Have you ever heard of Edward Snowden? How about the semi-recent Waymo/Levandowski saga? These are both examples of insider attacks. While these are high-profile examples, there are also hundreds, thousands, dare I say millions more out there that are never reported in mainstream media. Talk to a lot of security professionals and a great many of them will say that insider threats are the biggest security threat facing organizations today.
What is an Insider Threat in Cyber Security?
With all the news about breaches and hacks these days, one may think that external malicious attackers are the number one risk to an organization, but I would like to claim that the number one risk is your own employees, and there is data to back this up.
When one thinks of an insider threat, they usually picture an angry ex-employee or a spy out to do harm, but there are multiple types of insider threats. They range from the careless employee to that previously mentioned spy. An insider threat is a threat to an organization from employees, former employees, contractors, or business associates. These users have inside knowledge of the organization’s security practices, data, and computer systems. Insiders can be either malicious or unknowing in their motivations.
- The Unskilled – These are trusted employees that have access to privileged data or systems but do not really have the skills or knowledge to manage them securely. For example, it may be a system admin that has never worked on web servers before but is asked to implement a new web portal and is not familiar with how to harden the server.
- The Careless – These are trusted employees that are not out to harm the company but are either looking to make their job easier (emailing a DB file to their home computer to work offline or setting up a group account so everyone can access a tool or data) or are just not paying attention (picking up a USB drive on the ground and plugging it in or clicking on a phishing email).
- The Angry – These are trusted employees that are out to intentionally try to harm the organization. They are usually disgruntled and don’t feel the company values them (i.e. low pay, passed up for a promotion, or not recognized).
- The Outgoing – Nope, not outgoing as in fun and exciting, but outgoing as they are trusted employees that are planning to leave the organization and are acting for their own personal gain. This is very common in financial or commercial institutions where an employee takes the client list or grabs intellectual property before taking off.
- The Spy – These are trusted employees that were either planted at an organization to steal intellectual property, money, clients, etc., or were decent employees who were recruited or intimidated into handing over data they have access to for fortune, fear, and/or glory.
Each one of these types of insiders can pose a serious threat to the organization, so understanding their motives, the access they hold, and the controls that mitigate them is needed to reduce the risk of a breach or attack.
Some Scary Insider Threat Statistics
Before I get into how to protect against insider security threats, I wanted to provide some statistics on insider threats to show that they are a major risk to organizations but are also among the least monitored and protected against.
- 62% of business users report they have access to company data that they probably shouldn’t see, according to the Ponemon Institute.
- While a little out of date now, an IBM® X-Force® report in 2014 found that insiders were responsible for 60% of attacks. Of those, 23.5% were inadvertent actors.
- Also, in the IBM X-Force Threat Intelligence Index of 2017, IBM identified that 58% of attacks against financial services and 71% of attacks against health care organizations were from malicious insiders or inadvertent actors.
- 34% of respondents indicated that they have suffered actual insider incidents or attacks, and only 9% of those surveyed ranked their insider prevention methods as very effective, per SANS.
- Forty-five percent of IT executives say attacks from malicious insiders are one of the email security risks they are most ill-prepared to cope with, according to a study by Mimecast.
Cost of Insider Threats & Attacks
Insider attacks are not cheap – no attacks and breaches are – but they are the cause of some of the biggest security breaches on record. The true cost of a major security incident is not easy to determine, but according to the 2018 Insider Threat Report the most common estimate, given by 27% of respondents, is a range of $100,000 to $500,000 per successful insider attack. Twenty-four percent expect damages to exceed $500,000. How much would it cost your organization if a disgruntled employee took your client data and gave it to a competitor, or if an admin short on time forgot to check a security control, leading to a breach of your client data?
Causes of Insider (User) Threats
There are many causes of insider threats. These can range from an employee who accidentally clicked on a phishing email, to a privileged user who subverts security controls because they slow them down, to terminated users who are angry and just want to watch the world burn. The key is that all employees can pose a threat, and the organization must be diligent in order to protect against everything from an honest mistake to malicious activity.
Insider threats are hard to detect and are also hard to protect against. When employees legitimately have access to data or are privileged admins, how do you tell an internal attack from an external attack or from standard business? Below is a high-level list of possible ways to mitigate the risk of insider threats. If you want to know more about any of these topics, please feel free to leave a comment.
- Enhanced employee screening – Make sure you are doing background checks, calling references, and verifying the person is who they say they are.
- Limit Access – Don’t give the “keys to the kingdom” or excessive privileges to everyone. Only provide access to locations, applications, and data to the role/persons that require access to that data.
- Security Training and Awareness – Train and test your employees to make sure they understand the security risks.
- HR Complaints and Behavior – Follow up on HR complaints and monitor staff behavior. If you are aware a person is disgruntled, follow up to make sure it is not going to get out of control.
- Risk Assessment/Management Program – Build and define a risk management program.
- Termination Process – When a person is terminated, make sure ALL access is removed right away: accounts, VPN, badges, shared credentials the person knew, and API keys they held. Ideally you remove the access while the person is getting the bad news.
- Policies – Define acceptable use and social media policies. While these will not protect you against an attack, they may help if you decide to prosecute. They also add one extra layer when a person tries to rationalize what they are doing: they can no longer say that they were never told not to do something.
- Enforce Separation of Duties – If possible, enforce separation of duties through peer reviews and approvals for changes to the system. For example, don’t allow code to be added to production if an approval has not been provided.
- Auditing and Monitoring – Enable auditing of data access, user access, privileged user actions, etc. Also, since you will now be inundated with logs, implement a log correlation tool that can sift through them looking for that needle in the haystack, and pair the logs with context such as the HR roster and the approved-access inventory so that a hit actually means something.
- DLP – Implement a Data Loss Prevention (DLP) solution. Also, the key here is to tune it and monitor it. It is not enough just to have one, you must use it.
- Asset and Access Management – Define roles and accesses for those roles. Make sure that each user has the least amount of privilege needed to do their job. Also, review accesses periodically to make sure no one slipped through the cracks or set up a privileged account without approval.
- Backup/Recovery Procedures – Make sure you have good backups and can recover the data in case an employee deletes it all on their way out or changes settings without approval.
- Vulnerability Assessments – Perform vulnerability assessments both internally and externally. This can help identify if a configuration was not set correctly or if there are vulnerabilities in the system.
- Configuration and Secure Coding – Like vulnerability testing but for configurations and code. Not all configuration settings are checked by vulnerability scanners, so performing configuration testing is key, ideally with monitoring for changes to the configuration. With secure coding, using a static analysis tool or peer review of code before adding it to production can help identify backdoors or other security concerns.
While there is no magic tool that will guarantee full protection, by properly implementing controls across people, processes, and technology your organization can significantly reduce both the risk of falling victim to an insider attack and the scope of the damage. Just remember, keep an eye on Bob from accounting (to all Bobs in accounting, I’m sorry).
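To make the Termination Process, Auditing and Monitoring, and Asset and Access Management bullets concrete, here is an added example (written for this page; it is not a tool the author or Linford & Co. provides) of the kind of correlation a log analysis tool should do. It joins three constructed data sets, an HR roster, an access inventory from the identity system, and a few audit log lines, and flags four things: activity from an account whose owner was already terminated, privileged grants with no approval ticket, a user exporting an unusual volume of data in one day, and accounts HR has never heard of (such as a hand-made group account). All names, dates, paths and ticket numbers are invented for the example.

```python
"""Added example: insider-threat triage by correlating an HR roster, an
access inventory and audit log lines. Every record below is constructed
for illustration; nothing here comes from a real system."""
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster: who works here, their role, and a termination
# date if they have left. 'bjones' left on 2024-03-01.
HR_ROSTER = {
    "asmith": {"role": "developer", "terminated": None},
    "bjones": {"role": "accounting", "terminated": "2024-03-01"},
    "cwong": {"role": "dba", "terminated": None},
    "dlee": {"role": "helpdesk", "terminated": None},
}

# Constructed access inventory from the identity system: privileged
# grants and the change ticket that approved each one (None = no ticket).
ACCESS_INVENTORY = [
    {"user": "cwong", "privilege": "db_admin", "approval": "CHG-1041"},
    {"user": "dlee", "privilege": "domain_admin", "approval": None},
    {"user": "asmith", "privilege": "prod_deploy", "approval": "CHG-0990"},
]

# Constructed audit log: "<timestamp> <user> <action> <object>".
AUDIT_LOG = """\
2024-02-27T17:55:09 bjones LOGIN vpn
2024-03-04T09:12:03 asmith READ crm/customers.csv
2024-03-04T09:15:41 bjones LOGIN vpn
2024-03-04T09:16:02 bjones READ crm/customers.csv
2024-03-04T09:16:20 bjones EXPORT crm/customers.csv
2024-03-04T10:02:10 cwong READ hr/payroll.db
2024-03-04T10:03:11 cwong EXPORT hr/payroll.db
2024-03-04T10:03:12 cwong EXPORT hr/payroll.db
2024-03-04T10:03:14 cwong EXPORT hr/payroll.db
2024-03-04T11:40:00 svc_shared READ crm/customers.csv
2024-03-05T08:01:00 asmith EXPORT src/release.tar
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, obj = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj})
    return events


def terminated_user_activity(events, roster):
    """Events from accounts whose owner's termination date has passed.
    Any hit means offboarding did not remove the access. Activity from
    before the termination date is normal and is not flagged."""
    hits = []
    for ev in events:
        person = roster.get(ev["user"])
        term = person["terminated"] if person else None
        if term is not None and ev["ts"].date() >= date.fromisoformat(term):
            hits.append(ev)
    return hits


def unapproved_privileges(inventory):
    """Privileged grants with no approval ticket: the access-review catch
    for an admin account that was set up without going through the process."""
    return [g for g in inventory if not g.get("approval")]


def export_spikes(events, threshold):
    """Users whose EXPORT count on a single day reaches the threshold,
    keyed as 'user@date'. The threshold is a tuning knob, as with DLP."""
    per_day = defaultdict(int)
    for ev in events:
        if ev["action"] == "EXPORT":
            per_day[(ev["user"], ev["ts"].date())] += 1
    return {f"{u}@{d.isoformat()}": n for (u, d), n in per_day.items()
            if n >= threshold}


def unknown_accounts(events, roster):
    """Accounts that appear in the logs but not in HR's roster, e.g. a
    shared or service account someone created to make their job easier."""
    return sorted({ev["user"] for ev in events if ev["user"] not in roster})


def triage(log_text=AUDIT_LOG, roster=HR_ROSTER, inventory=ACCESS_INVENTORY,
           export_threshold=3):
    """Run all four checks and return the findings by category."""
    events = parse_log(log_text)
    return {
        "terminated_activity": terminated_user_activity(events, roster),
        "unapproved_privileges": unapproved_privileges(inventory),
        "export_spikes": export_spikes(events, export_threshold),
        "unknown_accounts": unknown_accounts(events, roster),
    }


if __name__ == "__main__":
    for category, finding in triage().items():
        print(category, finding)
```

Run as-is, the script reports three post-termination events for bjones (the 27 February VPN login, from before the termination date, is correctly ignored), the unapproved domain_admin grant for dlee, cwong's three payroll exports on 4 March, and the svc_shared account that HR has no record of. In a real deployment the roster and inventory would be pulled from the HR and identity systems rather than hard-coded, and the export threshold would be tuned per role so that a DBA's routine backups do not page someone every night.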
For more information regarding how Linford & Company may assist your organization with its compliance needs or provide you with advisory services, see our related organizational auditing services.
Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, GSEC licenses and certifications. Learn more about our company and our leadership team.