CTO insights: Defending your organization from insider attacks
If you’ve read enough crime novels or seen enough action movies, the plot is all too familiar to you: an insider – acting to correct some slight or insult he or she received years ago – turns against an organization and inflicts significant damage. Sometimes the insider is on the side of the good guys, sometimes on the bad guys.
This makes perfect sense. An insider knows exactly how an organization does things, what they consider valuable, and how they will respond to an attack. Who else would be better to carry out an attack than an insider?
However, that assumes that an “insider threat” is by design. Fortunately, most people are not out to destroy the organization they belong to. Most people want the group that they are part of to succeed and do well. Unless you’re in an organization that deals with national security, this is probably something you don’t have to worry about.
The problem is that not all “insider threats” are deliberate. “Insiders” could end up leaking information to attackers inadvertently. Social media has provided users with many new and interesting ways to communicate, and unfortunately sometimes this includes confidential information that shouldn’t be communicated.
If people are already leaking information online, what more if you have a social engineer trying to squeeze information from others? Social engineering can be defined as the art of getting others to do what you want. It’s an art that’s been practiced in one way or another for thousands of years, so it shouldn’t be a surprise that threat actors have become very good at it.
Almost all targeted attacks begin with some form of social engineering. While it is not a simple task, you can – and should – attempt to defend against these types of attacks.
There are two ways that an organization can defend against these attacks, but these ways are not mutually exclusive. First, there are technical means of defense. For example, email blocking can help prevent attacks that are designed to impersonate other parties (such as banks or other trusted organizations.) Heuristic- and email reputation-based solutions are useful in this regard.
The second way is to harden your users. Teach them to be more careful, vigilant, and aware of the threats going on today. Make sure that instead of just ignoring these attacks, they report them to your own security team so that the entire organization can stay aware of what’s going on.
Even more important than how to protect data is deciding what data to protect. It is difficult, if not impossible, to protect everything. What you need to decide is: what matters most to your organization and needs to be protected? I would recommend using three categories:
1. Data which is not sensitive
2. Data which has a negative impact on your organization if leaked
3. Data which destroy your business if leaked.
This organization sounds simple, but a lively debate is likely to ensue when classifying which data goes in what category. However, this is necessary: you need to figure out what is really important and what is core to your organization. Protect that first before anything else.