Data security in the age of insider threats: A primer
Of course, your employees are diligent, security conscious and loyal. But the real world tells a different story. In one survey, 94% of organizations had suffered an insider data breach in the past year; 84% of them reported breaches caused by human error and 66% reported a malicious leak (the figures overlap because many organizations experienced both). Yet only 28% of IT leaders in the same study named “intentionally malicious behavior” as the type of insider breach that most concerns them. Perhaps most hair-raising of all, 23% of respondents to an employee poll believe they are entitled to take data with them to a new company.
On the last point, one high-profile case illustrated the potential consequences of this behavior: two General Electric employees started a competing company based on trade secrets that they downloaded at work. These two former GE employees ended up with a prison sentence and a $1.4 million fine – a searing reminder that employees do not have the right to take company data to another company.
While most insider data breaches aren’t quite as malicious or blatant, it’s important to prepare for the worst-case scenario.
What drives insider threat?
An insider threat typically refers to potential attacks from users who already hold legitimate access inside the firewall or other network perimeter defenses, whether they sit on-site or connect remotely. Because they are already inside, perimeter controls do not stand in their way. These “threat actors” can include employees, contractors, third-party vendors and even business partners. In other words, anyone with network access. Potential results include fraud, theft of intellectual property (IP), sabotage of security controls, or deliberate misconfigurations that open the door to data leaks.
Of course, not all insider threats come from actual insiders. It’s not hard to imagine instances where, for example, an external party gains access to the physical premises and connects to the network directly, planting a small router or drop box in a discreet location that gives them remote access later. This example raises the importance of on-premises physical security and of detecting unapproved devices as soon as they appear on the network, for instance an unknown MAC address requesting a DHCP lease or showing up on a switch port.
Small devices such as USB memory sticks or Bluetooth transmitters also often pass under the radar. Does your system detect these on insertion? Probably not. This is important because it emphasizes a few key points:
- There is no single security solution to cover every possible threat.
- Insider threats are difficult to pin down without knowing the motivations or patterns of potential attackers.
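As an added example that is not part of the original article, the following Python sketch shows one way to answer the “does your system detect these on insertion?” question for two of the events described above: a USB mass-storage device being plugged into a Linux workstation, and an unknown device obtaining a DHCP lease. It parses the message formats the Linux kernel and the dnsmasq DHCP server actually emit to syslog, but the allowlist of company-issued drives, the asset inventory of known MAC addresses, the hostnames and the log lines themselves are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical allowlist of company-issued encrypted drives, as (idVendor, idProduct).
ALLOWED_STORAGE = {("0781", "5581")}
# Hypothetical asset inventory: MAC addresses of managed devices.
KNOWN_MACS = {"3c:52:82:10:aa:01", "3c:52:82:10:aa:02"}

# Linux kernel messages logged when a USB device enumerates; the port id
# (e.g. "1-2") ties the "device found" line to the later usb-storage line.
USB_FOUND = re.compile(
    r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
USB_STORAGE = re.compile(
    r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)
# dnsmasq DHCP server line: DHCPACK(interface) <ip> <mac> [hostname]
DHCP_ACK = re.compile(
    r"dnsmasq-dhcp\[\d+\]: DHCPACK\(\w+\) (?P<ip>[\d.]+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?"
)


def scan(lines: List[str], allowed_storage=ALLOWED_STORAGE, known_macs=KNOWN_MACS) -> List[str]:
    """Return one alert per unapproved mass-storage insertion or unknown DHCP client."""
    alerts: List[str] = []
    # (host, usb port) -> (idVendor, idProduct) taken from the enumeration line
    pending: Dict[Tuple[str, str], Tuple[str, str]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        host = parts[3]  # syslog layout: "Mon DD HH:MM:SS host program: message"
        if m := USB_FOUND.search(line):
            pending[(host, m["port"])] = (m["vid"], m["pid"])
        elif m := USB_STORAGE.search(line):
            # If the enumeration line was lost (log rotation, dropped messages),
            # still alert: an unidentified storage device is worse, not better.
            vid, pid = pending.get((host, m["port"]), ("unknown", "unknown"))
            if (vid, pid) not in allowed_storage:
                alerts.append(f"{host}: unapproved USB mass storage on port {m['port']} "
                              f"(idVendor={vid}, idProduct={pid})")
        elif m := DHCP_ACK.search(line):
            if m["mac"].lower() not in known_macs:
                alerts.append(f"{host}: DHCP lease to unknown device {m['mac']} "
                              f"({m['ip']}, hostname={m['host'] or '-'})")
    return alerts


# Constructed sample log lines in syslog format, not captured from a real system.
SAMPLE_LOG = [
    "Jun  3 14:02:11 ws-17 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd",
    # company-issued drive: on the allowlist, so no alert
    "Jun  3 14:02:11 ws-17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00",
    "Jun  3 14:02:11 ws-17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected",
    "Jun  3 14:02:12 ws-17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk",
    # a keyboard: enumerates, but is not mass storage, so no alert
    "Jun  3 14:09:30 ws-04 kernel: usb 3-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00",
    # an unknown stick, like the coffee-shop promo drive
    "Jun  3 14:31:05 ws-22 kernel: usb 1-4: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00",
    "Jun  3 14:31:05 ws-22 kernel: usb-storage 1-4:1.0: USB Mass Storage device detected",
    # a managed workstation renewing its lease, then a device nobody inventoried
    "Jun  3 14:35:40 gw dnsmasq-dhcp[812]: DHCPACK(br0) 10.0.5.23 3c:52:82:10:aa:01 ws-22",
    "Jun  3 14:36:02 gw dnsmasq-dhcp[812]: DHCPACK(br0) 10.0.5.77 aa:bb:cc:dd:ee:ff travel-router",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same two rules would run in the SIEM against forwarded logs rather than over a list in memory, and the allowlist and inventory would be pulled from the asset database; the point of the sketch is that both events are already in the logs most organizations collect and go unnoticed only because nobody wrote the rule.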
What motivates an insider threat?
How do we pin down and anticipate the motivations of potential insider threats? For the most part, the type of insider threat actor that applies to your company will depend on your industry, company size, and the scope of your IT infrastructure. Let’s look at a few of the most common drivers:
1. Human error: Most companies deal with human error, where the actor has no malicious intent. They may not be aware that their actions compromise security (especially if their role doesn’t involve technical know-how), or they may just be careless.
2. Lack of clarity about responsibility for securing data: As many IT pros can attest, some users need more help than others to take security seriously. Senior executives are infamously cavalier in their attitude to security, believing IT procedures don’t apply to them. They’re “focused on the Big Picture.” (Insert audible sigh.) Suffice to say, it’s critical for all employees to take responsibility and ownership of security. Execs especially must lead by example when it comes to security awareness.
3. Malicious intent: Malicious insiders, however, are another story. Their goals are often very simple: to sell the data they acquire or profit (in conjunction with an external party) from reconfiguring security assets for remote access. Disgruntled employees, like those who failed to get that pay raise, promotion, or due recognition (ever had a manager claim credit for your work?) are all potential threats. Human nature being what it is, an employee could also simply harbor a grudge for who knows what reason and deliberately disrupt operations to get back at the company or the individual responsible for IT security.
Organizations in sensitive sectors such as intelligence, defense, and critical infrastructure face additional insider threats. Employees may, in fact, be spies for a rival organization or perhaps existing employees are blackmailed into acting in the interests of a rival. Edward Snowden, despite being a whistleblower guided by his conscience, did harvest data as an insider, changing cybersecurity objectives worldwide as a direct result. Can your company protect itself against a similar threat?
Risk factors of insider threats
Let’s consider a few other risk factors that can make organizations vulnerable to insider threats:
1. Level of access: Your IT administrators have the highest-level network credentials, allowing them full control. Let’s assume one of them is feeling undervalued and is planning to leave the company. Rather than just leave, the administrator installs several copies of Microsoft Office, knowing that they will be unlicensed. A mysterious whistleblower then informs an organization such as BSA | The Software Alliance and receives a percentage of the hefty penalty awarded for licensing infringement. For smaller companies, this insider threat could well lead to bankruptcy. The lesson is that privileged actions such as software installs need to be logged and reviewed by someone other than the administrators themselves.
2. CCTV: If you’re a healthcare provider and you install CCTV cameras facing the screens on which patients’ medical records are displayed, the footage becomes an uncontrolled copy of protected health information, and you are violating HIPAA (in the U.S.) or the equivalent health-data privacy laws in other countries. Anyone able to view that footage, from security staff to the contractor who maintains the camera system, becomes a possible insider threat, and the violation carries the usual high penalties that compensate a government department (and not, unfortunately, the victims).
3. Social engineering: Members of your team are regulars at a few local coffee shops, restaurants, or bars. One day, as part of a promotion, memory sticks are given to all customers at a place your staff is known to frequent. Congratulations, all who accept the promo are now proud owners of a malware payload that gives the attacker remote access to whatever machine the stick is plugged into. The memory sticks were donated by a friendly neighborhood hacker as part of a fake company promotion, with the plan of targeting your company, a large local employer. How many of your employees will use these memory sticks at work?
4. Remote work: As remote work becomes more and more prevalent, there’s a rising spate of insider threats originating outside the network infrastructure. Being off-network makes it easier for attackers to gain access unless the same security tools are installed on every device used for work, on- and off-premises. The trend of bring your own device (BYOD) only complicates the task for IT pros, especially if these devices are lost or stolen. Is a remote wipe possible on all devices? Also, how can you ensure that anyone who has access to a remote machine doesn’t manually copy sensitive information or simply photograph the screen? A photo of a text document is fair game to hackers and just as valuable as the file itself.
The need for a solution that balances security and employee productivity
Yes, identifying insider threat personas is a difficult task. But the consequences of failing to do so are great. Data loss or security breaches cost money. Any service outages cost money as well. Then you have reputational damage to consider. Finally, regulatory penalties are often substantial under a variety of industry standards and data privacy laws. So, whether it’s a sales executive accidentally emailing wholesale pricing to a retail client or a malicious insider selling trade secrets on the dark web, the company pays a price.
In cases where insiders work with external actors, is the on-premises security posture robust enough to keep strangers out, or to stop dumpster diving where the insider has dropped IP documentation in the trash for later collection? Finally, in a business environment where insider threats are obviously on the rise, what security measures can prevent attacks without negatively affecting employee productivity and morale? Now that is the real conundrum.