Understanding Insider Threats and Mitigation Techniques

Malicious activity that originates from persons with authorized access to critical assets is considered an insider threat. Harm—measured by a negative impact to availability, confidentiality, or integrity of those critical assets—can be done intentionally or unwittingly by current or past employees, consultants, contractors, or trusted business partners who have physical or logical access. Theft of proprietary information, sabotage of infrastructure, and modification of data to commit fraud are all examples of negative outcomes organizations may experience from an insider threat event.

Insider-generated malicious activity can be extremely expensive and damaging to organizations and often more difficult to detect than external threats. Protocols for monitoring users with legitimate access must strike a balance between privacy, compliance, and protection of critical assets. Insider threat detection may also be difficult for some organizations because the traditional mindset of security resources is to focus on external threats—when the fact is, anyone with legitimate access to critical assets can pose a potential risk.

Not all insider threats are the same. They can be categorized into two main types:

  • Intentional — an insider who causes irreparable harm intentionally through malicious acts
  • Unintentional — a “careless insider” who becomes compromised and is unaware their credentials may be used by another party to commit damaging acts

Establishing an Effective Insider Threat Program

While not all organizations are legally required to have an insider threat program, building one is a core part of any holistic security strategy. Any organization with critical assets is at risk of having them exploited by an intentional or unintentional insider threat. Three common types of outcomes all organizations face from that behavior are information modification or theft for personal gain, theft of business data to be used by a competitor, and sabotage.

Organizations must be vigilant enough to detect, prevent, and respond to an insider attack by creating an insider threat program to protect their sensitive data from being compromised, intentionally or unintentionally. The first step in building such a program is to start with a risk assessment that clearly identifies an organization’s critical assets and current protection strategies. If your organization already conducts an enterprise risk assessment, partner with the team responsible for that effort. Ensure the assessment considers insider threat challenges and outcomes.

Using Technical Controls for Risk Management

Organizations should consider technical controls that align with their critical asset protection strategies. Fortunately, there are numerous tools on the market to manage access, detect suspicious activity, and limit the exfiltration of data. Identifying the right governance, monitoring, audit, and data loss prevention (DLP) tools can be challenging, but completing a comprehensive requirements development exercise will help narrow the field. Many organizations already have enterprise-level tools for managing access and monitoring activity, so determining whether existing platforms can be expanded to address insider risks is recommended.

Employing Physical Security Measures

Sometimes organizations overlook the physical security element of the insider threat. Physical access to an organization’s secure areas or confidential data makes it even easier for a malicious insider to commit a crime. Some strategies used by malicious insiders employ “low-tech” and less detectable exfiltration of data by printing or copying files and removing them from facilities. Building a risk-based approach for granting and revoking physical access and developing behavioral detection strategies are critical.

Understanding Employee Risks

Organizations should have a people-centric plan to mitigate insider threat risks from onboarding to offboarding. Managers need to clearly understand insider threat basics and know how to recognize the warning signs. For example, employee behavior and grievances may indicate an increased possibility of a person perpetrating harm against the organization. Failing to ensure that employees comply with basic security protocols, such as regularly changing passwords, not downloading suspicious email attachments, and not lending physical credentials to anyone, may lead to an unintentional insider threat event.

With insider threat detection software, managers can identify changes in user behavior, detect unauthorized removable drives or downloads, and determine whether employees are connecting from compromised networks.
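As an added example (not code from the original article or from any product it describes), here is a minimal baseline-deviation check over constructed endpoint log lines of the kind such software consumes: it flags a user whose daily download volume jumps far above that user's own history, and any removable-drive mount by a user outside an allow-list. The log format, field names, threshold factor and allow-list are all assumptions.

```python
import statistics

# Constructed sample log lines: date,user,event,bytes (the format is an assumption)
SAMPLE_LOG = """\
2024-05-01,alice,download,120000
2024-05-02,alice,download,150000
2024-05-03,alice,download,130000
2024-05-04,alice,download,9800000
2024-05-01,bob,download,300000
2024-05-02,bob,download,280000
2024-05-03,bob,usb_mount,0
2024-05-04,bob,download,310000
"""

# Constructed allow-list of users permitted to mount removable media
APPROVED_USB_USERS = {"alice"}


def parse_log(text):
    """Turn the CSV-style lines into dicts with an integer byte count."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, event, nbytes = line.split(",")
        rows.append({"ts": ts, "user": user, "event": event, "bytes": int(nbytes)})
    return rows


def download_spikes(rows, factor=5.0):
    """Return (user, date, bytes) for any day whose download volume exceeds
    `factor` times the median of that user's other download days."""
    per_user = {}
    for r in rows:
        if r["event"] == "download":
            per_user.setdefault(r["user"], []).append(r)
    alerts = []
    for user, days in per_user.items():
        if len(days) < 3:
            continue  # too little history to form a per-user baseline
        for d in days:
            baseline = statistics.median(o["bytes"] for o in days if o is not d)
            if baseline > 0 and d["bytes"] > factor * baseline:
                alerts.append((user, d["ts"], d["bytes"]))
    return alerts


def unauthorized_usb(rows, approved=APPROVED_USB_USERS):
    """Return (user, date) for removable-drive mounts by non-approved users."""
    return [(r["user"], r["ts"]) for r in rows
            if r["event"] == "usb_mount" and r["user"] not in approved]
```

Run against the sample, `download_spikes` reports alice's 2024-05-04 spike and `unauthorized_usb` reports bob's mount on 2024-05-03; a real deployment would compute the baseline over weeks of history rather than a handful of days.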

Enhancing Security Awareness Among Employees

A protective culture boosts employees’ confidence that an insider threat mitigation program is supportive rather than intrusive. For example, a core value might be “we work together and guard the company’s resources to protect all the hard work we have done and keep our jobs.” Based on this approach, organizations must take the initiative to promote an environment of accountability and mutual respect, leading to a positive community-focused culture that promotes reporting rather than inadvertently inhibiting it.

Summing Up

While insider threat programs are not required of all organizations, insider threats pose a real threat to many organizations. Consider taking these four steps at a minimum to make your data more secure:

  1. Identify your critical assets to develop protection strategies.
  2. Include insider threats as part of your enterprise-level risk assessment.
  3. Create awareness programs to help identify and mitigate behavioral-driven risks.
  4. Invest in technical controls to detect and prevent insider threat events.

Insider threat detection capabilities are crucial, as they inform the rest of the insider threat management program. Therefore, organizations should establish strong internal reporting channels and make sure all employees, third parties, and contractors receive consistent security awareness training. Furthermore, in this age of increased work-from-home opportunities, physical security teams must carefully review and analyze requests for additional network or system access and ensure employees are aware of remote work cybersecurity best practices.

Insider threats are an ongoing issue, but organizations are not powerless to combat them. It’s possible to reduce the risk of insider threats by choosing the right industry-leading security solution provider.
