Insider threats account for almost a quarter of cybersecurity incidents. Unfortunately, this attack vector is easy to overlook, since the usual assumption is that internal users are trustworthy. Understanding insider threats is crucial to a strong security posture, both inside and out.
Types of Insider Threats
An insider threat is one that originates within your organization, so it requires a different kind of security than for most external attacks. Hardening systems against malicious or neglectful insiders is just as important as shrinking your outside attack surface. Some of the same vulnerabilities that would allow an insider to cause damage are usually gaps that an outsider could also leverage after gaining a foothold. Insider threats can range from inadvertently clicking a link in a phishing email to selling confidential data for profit.
An insider could compromise your systems or data for a variety of reasons:
- Displeasure with policies or treatment
- Untrained in cybersecurity best practices
- Bad reasons for taking the job
- Coercion or extortion by a malicious party
- Financial desperation
For many intentional threats, an employee may exhibit unusual behaviors or attitudes. Sudden increases in spending or travel, stark changes in demeanor, and strange working hours can be indicators of an insider threat and are worth looking into. Other indicators are more technical, such as unusual network traffic or the use of flash drives to move data.
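The technical indicators above (odd hours, unusual traffic volume, removable media) are only meaningful relative to what is normal for that user. The following added example, which is not code from the original post, builds a per-user baseline from a short history of activity and flags new events that fall outside it. The log format, user names, transfer sizes, device identifiers and the thresholds are all constructed for illustration.

```python
"""Baseline-and-compare detection over constructed activity logs.

Added example, not part of the original post. Log format (one event per
line: ISO timestamp, user, action, detail), user names, sizes and the
thresholds are all constructed for illustration.
"""
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import mean, pstdev

Event = namedtuple("Event", "ts user action detail")
Alert = namedtuple("Alert", "ts user rule detail")

# Constructed history: two users with ordinary daytime activity.
# 'transfer' detail is bytes moved; 'usb' detail is a device identifier.
BASELINE_LOG = """
2024-03-04T09:05:00 alice login -
2024-03-04T10:15:00 alice transfer 150000
2024-03-04T14:40:00 alice transfer 220000
2024-03-04T17:30:00 alice logout -
2024-03-05T08:55:00 alice login -
2024-03-05T11:20:00 alice transfer 180000
2024-03-05T16:05:00 alice logout -
2024-03-04T09:30:00 bob login -
2024-03-04T13:00:00 bob transfer 90000
2024-03-04T15:10:00 bob usb USB-FLASH-1A
2024-03-04T18:00:00 bob logout -
2024-03-05T09:45:00 bob login -
2024-03-05T12:30:00 bob transfer 110000
2024-03-05T17:50:00 bob logout -
"""

# Constructed new activity to compare against the baseline.
NEW_LOG = """
2024-03-11T02:13:00 alice login -
2024-03-11T02:20:00 alice transfer 9800000
2024-03-11T02:25:00 alice usb USB-FLASH-7F
2024-03-11T10:00:00 bob transfer 100000
2024-03-11T15:00:00 bob usb USB-FLASH-1A
2024-03-11T11:00:00 carol login -
"""


def parse_log(text):
    """Parse 'timestamp user action detail' lines into Event tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, detail = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, detail))
    return events


def build_baseline(events):
    """Summarise what 'normal' looked like for each user in the history."""
    hours = defaultdict(set)
    transfers = defaultdict(list)
    devices = defaultdict(set)
    for e in events:
        hours[e.user].add(e.ts.hour)
        if e.action == "transfer":
            transfers[e.user].append(int(e.detail))
        elif e.action == "usb":
            devices[e.user].add(e.detail)
    baseline = {}
    for user in hours:
        sizes = transfers[user]
        # Transfers more than three standard deviations above the user's
        # mean are treated as unusual; with fewer than two samples we have
        # no spread to judge against, so the rule is disabled for that user.
        limit = mean(sizes) + 3 * pstdev(sizes) if len(sizes) >= 2 else None
        baseline[user] = {"earliest": min(hours[user]), "latest": max(hours[user]),
                          "transfer_limit": limit, "devices": devices[user]}
    return baseline


def detect(baseline, events, slack_hours=1):
    """Compare new events against the baseline and return one Alert per rule hit."""
    alerts = []
    for e in events:
        b = baseline.get(e.user)
        if b is None:  # no history at all for this account
            alerts.append(Alert(e.ts, e.user, "unknown_user", e.action))
            continue
        if not (b["earliest"] - slack_hours <= e.ts.hour <= b["latest"] + slack_hours):
            alerts.append(Alert(e.ts, e.user, "off_hours", f"{e.ts:%H:%M}"))
        if (e.action == "transfer" and b["transfer_limit"] is not None
                and int(e.detail) > b["transfer_limit"]):
            alerts.append(Alert(e.ts, e.user, "large_transfer", e.detail))
        if e.action == "usb" and e.detail not in b["devices"]:
            alerts.append(Alert(e.ts, e.user, "new_usb_device", e.detail))
    return alerts


def run_example():
    """Build the baseline from history and score the new activity."""
    return detect(build_baseline(parse_log(BASELINE_LOG)), parse_log(NEW_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user:<6} {a.rule:<15} {a.detail}")
```

Run as-is, the script flags alice's 02:13 login, a transfer roughly fifty times her normal size, and a flash drive never seen before, while bob's daytime activity with a known device produces nothing. The same structure scales to real sources (VPN logs, DLP events, endpoint telemetry): the baseline is rebuilt periodically and the rules stay simple enough that an analyst can explain every alert.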
Insider Threat Prevention
Access Control is crucial to internal security, and should be based on the type of user and the type of data. A core principle of access control is least privilege: the less data a person can reach, the less damage they can do, so grant each user only the access their role requires. Access Control also makes it easier to investigate security incidents, since the list of suspects can be narrowed down to those who had access to the data affected.
Other rules of thumb include:
- Clear policies and frequent training: This can reduce the threat of negligence. Employees should know exactly what the security policies are, why they are important, and what the consequences are for noncompliance.
- Employee Satisfaction: If employees are unhappy, they might use their access privileges to try to correct a perceived injustice.
- Accounting: In the “AAA” model (Authentication, Authorization, & Accounting), Accounting refers to logging a user’s activity while they are connected to their organization’s network, web accounts, or other internal resources. Once you have established a baseline for normal user behavior, compare new activity against it to find anything out of the ordinary.
- Job Rotation/Mandatory Holidays: Have employees rotate jobs or workstations once in a while or go on paid mandatory leave. These types of policies are usually implemented to prevent embezzlement, but they also help deter other malicious behavior.
- Physical Security: Lock cabinets and doors that lead to sensitive data. Even if everyone in the vicinity is cleared to use those resources, keep track of who is accessing them and when.
- Offboarding: When employees leave, all of their access to company data should be removed immediately. This is also a best practice for preventing external attacks that utilize old credentials.
- Two-Party Integrity: Also known as the two-man rule, TPI ensures that sensitive actions can only be performed when two or more authorized people are present.
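The least-privilege guidance above and the two-party rule in the last item are easiest to reason about when they sit in one deny-by-default policy. The following added example, which is not code from the original post, models roles cleared only to the classification level they need, records every decision (the Accounting part of AAA), requires a second cleared person for sensitive actions, and lets an investigator ask who could have reached a given resource. Roles, users, resources and classification levels are constructed for illustration.

```python
"""Least-privilege access control with accounting and two-party integrity.

Added example, not code from the original post. Roles, users, resources and
classification levels are constructed for illustration.
"""
from dataclasses import dataclass, field

# Classification levels, lowest to highest.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Least privilege: each role is cleared only to the level its work requires.
ROLE_CLEARANCE = {"intern": "public", "engineer": "internal",
                  "finance": "confidential", "security": "restricted"}

USERS = {"alice": "engineer", "bob": "finance", "carol": "security",
         "dave": "intern", "erin": "finance"}

RESOURCES = {"wiki": "public", "source-code": "internal",
             "payroll": "confidential", "customer-keys": "restricted"}

# Actions that need a second authorized person present (two-party integrity).
TWO_PARTY_ACTIONS = {"export", "delete"}


def clearance_ok(user, resource):
    """True when the user's role is cleared at or above the resource's level."""
    role = USERS.get(user)
    if role is None or resource not in RESOURCES:
        return False
    return LEVELS[ROLE_CLEARANCE[role]] >= LEVELS[RESOURCES[resource]]


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)  # the "accounting" in AAA

    def _decide(self, user, action, resource, approver, allowed, reason):
        # Every decision, allowed or denied, is recorded for later investigation.
        self.audit_log.append({"user": user, "action": action, "resource": resource,
                               "approver": approver, "allowed": allowed, "reason": reason})
        return allowed

    def check(self, user, action, resource, approver=None):
        """Deny by default; allow only with sufficient clearance and, for
        sensitive actions, a second distinct person who is also cleared."""
        if user not in USERS:
            return self._decide(user, action, resource, approver, False, "unknown user")
        if not clearance_ok(user, resource):
            return self._decide(user, action, resource, approver, False, "clearance too low")
        if action in TWO_PARTY_ACTIONS:
            if approver is None or approver == user:
                return self._decide(user, action, resource, approver, False,
                                    "second authorized person required")
            if not clearance_ok(approver, resource):
                return self._decide(user, action, resource, approver, False,
                                    "approver not cleared for this resource")
        return self._decide(user, action, resource, approver, True, "ok")

    def possible_suspects(self, resource):
        """Users whose clearance covers the resource: the starting set for an investigation."""
        return sorted(u for u in USERS if clearance_ok(u, resource))

    def denied(self):
        """Denied attempts from the audit log, a useful signal in its own right."""
        return [e for e in self.audit_log if not e["allowed"]]


def run_example():
    """Exercise the policy with a constructed sequence of requests."""
    ac = AccessControl()
    results = [
        ac.check("alice", "read", "source-code"),               # True
        ac.check("alice", "read", "payroll"),                   # False: engineer not cleared
        ac.check("dave", "read", "wiki"),                       # True
        ac.check("bob", "export", "payroll"),                   # False: no second person
        ac.check("bob", "export", "payroll", approver="bob"),   # False: same person twice
        ac.check("bob", "export", "payroll", approver="alice"), # False: approver not cleared
        ac.check("bob", "export", "payroll", approver="erin"),  # True
        ac.check("mallory", "read", "wiki"),                    # False: unknown user
    ]
    return ac, results


if __name__ == "__main__":
    ac, results = run_example()
    for entry in ac.audit_log:
        print(f"{'ALLOW' if entry['allowed'] else 'DENY ':5} {entry['user']:<8}"
              f"{entry['action']:<7}{entry['resource']:<14}{entry['reason']}")
    print("could have read payroll:", ac.possible_suspects("payroll"))
```

Two points are worth noticing. The approver must be a different person with their own clearance for the resource, otherwise the two-party rule degrades into a single person clicking twice. And because every denial is logged, repeated "clearance too low" entries for one account are themselves an early indicator worth reviewing, which is exactly the Accounting feedback loop the list above describes.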
Responding to Insider Threats
If you think someone might be stealing, selling, or otherwise threatening company data, your next steps will depend on your policies and the nature of the threat. Your first priority is to protect sensitive data. This means containing the threat and ensuring the perpetrator cannot continue what they are doing. Even if it is not clear whether they were acting maliciously, it is best to remove their access to avoid any further damage until you can investigate the situation. Take an image of the affected systems and the suspect’s workstation for forensic analysis, and ensure you have a recent backup so that no data or evidence is lost.
You will need a way to wipe sensitive data from devices the employee uses for work, as well as tracking and remote locking mechanisms for company-owned devices. These capabilities will save you time and resources in your investigation, and give you peace of mind that the data on those devices will not be compromised further.
Finally, you will need to contend with public exposure. It may be tempting to try to keep the incident quiet, but it is in your best interest to be transparent. Demonstrating integrity in how you handle and report on an incident can help you regain public trust more quickly, and provides the cybersecurity community with a lesson on mitigating similar situations. Take the opportunity to improve your security posture and help others do the same.
ABOUT DRIVESTRIKE
DriveStrike is a security solution that provides Remote Wipe, Geolocation, Remote Lock, and other essential capabilities for protecting your devices and data. Get started with DriveStrike today by starting your free trial, and feel free to contact us if you have any questions. Your security is our priority.