How to Detect and Prevent Insider Threats
When we hear of data breaches and other events that impact organizational security, we typically think of malicious acts perpetrated by individuals from the outside. While it’s true that anonymous hackers and cybercriminals pose a significant security threat, the most daunting risks often come from the inside.
Current and former employees, third-party contractors, remote workers, consultants and temporary workers are just a few examples of individuals who may have access to computer systems, sensitive customer data, intellectual property, trade secrets and financial accounts. If this information falls into the wrong hands, it could have devastating consequences for an organization.
Case in Point: Verelox
Here’s just one example of how an insider with malicious intent can cripple an organization. In June 2017, Verelox, an Internet hosting services provider based in the Netherlands, had to shut down its entire operation for several days. The reason? A disgruntled employee managed to delete virtually all of the company’s customer data and wipe out most of its servers.
Insider Threats Are on the Rise
Insider threats are real and pervasive. According to a 2017 survey conducted by Haystax Technologies, 56 percent of security professionals reported that their organization experienced an increase in the number of detected insider threats in the previous year. Seventy-five percent of the respondents also indicated they believed that the cost of breach remediation steps could exceed $500,000.
Also, according to a survey performed by secure file sharing services provider Biscom, Inc., 25 percent of respondents indicated that they “stole” data when leaving an organization, and 85 percent of those individuals stated they didn’t believe it was wrong to do so. Additionally, 95 percent of those who took information with them indicated that the lack of adequate safeguards made it possible, even easy, to get away with it.
Thus, it’s safe to say that the combination of motive (financial gain, acquiring knowledge that will assist in future career endeavors, retribution against the organization, etc.) and opportunity (absence of sufficient protections and security protocols) fosters an environment where insider threats should be anticipated and even expected.
What Can You Do to Identify the Insider Threats That Impact Your Organization?
There are several red flags to watch for when attempting to detect specific threats within your organization:
- Employees with unmet expectations: Malicious acts are often performed by disgruntled employees whose work-related expectations are not met. Examples include not receiving a promotion or wage increase they believed they had earned or being assigned a job duty they feel doesn’t match their career aspirations. Signs to watch for include conflicts with colleagues or supervisors, declining job performance and poor attendance.
- Unmonitored privileged users: Network administrators and other privileged users typically have the highest level of access to sensitive information in most organizations – which also puts them in the best position to execute a data breach. Failing to monitor these workers leaves an organization highly vulnerable to insider threats – even if they are among the most trusted employees in the company.
- Unsupervised workers: If your workforce consists of a large contingent of remote workers or third-party contractors who work with little or no direct supervision, you face a higher risk of a malicious act, especially if these individuals have unfettered access to your organizational data. In the case of contractors, lax screening practices can increase the threat, especially if you know little about their background.
- Too many users and devices: As organizations grow, they tend to expand the scope of access to data. In too many instances, this leads to an increase in unauthorized users, as well as unmonitored devices. Organizations that don’t limit access to sensitive information to a “need to know” basis are extremely vulnerable to insider threats. Another potential red flag is having a “BYOD” policy where employees can bring their own devices (laptops or tablets) to the office or use them for work-related activities.
As Geoff Webb, vice president of strategy at the software and information technology company Micro Focus points out, “Many organizations struggle to adequately manage who has access to data, even highly sensitive data, mostly because of the complexities of the modern workforce, the role of many outsiders, the rate at which information flows, and the effects of privilege creep over time for long-time employees.”
- Unprotected devices: While many organizations follow stringent software security and password protection protocols, they fail to protect the computers themselves. For example, leaving USB ports and DVD drives enabled is an open invitation for employees to copy data and take it with them when they leave. Consider whether you really need these functions enabled on your company computers.
Insider Threat Prevention Tips
There are several steps your organization can take to reduce your insider threat risk:
- Protect your critical assets: A critical asset is anything of value that, if destroyed, altered or rendered inoperable, would negatively impact your organization’s ability to support its mission-critical functions. These assets can be physical or logical and can include computer systems, facilities, technology and intellectual property. Make these your primary focus when developing a threat prevention plan.
- Perform thorough screening and background checks: Many employees who commit malicious acts against their employers are not first-time offenders. Your applicant screening process should include a comprehensive criminal history check. You should also attempt to determine whether the applicant left a previous employer under “questionable” circumstances. And don’t forget to do the same for third parties such as vendors, contractors and consultants, especially if they have access to sensitive information.
- Implement stringent review procedures for departing employees: Employers should be on high alert when an employee leaves the company, as this is when organizations are typically the most vulnerable to insider threats. When workers submit their resignation, review their performance and activities during the previous 90 days and continue to monitor them until their final day on the job. Look for any telltale signs that they have stolen or are planning to steal data or engage in other malicious acts. Do the same for any workers you’re planning to terminate, especially those who may have an “axe to grind.”
- Develop a targeted incident response plan: While most organizations these days have designed a plan to handle external breaches, they often neglect to develop one for responding to those caused by insiders. A malicious attack perpetrated by an employee can pose an even bigger public relations headache, as it creates the perception that the organization runs a “loose ship” and is failing to police its staff. As with an external plan, an internal response plan should contain elements such as damage control steps and appropriate media relations practices during a crisis.
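As an added example that is not part of the original article, the following Python sketch turns the departing-employee review above (90-day lookback, monitoring through the final day) and the removable-media concern into a check over an audit log. The log format, field names, HR records and the 1 GB alerting threshold are all constructed assumptions, not values from the article.

```python
from datetime import datetime, timedelta

# Constructed sample copy-audit log (not from the article):
# timestamp  user  event  destination  bytes
SAMPLE_LOG = """\
2017-01-10T08:00:00 asmith FILE_COPY removable 4000000000
2017-03-01T10:00:00 jdoe FILE_COPY network_share 5000000
2017-05-20T09:12:00 jdoe FILE_COPY removable 2500000000
2017-05-21T11:05:00 asmith FILE_COPY removable 200000000
2017-05-22T18:40:00 jdoe FILE_COPY removable 3100000000
2017-05-23T17:55:00 asmith FILE_COPY removable 300000000
2017-06-10T16:30:00 jdoe FILE_COPY removable 1000000000
"""

# Constructed HR records: user -> (resignation date, final day on the job)
DEPARTURES = {
    "jdoe": ("2017-06-01", "2017-06-15"),
    "asmith": ("2017-06-01", "2017-06-15"),
}

LOOKBACK = timedelta(days=90)      # the article's 90-day review window
THRESHOLD_BYTES = 1_000_000_000    # hypothetical alerting threshold (1 GB)

def parse_log(text):
    """Parse the whitespace-separated audit lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, user, event, dest, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "dest": dest, "bytes": int(size)})
    return events

def removable_copy_total(events, user, resignation, final_day):
    """Bytes copied to removable media by `user` from 90 days before the
    resignation through the final day (monitoring continues until departure)."""
    start = datetime.fromisoformat(resignation) - LOOKBACK
    end = datetime.fromisoformat(final_day)
    return sum(e["bytes"] for e in events
               if e["user"] == user and e["event"] == "FILE_COPY"
               and e["dest"] == "removable" and start <= e["ts"] <= end)

def review_departures(log_text=SAMPLE_LOG, departures=DEPARTURES,
                      threshold=THRESHOLD_BYTES):
    """Return {user: (total_bytes, flagged)} for each departing worker."""
    events = parse_log(log_text)
    result = {}
    for user, (resignation, final_day) in departures.items():
        total = removable_copy_total(events, user, resignation, final_day)
        result[user] = (total, total >= threshold)
    return result
```

With the constructed data, jdoe is flagged (6.6 GB to removable media inside the window, including a copy after resigning) while asmith is not, because the 4 GB copy in January falls outside the 90-day lookback.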