Tackling The Insider Threat: … Where To Start?

Many organisations still believe the definition of an insider threat is limited to a rogue employee purposefully leaking embarrassing information, or nuking a couple of systems when he or she quits and walks out the door with internal or customer data to take to a new job. 

But not all insider threats have to be malicious to cause an incident.

Perhaps someone on your marketing team wasn’t aware of their regulatory obligations in handling customer information and handed over a large dataset to a third party processor. In some regions, if the company didn’t get an explicit opt-in from the customer to allow that third party to handle the data, it could be considered a security incident. Or what if someone on the HR team left a flash drive in the lunch room containing personal health information, and that info gets disclosed to other employees? Sure, it may not have been intentional, but it was still an incident caused by an insider.

Taking the threat seriously
Insiders have been behind several significant data breaches, yet many CISOs are still solely focused on keeping the bad guys out, instead of looking within their own company. Richard Henderson, global security strategist at Absolute, a security company offering endpoint visibility and control, believes that this disconnect is due to human nature and behavior.

“No one wants to presume that the people they work with on a daily basis can intentionally or unintentionally cause significant harm to their company,” he says.
“And while building a fortified, walled perimeter and patrolling for signs of attack is an easy decision, it’s not so easy to pivot to newer ways of thinking, like the zero-trust model, or continuous monitoring tools like user/entity behavior analytics. 
“It’s not uncommon to assume that something bad is likely going to happen, but it’s rare to assume it’s because of something someone on your side did.”

Neutralising the Threat
As storage and processing costs continue to plummet on a per-unit basis, it has become more attractive for both malicious and non-malicious insiders to use these technologies to their benefit, Henderson notes. 
“With Internet/Intranet ‘pipes’ larger than they’ve ever been, it can be simple for a malicious insider to hide their goals inside the torrent of traffic that companies have to monitor. 

“At the same time, those very same technologies make it very tempting for employees without nefarious intentions to send data to the cloud, send jobs outside the company for processing, or to merely store confidential information in personal cloud storage so they can easily work from home.”

Neutralising or minimising the insider threat requires a robust and evolved security strategy, he says, but even before that, companies need to gain visibility into all endpoint devices.

If you can’t randomly pick an endpoint device and query it to determine what its current patch status is, what sensitive data resides on it, what software is installed, and where it is physically located, how can you move on to more advanced things like building out a mature insider threat strategy? 

The answer is: you can’t. 
“Everything starts with visibility,” Henderson says. “Visibility into how employees use corporate resources and into how and where data is stored. 

“Visibility into how employees connect to your infrastructure and into the current risk profile of their endpoints. Are they current on patching? How long has a device been outside of the network? Do you have actual visibility of where all your data in your organisation has moved to? Has some of it migrated to the cloud? All of these questions can be addressed with a comprehensive asset management and data discovery toolkit.”
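The questions in the quote above (patch currency, time off the network, where sensitive data has ended up) are exactly what an asset-management and data-discovery toolkit is meant to answer. The script below is an added example, not code from the article or from Absolute: it runs those checks over a small constructed inventory. The record format, field names, thresholds and approved-location list are all assumptions for the illustration; a real toolkit would supply the records.

```python
"""Added example (not from the article or from Absolute): turn the visibility
questions above into a repeatable check over an endpoint inventory.

The inventory format, field names and thresholds are assumptions made for
this illustration; a real asset-management or data-discovery tool would
supply these records.
"""
from datetime import date

# Constructed sample inventory. Each record is what a query to one endpoint
# might return: patch state, sensitive-data findings, last network check-in,
# and physical/cloud location. Dates are ISO strings.
INVENTORY = [
    {"host": "FIN-LT-017", "owner": "finance", "last_patch": "2024-03-01",
     "last_seen": "2024-03-04", "sensitive_records": 0, "location": "HQ"},
    {"host": "HR-LT-003", "owner": "hr", "last_patch": "2023-12-15",
     "last_seen": "2024-01-20", "sensitive_records": 1200, "location": "unknown"},
    {"host": "MKT-LT-011", "owner": "marketing", "last_patch": "2024-02-27",
     "last_seen": "2024-03-05", "sensitive_records": 45000,
     "location": "personal-cloud-sync"},
    {"host": "CTR-LT-042", "owner": "contractor", "last_patch": "2024-02-20",
     "last_seen": "2024-03-03", "sensitive_records": 0, "location": "remote"},
]

# Policy thresholds (assumed for the example).
MAX_PATCH_AGE_DAYS = 45
MAX_OFFLINE_DAYS = 30
APPROVED_LOCATIONS = {"HQ", "remote", "corporate-cloud"}


def days_between(later: str, earlier: str) -> int:
    """Whole days from `earlier` to `later` (both ISO dates)."""
    return (date.fromisoformat(later) - date.fromisoformat(earlier)).days


def risk_findings(ep: dict, today: str) -> list[str]:
    """Return the visibility gaps for one endpoint as short finding tags."""
    findings = []
    # Is the device current on patching?
    if days_between(today, ep["last_patch"]) > MAX_PATCH_AGE_DAYS:
        findings.append("stale-patches")
    # How long has the device been outside the network?
    if days_between(today, ep["last_seen"]) > MAX_OFFLINE_DAYS:
        findings.append("long-offline")
    # Has sensitive data migrated somewhere the organisation does not approve?
    if ep["sensitive_records"] > 0 and ep["location"] not in APPROVED_LOCATIONS:
        findings.append("sensitive-data-unapproved-location")
    # Contractor devices holding sensitive records get their own flag.
    if ep["owner"] == "contractor" and ep["sensitive_records"] > 0:
        findings.append("sensitive-data-on-contractor-device")
    return findings


def triage(inventory: list[dict], today: str) -> dict[str, list[str]]:
    """Map every host that has at least one finding to its list of findings."""
    report = {}
    for ep in inventory:
        found = risk_findings(ep, today)
        if found:
            report[ep["host"]] = found
    return report


if __name__ == "__main__":
    for host, findings in triage(INVENTORY, "2024-03-05").items():
        print(f"{host}: {', '.join(findings)}")
```

Run as a script it reports the HR laptop (patches 81 days old, off the network 45 days, sensitive records at an unknown location) and the marketing laptop (sensitive records synced to personal cloud storage), while the two healthy devices produce no findings. The point is the shape of the check, not the thresholds: once every endpoint can be queried for these fields, the same questions can be asked of the whole fleet on a schedule instead of one device at a time.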

Henderson also notes that attempting to spot future malicious insiders during the hiring process is mostly a waste of time.

“We only need to look at the case studies of double-agents or turncoats in the history of intelligence agencies to see that even with the most in-depth, comprehensive, and probing background investigations, there are always going to be insiders that will decide to do something bad,” he notes.
“Circumstances and motivations change for people all the time. We may be able to potentially screen out riskier candidates with larger and more involved background checks, but they will never be able to give a definitive yes or no on someone causing an incident.
“Those resources would be much better used as investment in other tools that can monitor how employees handle and consume sensitive information.”

Preparing for the Future
It’s difficult to predict the situation we’ll face five years from now. “We could see some organisations make a complete and total move to both virtualised and cloud infrastructures, and we could see others retreat entirely from the cloud,” Henderson points out. But enterprises thinking about security that far ahead should have a plan in place now to actively monitor every single endpoint device in their organisation, and that includes contractors they allow to access their internal resources.

“That monitoring technology needs to look for potential compliance and regulatory violations as well as the movement and storage of important data, whether it be customer or internal data. Knowing what important info exists on your computers allows you to quantify the risks inside your organisation better,” he believes.

Help Net Security
