Beware the threat from within: How to deal with insider threats

IT security professionals and C-suiters are well aware of the threat from hackers. Cyberattacks have been all over the news recently. Major security breaches have resulted in millions of files being stolen. Patient health records have been targeted with the cyberattack on Anthem Inc., the largest ever healthcare data breach ever recorded. That cyberattack, discovered in February this year, involved the theft of 78.8 million health insurance subscriber records.

Target was attacked last year and hackers managed to obtain the credit card details of an estimated 110 million customers. The finance industry was also hit hard in 2014, with 83 million J.P. Morgan Chase accounts compromised by hackers.

Cybersecurity defenses naturally need to be put in place, monitored, and bolstered to deal with the ever changing threat landscape. However, it is important not to forget the threat from within. Malicious insiders can be just as dangerous, and often more so than hackers. Just ask the NSA. They know all too well how dangerous insiders can be. Edward Snowden managed to steal and release data that has caused considerable embarrassment. In his case, he wanted the world to know what the NSA was up to. The NSA had gone to great lengths to make sure that what occurred behind its walls stayed secret.

Malicious insiders are often individuals who have been given access to patient and customer records, as well as the intellectual property of corporations, company secrets, product development information and employee databases. They are therefore potentially able to steal everything. The harm that can be caused by malicious insiders is therefore considerable.

It is not just theft of data that is a problem. Insiders may use their access to computer systems to defraud their employers, destroy data, or install malware and ransomware. Unfortunately, tackling the threat from within is a much more difficult task than preventing external attacks.

Bear in mind that insiders are not necessarily employees. They can include business partners and associates, contractors and past employees.

Which insiders pose the biggest threat

Unfortunately, any employee can steal corporate secrets and data; but the potential for damage increases as privilege levels increase. In a hospital, a physician may only have access to his or her caseload of patients. It may be possible for that physician to access the records of other patients of the facility, but not without triggering alarms. Those alarms may not be klaxons, but a flag would be raised that would alert anyone checking access logs that there may be some inappropriate activity.

A member of the IT department may have the highest level of privileges, and could potentially access huge quantities of data. One member of the IT department may not have access to everything, but in theory – and sometimes in practice – they could elevate their privileges for long enough to gain access to the data they require.

Recent research conducted by the United States Computer Emergency Readiness Team (CERT) shows that half of insider security breaches are conducted by individuals who have access to data. These individuals already have the authority to access systems containing valuable data. If you do not deal with insider threats, it is only a matter of time before a security breach is suffered.

It can be difficult to identify insider threats. Some say “it’s always the quiet ones,” but in reality, there is no way of being 100% certain which employees will steal data or sabotage systems. There are many potential reasons why an individual may decide to steal or delete data. Employers must therefore be aware of the risk and take action to mitigate that risk as far as is possible.

CERT research is useful in this regard. Studies have shown that that security breaches and data theft are most likely to occur in the time leading up to an employee leaving employment, and shortly after that employee has left – typically, a month either side of leaving a company.

As soon as an employee hands in his or her notice, place alerts on their accounts and conduct audits. If a worker is disgruntled or is unhappy at work, this could be a sign that they are looking for employment elsewhere and it would be wise to keep a close check on data access. It is a wise precaution to lower account privileges shortly before an employee leaves and to ensure that access is blocked as soon as they do. Many companies are a little lax when it comes to closing accounts and may not block access immediately.

Fortunately, risk can be managed. Adopt the following best practices to help you deal with insider threats and you will limit the opportunity for an insider to steal or delete data. You will also limit the damage that can be caused.

Best practices to deal with insider threats

  • Minimum necessary information – Only give access to data critical for an individual to perform regular work duties
  • Provide temporary access as appropriate – If tasks need to be conducted to perform atypical duties, temporarily escalate privileges to allow the task to be conducted and then lower those privileges when the task has been completed
  • Monitor access to resources – Implement a system that monitors and logs access to data and regularly audit access logs to check for inappropriate activity
  • Control access to physical resources – Restrict access to confidential files, stored backups, old computer equipment, and servers. Keep them under lock and key.
  • Separation of duties – Restrict access as far as is possible: Do not assign full access to one individual, only allow part of a system to be accessed by a single employee. Use Privileged Access Management (PAM). This will limit the damage that can be caused.
  • Implement policies and controls – Make sure these are communicated to all staff members.
  • Restrict file transfers – As far as is possible, put controls in place to prevent data from being copied or exfiltrated. Prevent certain file types from being emailed outside the company and block peer-to-peer file sharing websites
  • Encryption – Employ encryption for all stored data and control who is able to unencrypt files. Always protect data at its source.