Insider threats can be malicious or inadvertant, but the consequences can lead to costly brand damage or significant financial losses to your company. Understanding the types of insider threats and corresponding risk indicators can help minimize impact and damage caused by such threats.
First, what are insider threats?
Insider threats can be malicious or inadvertant threats to your organization that come from employees or contractors, who have inside information about your organization’s data, systems and even security practices.
Some employees may be motivated to steal money or merchanise, leak customer personal data to sell for financial gain, or simply to sabotage your company’s reputation, just to name a few.
Insider threats can be costly to your organization’s image, brand and financial bottom line.
The most prominent example is the infamous Eric Snowden story, the National Security Agency (NSA) contractor who stole and leaked classified information from the NSA without authorization. The leaked sensitive documents included information on surveillance and intelligence programs.
In another example, an IT contractor from the Korea Credit Bureau stole 20 million personal data records, to include names, social security numbers and credit cards. He was later arrested. The bureau, and consequently contractor, had access to South Korea’s three largest credit card companies to include KB Kookmin Card, Lotte Card and NH Nonghyup Card. The data was copied to USB and to compound matters, was not encrypted.
In yet another example, a San Francisco IT employee was accused of setting a network sabotage “time bomb” by rigging city computers to shut down during maintenance or power outage.
Accidents also happen. An unfortunate yet more frequent occurence this year is when employees or contractors misconfigure cloud-based systems. Such as when a NICE contractor inadvertantly exposed millions of Verizon customers via a poorly secured Amazon Web Service (AWS) S3 storage system. Just this week, another third party contractor leaked personal data on nearly 50,000 Australian employees, also via unsecured cloud system.
Lost laptops with a treasure trove of un-encrypted data and emails sent to the wrong recipients also qualify as examples of accidents waiting to happen and can easily be avoided.
To help reduce the impact and likelihood of insider threats like these, organizations should take note of these six good safeguards.
1) Data Loss Prevention (DLP) controls
Data Loss Prevention (DLP) is a tool or process used to monitor or restrict sensitive information from leaving your organization or from being accessed by unauthorized sources (also known as “data leakage”). Many DLP commercial solutions, such as those offered by Symantec or McAfee, focus on monitoring and protection of data leakage to include data in motion (e.g., copying unencrypted sensitive data to removable media, through e-mail, via internet web proxies and webmail) and data at endpoints (e.g., data discovery and quarantine of files on insecure systems).
The main objective of DLP is to ensure senstive information, such as credit card numbers, social security numbers or other senstive personal data, is never stored or transmitted unless it is encrypted and stored in secure locations. If you can’t afford DLP software, implement other strong data protections such as whole disk encryption, file encryption such as PGP and others listed in this article.
2) Privileged identities and entitlements
Make sure your organization has identified a limited number of privileged identities (unique users or administrators) with corresponding login accounts designed for system administrator activities. Don’t allow your business users, such as customer service, accounting or other backoffice employees, to login with privileged or system administrator accounts (e.g., Administrator or Root). Limit use of those accounts and leave those accounts to your system administrators whose job it is to maintain your systems.
Limiting the privileges of normal business users to only the minimum required to perform their jobs, or “least privilege,” can help minimize the chance of installing malicious software or ransomware that could compromise your company’s systems or pilfer data.
Be also wary of granting too many entitlements even to your top performers. It is OK to trust your best employees of course, but those users should also be monitored and restricted to only what’s required for his or her job.
3) Security policy awareness
Make sure your organization has documented and published information security policies that your employees and contractors are fully aware of. It is imperative that new employees have acknowledged they have read, understand and sign off on the company’s policies, guidelines and procedures. It is also important that new and existing employees or contractors understand the consequences of not following policies, such as possible termination of employment or third party contract.
Communicate regularly via security awareness training/campaigns. Send out “all employee” email messages to promote good security practices needed to protect sensitive data. Awareness is the responsibility of all employees, not just the security staff or managers of your company.
4) Understand culture of risk
Be aware of different cultures that exist from one organization or company to the other. Not all are the same. For instance, small startups may be much more tolerant to take on risk given they have a lower budget to spend on security or they may have ongoing pressures to quickly launch a new competitive product.
More established enterprises with more mature security and risk programs are most likely more risk averse, as they should have stronger controls in place to monitor and document security issues, risk and compliance in the environment. Employees in those organizations may also be more aware of security policies due to annual compliance training requirements, than smaller companies with less structure in place.
Small or big, partner closely with your business units to foster good security best practices and be their advocate for promoting security safegaurds. Don’t just use the “big stick,” as often times business are trying to do the right thing. Always using scare tactics may foster resentment and an unwillingness to partner with you. They just need experts such as security professionals to lead them in the right direction.
5) Know your risk indicators
There are many risk indicators that can be monitored that raise the likelihood of an insider threat that could damage your company’s brand. For instance, a negative employee performance history, such as history of compliance issues (e.g., time and expense report discrepancies, lower HR performance review) could be a sign to watch out for. Ensure background checks are performed for new employees and make sure exit interviews are completed for departing employees to ensure assets are returned and protected, as well as login accounts are disabled.
Be wary that often times data loss may occur after employees turn in his or her two week notice to leave the company. Monitor for suspicious activities and lockdown potential data exfiltration ports, such as USB/removable media, email, cloud-based file sharing apps, etc.
Additional high risk indicators include but not limited to: elevated system privileges and login activity on higher risk assets (such as customer or financial systems), large amounts of data movement (from the norm), disclosure of sensitive information on social media or sending company email to personal addresses or future employer, to name just a few. High risk assets and users can include financial systems, cloud/SaaS applications used to store senstive company data or your customer database systems, for example.
6) Leadership alignment
Make sure to get leadership and stakeholders engaged in your insider threat program and awareness campaigns to include information security, legal/privacy, HR, business and IT teams. Let your leadership team know what you’re doing or planning to do and ensure all legal and privacy ramifcations are well understood and regulations are followed.
Be also aware of potential impact to operations teams and have ongoing communication campaigns to spread awareness on good data loss prevention safeguards, such as encrypting senstive data and storing data in secure locations, not exposed to the public.
These are just a handful of good safegaurds to include in a good insider threat program.