Insider threats have a special place in the cybersecurity hall of shame. No one likes to think that their colleague is out to get them, but unfortunately, this type of threat to organizational security is all too real.
And even the biggest companies can be affected. In May of this year, Coca-Cola admitted to a breach affecting the personal data of over 8000 employees. A former employee had stolen a hard drive containing the data.
It would be nice to say this was an unusual event, but the statistics disagree. In its 2018 Insider Threat Report, technology vendor CA Technologies found that 53% of respondents had suffered an insider breach during 2017, and 27% saw an increase in the frequency of these types of incidents.
But just what is an insider threat? And who perpetrates them?
What is an Insider Threat?
Insider threats don’t have to be malicious; accidents happen, people make mistakes. As a general principle, there are two main categories that insider threats fall into:
Malicious Insiders – Those Who Set out to Do Harm
This is the more traditional image of the “insider” and covers areas as diverse as industrial espionage and plain computer damage. I have personally come across a number of people in the latter category. These can be employees with high levels of computing skills, often being programmers or IT administrators, who purposely installed malware onto computers after they left a company.
Malicious insiders cost companies money too. Sage, a software vendor, experienced an insider threat which affected hundreds of their customers and wiped 4% off their share value.
Accidental Insiders – Those Who Do Harm Without Intent
Accidental insiders may not be malicious, but the harm they cause can be as bad. Gemalto has described 2017 as the “The Year of Internal Threats and Accidental Data Breaches.” And accidental data breaches aren’t always about a laptop left on a train: an employee of Accenture inadvertently exposed highly-sensitive data, passwords and encryption keys by not properly securing a folder on an Amazon Web Services storage bucket.
In a similar event, an exposé of how people use the collaboration tool Trello found that users were inadvertently placing passwords on Trello boards in plain text for colleagues to use. A simple Google search for “passwords Trello” turned up a number of such password exposures.
Being Aware of Insider Threats
So how do we prepare ourselves to stop both types of insider threat? The answer is that there is no single solution to what is a highly complex issue. Certain technologies can be deployed to mitigate the risks of insiders; these include intrusion detection, Data Loss Prevention (DLP), encryption and SIEM tools. Some of these tools help spot anomalous behavior and alert an organization to an issue before it becomes a problem. But with human-based security issues, such as those posed by insiders, any cybersecurity strategy should always be augmented with a human-centered approach. Cybersecurity awareness is now, more than ever, a key component of an organization’s security strategy.
There are three aspects to creating insider threat awareness across the organization:
- The Culture. Cybersecurity is now, unfortunately, part of our everyday lives. It is a regular big news item on the mainstream channels, with big names such as Equifax, Uber and Yahoo making us sit up and take notice on data breaches. Now that cybersecurity has crossed over into mainstream cultural awareness, it also has to sit firmly in our corporate culture. Building a culture of security within your organization starts with awareness.
It’s ultimately about being proactive against cyberthreats, taking the problem on by standing together against it. A culture of security pervades every aspect of an organization, from the time of recruitment through to the final goodbyes. This lifecycle approach is particularly important for containing insider threats.
One area of this culture that needs to be tackled is the thorny issue of feeling like a snitch if you inform on suspicious activity of a colleague. The right approach is to make sure everyone feels they are in the same boat, together. Only then will it feel positive, at a group level, to point out possible misdemeanors by colleagues.
- The Policy. The inclusion of insider threats in enterprise security policies goes without saying. Best practices in managing the threat of insiders should be pervasive throughout the policy. A good place to start in working out what these best practices are is CERT’s “Common Sense Guide to Mitigating Insider Threats.” The guide sets out a framework for formalizing a threat-management program and shows how to enforce policies controlling insider threats. It also looks at everything from hiring to firing and everything in between, giving advice and offering measures to manage the various insider issues.
- The Training. Awareness is crucial in recognizing the patterns of insider threat and preventing accidental data breaches and resource exposure/damage. Security awareness training is something that can be applied across the entire organization and out into our vendor ecosystem too.
One of the most important aspects of the training is to establish a culture of security — that is, develop an ethos where security is everyone’s responsibility. Training is not a one-off exercise. Security awareness, like the security threats it represents, is a changing goalpost. Awareness training is therefore ongoing, keeping everyone up to date with new threats and new issues.
One of the biggest issues in dealing with an insider is that the very nature of the threat means it could well be a colleague that is accidentally, or even maliciously, causing damage.
We need to overcome our concerns and even bias towards this issue; accept it happens, and be aware of the nature of the threat. By incorporating an understanding of the threat deeply into our policies through awareness training, we can help to reduce this increasingly-worrying security gap.
Sources
- Bleeping Computer, “Coca-Cola Suffers Breach at the Hands of Former Employee”
- City A.M., “Sage leads FTSE 100 fallers after data breach”
- ZDNet, “Accenture left a huge trove of highly sensitive data on exposed servers”
- Gizmodo, “Trello Scrambles To Rescue Users Who Foolishly Used Its Service To Store Passwords”
- CA Technologies, 2018 Insider Threat Report
- Gemalto, Breach Level Index
- The CERT Insider Threat Center, Common Sense Guide to Mitigating Insider Threats