tracks.
An employee who is researching security bypass tools.
While there is the remote possibility that an employee doing this type of research is looking to bypass security in order to use their favorite productivity application, chances are even better that it’s not the reason. And even if that is the case, this type of activity can still create unintended security risks.
Use of personal email accounts.
This one is a bit tricky since many, many employees wisely conduct their personal business using personal email accounts, and would never even consider using them maliciously. But it cannot be ignored that sometimes these accounts are used to send data outside of the secure, corporate network.
Use of inappropriate websites.
There is no denying that the internet can be as much of a distraction as a productivity tool. Online shopping, social media postings and other non-work-related internet searches are likely a challenge for most businesses. But if that activity crosses a line into inappropriate or illegal sites such as gambling or pornography, it’s at the very least a general indicator of negligence. At worst, it can signal other financial problems (due to gambling debts) or an overall level of risky behavior that should be treated seriously. More than likely, security measures need to be circumvented in order to access these types of sites, which is a problem unto itself.
Employees who are on their way out.
Even under the best of circumstances, employees who are leaving the company will present a slight risk.
It’s important that you are aware of what access they have, and that when they leave for good, their access is deactivated. Too often, employees who are long gone from a company still have access simply because no one is managing users correctly.
According to a 2015 Intermedia survey, 28% of respondents said that they accessed systems that belonged to their previous employers, after they left the company. And 23% of those same respondents admitted that they would take data from their company if it would benefit them.
Uncovering an attempt to steal data by a malicious user can be difficult. But many times there are behavioral signs ahead of time, such as poor performance, drastic changes in demeanor, or even altercations with other employees. A general awareness of these types of issues and the potential consequences can help as well.
Negligent Users
Preventing intentional data theft is required, but so is preventing mistakes that lead to data theft. They may be accidental, but the consequences of unintentional errors are no less severe.
There are many ways that your users can accidentally create a data incident, but some of the most common include:
- Sharing their user credentials with others
- Leaving credentials out in the open – either stuck to the bottom of the monitor or lying in the top desk drawer
- Use of weak passwords
- Using the same password for every single account
- Installing apps on their work computer without consulting IT - especially dangerous if they are pirated
- Saving confidential company files to personal cloud storage apps
- Using personal storage devices to transfer files to/from a work computer
- Failing to install or accept software or application updates that include security patches
- Accessing personal webmail services from a work computer
- Clicking on a malicious link or attachment in a phishing email
- A lack of knowledge about phishing emails and the dangers they pose
- Having a general lack of understanding or disregard for basic security measures
All of these actions represent poor security practices, and therefore put your data - and your business - at risk. It only takes one bad click to take down your network...and that network is only as strong as your weakest link.
Exploited Users
In some cases, your end-users end up being exploited by hackers. This is most commonly the result of falling prey to a phishing or spear phishing email, or by clicking on a malicious link on a spoofed website.
This is not a malicious action on the part of your end-user, and even educated end-users are sometimes fooled by these sophisticated attacks. But all the same it does result in the attacker gaining access to their machine and most likely your entire network.
While the attacker may not be an insider, they gained access by targeting and victimizing one, and therefore this is still considered an insider attack.
We discuss ways to mitigate these risks at the conclusion of this article, but it’s worth noting here that employee education and ongoing security training are your best defense against phishing attacks and other social engineering tactics.
External Insiders
These are the contract employees, vendors, seasonal staff, consultants and auditors, among others, who are granted access to your network remotely.
And just like employees, these external users can just as easily be targeted to become exploited users, they can make simple mistakes that create issues just as a negligent user does, and they can become malicious users who intentionally set out to steal from you or otherwise inflict damage.
Knowing this, hackers will often look to target and exploit third-party vendors in order to gain access to the network that they are really after.
The highly publicized breach of the Office of Personnel Management (OPM) network was in fact the result of a successful attack against a third-party U.S. Government contractor. After gaining access through the “external insider,” the attackers went on to breach the OPM network and steal over 21 million personnel records containing sensitive information.
Managing the Insider Threats
So how can you manage these risks?
While there is no guaranteed method of discovery when you are dealing with human beings, the best place to start is by acknowledging that the people who work for you are your biggest security threats. As discussed above, that’s for reasons both intentional and unintentional.
Most of your employees are just trying to do their jobs, but in doing so they sometimes cut corners that create these incidents. Or they just aren’t even aware of the risks to begin with. If the leadership team at your company portrays an attitude of “that will never happen to us”, then it’s only natural that the rest of the team will follow suit in dismissing security threats as unimportant or irrelevant.
With that in mind, perhaps the most important thing that can be said about these threats is that they can happen to you too. Acknowledging them goes a long way towards recognizing them and of course taking steps to protect yourself against them.
Beyond that, there are some important best practices that you should follow when it comes to network administration and your overall network security strategy. These include:
Follow the principle of least privilege.
Not every employee needs access at the highest level. In fact, the fewer who do, the more secure you are. Under the principle of least privilege, each account within your organization is created with the fewest privileges possible. Over time, these privileges can be increased as necessary, but only with approval and proper documentation.
In this way, a user who gets hacked but has only low-level privileges won’t lead directly to administrative-level control by an attacker.
Don’t forget that this applies to third-party vendors as well. If possible, grant them temporary access that will expire at a set date.
And for all users, any access should be terminated immediately when the work is complete or they are no longer employed by you.
By limiting administrative access, you limit the number of accounts that can be hacked, and you better protect your data.
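As an added illustration of the offboarding and expiry points above (example code written for this article, not Corsica’s own tooling), the Python script below audits a constructed access inventory and flags departed users who are still enabled, external accounts with no expiry date, external accounts holding admin privileges, and access that is about to expire. The account names, dates and the inventory format are made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    user: str
    kind: str                  # "employee" or "external" (vendor, contractor, auditor)
    admin: bool                # holds administrative-level privileges
    enabled: bool              # account can still log in
    end_date: Optional[date]   # last day of employment / contract; None means open-ended

# Constructed sample inventory (hypothetical accounts, not real data).
INVENTORY = [
    Account("alice", "employee", admin=False, enabled=True, end_date=None),
    Account("bob", "employee", admin=True, enabled=True, end_date=date(2016, 3, 31)),     # left, never disabled
    Account("carol", "employee", admin=False, enabled=False, end_date=date(2016, 2, 15)), # offboarded correctly
    Account("vendor-acme", "external", admin=True, enabled=True, end_date=None),          # no expiry set
    Account("auditor-x", "external", admin=False, enabled=True, end_date=date(2016, 6, 30)),
]
TODAY = date(2016, 6, 20)  # fixed "today" so the audit is reproducible

def audit(accounts, today, warn_within=timedelta(days=14)):
    """Return {user: [finding, ...]} for every account that violates the access policy."""
    findings = {}
    for acct in accounts:
        issues = []
        # Departed employee or expired contractor whose account was never deactivated.
        if acct.enabled and acct.end_date is not None and acct.end_date < today:
            issues.append("still enabled after end date")
        # Third-party access should be temporary: an open-ended external account is a gap.
        if acct.kind == "external" and acct.end_date is None:
            issues.append("external account without expiry date")
        # Least privilege: outside parties should not hold administrative rights.
        if acct.kind == "external" and acct.admin:
            issues.append("external account holds admin privileges")
        # Upcoming end date: make sure the disable step is actually scheduled.
        if acct.enabled and acct.end_date is not None and today <= acct.end_date <= today + warn_within:
            issues.append("access expires within %d days; confirm disable is scheduled" % warn_within.days)
        if issues:
            findings[acct.user] = issues
    return findings

def admin_accounts(accounts):
    """Enabled accounts with admin privileges: the set to keep as small as possible."""
    return sorted(a.user for a in accounts if a.enabled and a.admin)

if __name__ == "__main__":
    for user, issues in audit(INVENTORY, TODAY).items():
        print(user, "->", "; ".join(issues))
    print("enabled admin accounts:", admin_accounts(INVENTORY))
```

In practice the inventory would be exported from your directory or HR system; the checks stay the same.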
Control user access.
With strong account protection controls in place, you are better able to defend against both insider and outsider threats. In general you should be mandating:
- Complex, alpha-numeric account passwords that have to be updated on a regular basis
- No sharing of credentials between employees
- The use of two-factor authentication to better protect your accounts from unauthorized access
Don’t sacrifice security for the sake of convenience.
It may be more difficult to parse out who gets what access and then manage all users, but just giving everyone access to everything is a major risk. So is not cutting off an employee’s access when they leave the company. Same goes for password management, data encryption and setting up shared file storage.
There is some work and even sometimes some cost involved in properly establishing these tools and procedures, but not doing it the right way is what leads to costly hacks and data loss events.
Keep all software and applications up-to-date.
All workstations should be required to accept security and critical updates, period. If you aren’t pushing updates and/or employees are able to bypass them, you are at a higher risk of an insider becoming an exploited insider due to phishing or spear phishing schemes.
Follow password management best practices.
Make sure that your team is following password best practices, such as using long, strong passwords and not using the same password for every single account. Hacks of weak passwords account for a large number of security breaches, so make sure you aren’t putting yourself at a higher risk just because your team doesn’t feel like creating passwords more difficult than “12345678”.
Educate your employees.
The very best way to minimize errors and negligence by employees is to make them aware of the risks. Explain why certain processes and procedures are in place, and what the consequences are of not following them.
Explain that cybersecurity is every employee’s responsibility and that it’s not just an IT Department responsibility.
Make sure they understand phishing and social engineering and how they are being targeted.
And perhaps most important, make sure they understand how a breach could affect the company and their personal livelihood. If they see that a security incident could severely impact the company’s bottom line, they are much more likely to uphold and champion your security policies.
Create a culture of cyber-awareness.
Don't just treat education as a "one-and-done" event. Instead, focus on information security as a company-wide risk management issue that requires adherence to a well-defined set of SOPs and best practices.
If your IT team is bogged down with other priorities, then work with a reputable IT services provider to offer support for establishing and following network administration best practices, and to support ongoing end-user education.
Corsica's managed IT service customers all benefit from our industry-leading network security tools and strategies, including network administration best practices, patch management, managed firewall security solutions, anti-spam and anti-virus that integrate with our monitoring software, end-user education resources and more. With our solutions, you gain an experienced IT partner that takes operational responsibility for your systems and your data and limits your risk, so you can get back to running your business.