Top 5 Ways to Identify and Address Insider Threats
A recent report commissioned by CA Technologies threw up some very interesting and alarming data about the threats that an insider can pose to an organization. The report found that:
- 90% of organizations felt that insiders were a serious threat
- 53% had experienced an insider attack in the last 12 months
- 55% of the threat came from privileged or IT users
- 57% identified business confidential data as being the target of an insider threat
One of the biggest problems with an insider threat is that it is just that — an insider. An insider can be a work colleague, a freelancer, someone from head office or a worker from a partner company. An insider is, by definition, anyone who has an intrinsic or close connection to an organization.
Insiders can be accidental or malicious. And not all malicious insiders know they have become an insider threat — they are, instead, “proxy insider threats,” being used by malicious outsiders to get inside the business.
It is a complicated business to spot an insider and to then deal with them. This article will look at some ways to check if Jan from Accounts is after your data.
5 Ways That Insiders Become Threats and How to Deal With Them
The best way to know if an insider will become a threat is to know where the threats lie. Understanding the drivers behind a data breach or IT sabotage offers you an insight into the types of indicators and behavior that foretell trouble ahead.
1. The Leaver
The Problem: McAfee reports that 43% of data breaches start with an insider. Sometimes the issue begins just as the insider leaves. The case of Jason Needham demonstrates this well.
Mr. Needham worked for the Allen and Hoshall engineering firm but left in 2013 to start up his own company. It was later found that Needham continued to access email accounts and file servers for two years after he left the firm. He stole engineering schematics and highly sensitive company data. During the trial, he reportedly said he stole the information to gain a “competitive edge” in his new endeavor.
The Signs: A good practice is to understand where an employee is going when they leave your organization. Most people are trustworthy. However, it only takes one person to steal your client database and use it competitively to cause a major issue.
Dealing With It: Make sure that access to IT resources is removed for all persons leaving an organization. This includes employees of business partners who may have been given privileged access.
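One way to check that leaver access really has been removed is to reconcile the HR leaver list against directory state and authentication logs. The following is an added example, not part of the original article; the user names, log format and field layout are constructed for illustration.

```python
from datetime import date, datetime

# Constructed sample data: HR leaver list (employees and partner staff) and directory state.
LEAVERS = {
    "jdoe": date(2023, 3, 31),
    "partner-kim": date(2023, 6, 15),
    "asmith": date(2023, 9, 1),
}
ACCOUNT_ENABLED = {"jdoe": True, "partner-kim": False, "asmith": False, "blee": True}

# Constructed authentication log: ISO timestamp, user, service, outcome.
AUTH_LOG = """\
2023-03-30T09:12:00 jdoe mail success
2023-04-02T22:41:10 jdoe mail success
2023-05-19T23:05:44 jdoe fileserver success
2023-06-20T08:00:03 partner-kim vpn failure
2023-08-30T10:15:00 asmith mail success
2023-09-03T10:15:00 blee mail success
"""

def parse_auth_log(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, user, service, outcome = parts
        yield datetime.fromisoformat(ts), user, service, outcome

def audit_leavers(leavers, enabled, log_text):
    """Return findings: leaver accounts still enabled, plus any
    authentication attempt dated after the leaver's last day."""
    findings = []
    for user, last_day in sorted(leavers.items()):
        if enabled.get(user, False):
            findings.append((user, "account-still-enabled", str(last_day)))
    for ts, user, service, outcome in parse_auth_log(log_text):
        last_day = leavers.get(user)
        if last_day is not None and ts.date() > last_day:
            kind = "post-departure-login" if outcome == "success" else "post-departure-attempt"
            findings.append((user, kind, f"{service} {ts.isoformat()}"))
    return findings

if __name__ == "__main__":
    for finding in audit_leavers(LEAVERS, ACCOUNT_ENABLED, AUTH_LOG):
        print(*finding, sep="\t")
```

Failed attempts against a disabled account are reported as well as successes, since they show a former insider still trying the door.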
2. Bad Behavior
The Problem: Good people can become insiders because of a single event or a series of events that make them disgruntled in their work. In the earlier mentioned McAfee report, disgruntled employees were seen as the second-biggest threat to data loss in an organization. The reasons for being unhappy enough to become a threat to your workplace include salary niggles, poor management and being overlooked for promotion. In cases where employees have developed a grudge against a company, often the first sign there is an issue is in behavioral changes.
The Signs: Disgruntled behavior can be expressed in many ways. Signs include productivity issues such as doing the bare minimum, withdrawal from other workers and managers, and expressions of anger. Disgruntled employees may not always be malicious, but an unhappy employee can also be a sloppy employee — thus leading to accidental insider threats.
Dealing With It: Building a team is a skill and maintaining a happy and cohesive team is an ongoing exercise. In terms of cybersecurity and insider threats, engaging your team in security awareness training can help to prevent accidental cyber-incidents — it can also give non-disgruntled employees the tools to recognize unusual and potentially damaging behavior.
To protect your organization against a malicious disgruntled insider, you can augment training using technological measures. This can include ensuring that privileged access is on a need-to-know basis. You can also use Data Loss Prevention (DLP) technologies to prevent data loss through errant emails and upload of documents to cloud applications.
3. The Poacher
The Problem: Loss of intellectual property (IP) is a major issue. In the U.S., the total losses have been estimated by McAfee to be up to $12 billion per year. Employees of firms where IP is valuable are at risk of being poached for their information.
This was the case of Dejan Karabasevic. Dejan was recruited by a competitor to the engineering firm he worked for. In doing so, he handed over source code for a proprietary technology the firm had been working on. It caused $800 million in losses for the firm.
A survey by the Computer Emergency Response Team (CERT) found that 48% of insider threats were due to insider collusion, i.e., cases where an employee is poached.
The Signs: This can be a very difficult insider threat to spot because the individual perpetrating the crime will usually be backed by a competitor. They will take great care not to cause suspicion.
Dealing With It: As with The Leaver, you must remove any privileged access once an individual leaves your organization. Importantly, this type of insider threat can be mitigated by using technology that spots errant and unusual behavior. Logging and Security Information and Event Management (SIEM) platforms can be configured to alert administrators when unusual behavior is spotted. These systems can identify actions such as privileged account misuse and exfiltration of data.
4. The Accident
The Problem: Accidents happen, with reports indicating that accidental or negligent behavior is behind 75% of insider threats. These types of insiders may be accidental, but they can still cause a major cybersecurity incident. User negligence includes not being prepared to spot and deal with a phishing attempt. This was the case when RSA was a target for a phishing campaign. Employees clicked on a malicious link in the phishing email, resulting in the loss of 40 million employee records.
The Signs: Often you won’t notice this insider threat until it becomes an incident.
Dealing With It: Employees need to have an ongoing program of cybersecurity awareness training. This should include phishing simulations to teach staff how to spot the signs of a phishing email. This type of training changes behavior. It helps to create a culture of security where everyone is aware of the role they play as individuals in maintaining a cyber-safe workplace.
5. Second Helpings
The Problem: There is a subsection of insiders related to “Bad Behavior” who carry out fraud to supplement their income. A Gartner report found that 62% of insider threats were due to what they termed “Second Streamers.”
The Signs: This is another insider that is hard to spot because they often work using stealth. This person is supplementing income, so they want the fraud to continue for the long term and to make sure they don’t lose their day job.
Dealing With It: The actions of this insider are hard to spot and may well go under the radar of managers and other team leaders. Using technologies such as SIEM and Data Loss Prevention (DLP) measures can help to mitigate the impact of those looking for second helpings.
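The SIEM alerting on unusual behavior mentioned under The Poacher and Second Helpings can be sketched as a per-user baseline rule for outbound data volume. This is an added example, not part of the original article; the users, volumes and thresholds are constructed assumptions, and median plus a multiple of the median absolute deviation (MAD) is just one possible definition of "unusual."

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000
# Constructed sample: daily outbound megabytes per user, as a SIEM might
# aggregate from proxy or DLP logs. "bob" routinely moves large volumes.
SAMPLE_MB = {
    "alice": [120, 100, 140, 110, 130, 125, 2400],
    "bob": [900, 1000, 1100, 950, 1050, 1000, 1200],
}
DAILY_EGRESS = [(f"2024-05-{d + 1:02d}", user, mb * MB)
                for user, series in SAMPLE_MB.items() for d, mb in enumerate(series)]

MIN_HISTORY = 5        # assumption: days of history needed before judging a user
K = 6                  # assumption: MADs above the median that count as unusual
MAD_FLOOR = 10 * MB    # assumption: avoids alerts when history is nearly constant

def egress_alerts(rows, min_history=MIN_HISTORY, k=K, mad_floor=MAD_FLOOR):
    """Flag (day, user, bytes, threshold) where a user's outbound volume exceeds
    that user's own baseline: median + k * MAD of their earlier days."""
    history = defaultdict(list)
    alerts = []
    for day, user, sent in sorted(rows):
        past = history[user]
        if len(past) >= min_history:
            med = median(past)
            mad = max(median(abs(x - med) for x in past), mad_floor)
            threshold = med + k * mad
            if sent > threshold:
                alerts.append((day, user, sent, threshold))
                continue  # keep the outlier out of the baseline
        past.append(sent)
    return alerts

if __name__ == "__main__":
    for day, user, sent, threshold in egress_alerts(DAILY_EGRESS):
        print(f"{day} {user}: {sent / MB:.0f} MB sent, baseline limit {threshold / MB:.1f} MB")
```

A fixed 1 GB limit would alert on bob every day and still be tuned too loosely for alice; judging each user against their own history flags only alice's 2.4 GB day.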
Want to read more? Check out some of our other articles, such as:
- Insider Threats: Friend or Foe?, CA Technologies
- Grand Theft Data, McAfee
- Tennessee Man Pleads Guilty to Unauthorized Access of Former Employer’s Networks, Department of Justice
- The Many Forms of IP Theft Add Up to Big Losses, McAfee
- China’s Sinovel convicted in U.S. of trade-secret theft, Reuters
- The Frequency and Impact of Insider Collusion, Insider Threat Blog (CMU)
- GTIC 2017 Q3 Threat Intelligence Report, NTT Security
- The RSA Hack: How They Did It, The New York Times
- Our “Understanding Insider Threats” Paper Publishes, Gartner Blog Network