Living in an increasingly networked world has its advantages, but it also leaves organisations vulnerable to exploitation by malware, inadvertent employee actions and malicious attacks.
Data security breaches can be devastating in terms of cost and reputation, so efforts are rightly directed at protecting the perimeter of an organisation’s IT systems from unauthorised intruders. However, the threat that is harder to guard against comes from within.
A fascinating survey by the SANS Institute confirmed the insider threat is a key concern for security professionals. And yet, of the 770 businesses polled, 32% had no systems in place to protect against insider attacks, around half struggled to estimate the damage from such an attack, while 44% did not know how much they spent on preventing insider threats.
Spotting security incidents arising from within the firm is particularly tricky because the attacker may have legitimate access. If the credentials entered are valid, the alarms that would sound when an unauthorised user attempts entry from the outside are not raised.
There is a line to be drawn between allowing employees or contractors access to the information they need to get the job done, and implementing an effective lock-down of sensitive data. Getting the balance right is not easy. As the recent PwC Economic Crime Report sums up: “Companies continue to make their critical data available to management, employees, vendors, and clients on a multitude of platforms – including high-risk platforms such as mobile devices and the cloud – because the economic and competitive benefits appear so compelling.”
Alongside enabling innovation and productivity, every company has to deal with the insider threat. The truth is, it’s not just an IT matter. While the IT department is central to enabling access to information, it really just provides the tools. It’s down to the C-suite, the managers, HR, Legal and IT to work together to empower and engage employees. Trust is a key factor, because there needs to be an atmosphere in which management can take advice they don’t necessarily want to hear and in which an employee can speak up without fear of reprisal.
In summary, here are the top five ways to protect your organisation from the insider threat.
Conventional screening methods struggle to detect unauthorised use of information that has been accessed “legitimately.” However, the signs of an insider threat are often there before a breach occurs. Behavioural changes should act as a red flag – is the employee accessing data at odd times, e.g. on sick leave or on holiday? Other suspicious activity might include an employee complaining more, being less cooperative and taking an interest in matters outside the scope of their responsibilities. Those working around him/her are the most likely to notice something is amiss, so having a communication channel in place for reporting such concerns is very important.
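The "accessing data at odd times" check can be automated by joining an access audit log with the HR leave calendar. The sketch below is an added example, not part of the original article; the log format, leave records, user names and the 07:00 to 20:00 working window are all constructed assumptions.

```python
import csv
import io
from datetime import date, datetime, time

# Constructed sample: HR leave calendar (inclusive start and end dates).
LEAVE_CSV = """user,start,end,kind
asmith,2024-03-04,2024-03-08,holiday
bjones,2024-03-06,2024-03-06,sick
"""
# Constructed sample: file-access audit log (timestamp, user, resource).
ACCESS_LOG = """2024-03-05T10:14:00 asmith /finance/payroll.xlsx
2024-03-05T11:02:00 cwu /eng/design.docx
2024-03-06T23:41:00 bjones /hr/contracts.zip
2024-03-07T02:17:00 cwu /finance/forecast.xlsx
2024-03-11T09:30:00 asmith /finance/payroll.xlsx
"""
WORK_START, WORK_END = time(7, 0), time(20, 0)  # assumed working window

def load_leave(text):
    """Map each user to a list of (start, end, kind) leave spans."""
    leave = {}
    for row in csv.DictReader(io.StringIO(text)):
        span = (date.fromisoformat(row["start"]),
                date.fromisoformat(row["end"]), row["kind"])
        leave.setdefault(row["user"], []).append(span)
    return leave

def flag_events(log_text, leave):
    """Return access events made while on leave or outside working hours."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, resource = line.split(maxsplit=2)
        ts = datetime.fromisoformat(ts_raw)
        reasons = [f"on {kind} leave"
                   for start, end, kind in leave.get(user, [])
                   if start <= ts.date() <= end]
        if not (WORK_START <= ts.time() < WORK_END):
            reasons.append("outside working hours")
        if reasons:
            findings.append((ts_raw, user, resource, reasons))
    return findings

if __name__ == "__main__":
    for finding in flag_events(ACCESS_LOG, load_leave(LEAVE_CSV)):
        print(finding)
```

Each finding is a lead for a human reviewer rather than proof of wrongdoing; on-call staff and shift workers would need their own working window.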
Employees need to understand that the company reserves the right to monitor activity on company-provided equipment and networks. A clear Acceptable Use Policy takes the guesswork out of what is appropriate use of the organisation’s data. Once the policy is in place, employees need to be educated and trained, and finally need to sign and agree to it. The process of initiation, education and pledge is important in fostering a sense of engagement and accountability in the workforce. The SANS Institute offers a sample Acceptable Use Policy that is available without copyright restrictions.
The Acceptable Use Policy needs to be an ethos to live and work by, not an episode of form-filling that gets forgotten about. Providing ongoing training and ensuring top-down buy-in both highlights how seriously the organisation takes data protection and acts as a deterrent.
When an employee leaves the company, this should automatically set off a series of security measures. Disgruntled employees are a key source of security breaches. Even if the parting is amicable – and often it is not – employees leaving the company may be tempted to take information with them to their next employer. When an employee leaves the company, immediately terminate all employee accounts. Remove employees from all access lists, and ensure they return all access tokens and any other means of access to secure accounts.
Similarly, the procedure needs to extend to third parties such as contractors or partner organisations. Finally, remind the departing employee of their legal responsibilities to keep data confidential and dust off their signed Acceptable Use Policy or other confidentiality agreement.
Ensure the right levels of protection exist for sensitive corporate data and revisit the lists of who has access to what. Passwords, multi-factor authentication and encryption should all be used depending on the sensitivity of the information. These security measures need to be teamed with regular reviews of the access privileges of employees. Access rights should operate on the basis of ‘least privilege.’ That is to say, grant each user access to systems, applications and data based on the minimum required by their position. Additional access can be granted if necessary. The flip side of this process is also important – terminate accounts that are no longer needed or scale back access once a project is finished.
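The leaver procedure and the periodic access review described above both reduce to reconciling the account directory against the HR roster and a per-role baseline. The following is an added example, not part of the original article; the roster, role baselines, account records, group names and the 90-day staleness threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data: HR roster, minimum groups per role, directory export.
HR_ROSTER = {
    "asmith": {"role": "finance-analyst", "status": "active"},
    "bjones": {"role": "hr-officer", "status": "left"},
    "vendor-kl": {"role": "contractor", "status": "active"},
}
ROLE_BASELINE = {
    "finance-analyst": {"finance-read"},
    "hr-officer": {"hr-read", "hr-write"},
    "contractor": {"project-x-read"},
}
ACCOUNTS = [
    {"user": "asmith", "enabled": True,
     "groups": {"finance-read", "hr-read"}, "last_login": date(2024, 3, 1)},
    {"user": "bjones", "enabled": True,
     "groups": {"hr-read", "hr-write"}, "last_login": date(2024, 2, 20)},
    {"user": "vendor-kl", "enabled": True,
     "groups": {"project-x-read"}, "last_login": date(2023, 10, 2)},
    {"user": "svc-old", "enabled": True,
     "groups": {"finance-read"}, "last_login": date(2024, 3, 10)},
]

def review_access(accounts, roster, baseline, today, stale_days=90):
    """Return (user, finding) pairs for enabled accounts that need action."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "no owner in HR roster"))
            continue
        if person["status"] != "active":
            findings.append((user, "leaver account still enabled"))
            continue
        # Least privilege: anything beyond the role's minimum set is flagged.
        extra = acct["groups"] - baseline.get(person["role"], set())
        if extra:
            findings.append(
                (user, "beyond role baseline: " + ", ".join(sorted(extra))))
        if (today - acct["last_login"]).days > stale_days:
            findings.append((user, f"no login for over {stale_days} days"))
    return findings

if __name__ == "__main__":
    for user, finding in review_access(
            ACCOUNTS, HR_ROSTER, ROLE_BASELINE, date(2024, 3, 15)):
        print(user, "->", finding)
```

Run on a schedule, the same reconciliation catches contractor and partner accounts that outlive their project as well as employees who have left.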
Guarding against insider attacks is a fine balancing act. You need to maintain a happy, productive workforce but not an “anything goes” attitude. Technology solutions can set the parameters for access privileges but this is only one part of the solution. Employees need to know what constitutes acceptable information sharing and know how to sound the alert if something is amiss.
Behind the Scenes
Established in 1999, Credence Security, previously ARM, the region’s speciality distribution company, specializes in IT security, forensics and incident response. Working closely with leading IT security vendors including AccessData, Fidelis CyberSecurity, eSentire and Digital Guardian, Credence Security delivers cyber and IT security technologies and solutions that protect organisations against advanced persistent threats, malicious adversaries and internal malpractice.