Insider Threat Awareness Month – one click is all it takes….
This September marks the fourth annual National Insider Threat Awareness month, which highlights the importance of defending against, detecting and mitigating damages from insider threats which roughly account for 22% of security incidents.
Neil Jones, Director of Cybersecurity Evangelism at Egnyte, explained: “While not always malicious, insider threats can be even more devastating than external attacks because authenticated insiders are able to gain access to a much wider playing field than the average cyber-attacker.”
Surya Varanasi, CTO of Storcentric, elaborates that the expense is not only “measured in ransomware payments” but also in the “incalculable costs of operations downtime, lost revenue, legal fees regulations compliance penalties, a rise in insurance premiums, and a loss of customer trust”.
Brian Dunagan, Vice President of Engineering at Retrospect agrees, adding: “Given today’s economic and geopolitical climate it is a given that at some point virtually all organisations will suffer a successful cyber-attack be it from internal or external forces. Given this inevitability, it makes sense that organisations are putting an increasing focus on their ability to detect and recover as quickly, cost-effectively and painlessly as possible.”
The 3 deadly sins: malicious, compromised and negligent
There are several different types of insider threats which can be distinguished into three distinct categories: malicious, compromised, and negligent.
Malicious
Matt Rider, VP of Security Engineering EMEA at Exabeam, explains: “The ‘malicious insider’ is an employee who intentionally steals data, either for personal gain or to negatively impact the organisation involved.”
Andy Swift, Technical Director for Offensive Security at Six Degrees adds: “Data loss is one of the key insider threats faced by organisations today. When employees leave organisations, the most common forms of data loss are typically IP and client data.”
When employees move on to another job, sometimes they will want to take some data with them like licences on software and client data.
“People often see their work as very personal, rather than necessarily belonging to their employer, and that makes controlling and monitoring access to data very important. However, that is very easy to say but very hard to actually implement properly”, summarises Andy Swift.
Compromised
Rider elucidates that a compromised insider “general acts without malice and usually has no idea they’ve been compromised. All it takes is clicking on a link in a phishing email or opening an infected file and their credentials can become compromised.”
The rise in remote working has presented its own challenges; employees working outside of the traditional work environment has meant there has been an increase in the number of endpoints, resulting in a ‘security headache’ for IT teams.
Scott Boyle, Head of Information Security at Totalmobile, adds: “All of these mobile workers need to be able to access secure files and documents even when out on the road, possibly relying on a variety of unknown WiFi networks as well. Because of these working patterns, mobile workers can become insider threats, even completely inadvertently.”
Negligence
A negligent employee is someone who accidentally leaves their laptop on the train, walks away from an unlocked workstation or simply fails to follow cybersecurity best practices.
Liad Bokovsky, VP of Solution Consulting at Axway, stated: “Insider-led threat incidents alone have increased by 44% this year, most of which were caused by careless employees (63%).”
Apratim Purakayastha, CTO at Skillsoft, advises that innocent acts such as “an accidental click on a phishing link or sending an email to the wrong person can have devastating consequences”.
Rider argues that “these individuals can be particularly challenging because their actions are very hard to predict and defend against.”
The 6 key components of defeating businesses insider threats:
- Visibility and Preparedness
Organisations need to have a comprehensive security program in place that focuses on both preparedness and visibility.
Raffael Marty, EVP and GM Cybersecurity at ConnectWise, explained that preparedness “should cover the playbooks for how to react in case of relevant organisation events and security-relevant incidents.”
“Visibility, on the other hand, means being able to identify and effectively react to potential adverse actions. Monitoring devices can help organisations achieve greater visibility, but that’s only the first step. Visibility also expands into understanding what employees are doing and how they are interacting with an organisation’s sensitive data,” stated Marty.
Such security programmes must include measures designed to target insider threats – whether malicious or unintentional, adds Yakir Kadkoda, Lead Security Researcher, Team Nautilus at Aqua Security. “Insider threats make up a shocking 65% of UK cyber incidents – so it’s crucial that organisations implement cybersecurity strategies that prioritise preventing attacks from those with close access to its digital assets. While many organisations have already implemented cybersecurity training, and encourage good cyber hygiene, it’s also important to ensure the development process is also secured from insider threats.”
- Back-up data with unbreakable solutions
As ransomware and other malware attacks continue to increase in severity and sophistication, there is an increased need to protect backed-up data.
Varanasi explained: “What is required is an Unbreakable Backup solution that is able to create an immutable, object-locked format, and then takes it a step further by storing the admin keys in another location entirely for added protection. Additionally, it should include policy-driven data integrity checks that can scrub the data for faults, and auto-heals without any user intervention.”
Dunagan adds: “A backup solution that includes anomaly detection is a must. Certainly, the next step after detecting the anomaly is providing the ability to recover in the event of a successful ransomware attack.”
- Preventing data breaches
Swift explains that when it comes to protecting businesses, keeping a log of who has access to what, and therefore what access needs removing when they leave, is essential.
Swift added: “Preventing data leakage while the employee is in situ is complex – you can use various endpoint protections to monitor for mass file transfer externally, but these are often trivial to bypass. Endpoint monitoring, content filtering, data loss prevention tooling and so on can all then be a much welcomed additional layer to the onion. Security in layers is everything!”
On the development side, Aqua’s Kadkoda argues that: “It’s vital to have secure development processes in place, with SAST and DAST scans as well as secret scans. For best practice, developer teams should treat all of their code as if it were open source. Teams working on open source projects are used to assuming their code is visible to everyone, and work to ensure that it has as few vulnerabilities as possible. The aim should be to create code that will cause minimal damage if it’s exposed.
- Internal Training: employees transformation from potential risk to first line of defence
Whilst improving general awareness can help address some of the core risks, organisations need to be investing more in relevant cybersecurity training for all employees.
Purakayastha implied: “Awareness is the first step in addressing this risk – staff must understand they have an essential part to play.
“Organisations should ensure that cybersecurity training is provided for all employees, along with frequent refreshers — this should not be done at onboarding and forgotten about later. Bite-sized learning that can be embedded throughout the workday can be used to teach employees how to spot a phishing email, know when and why they shouldn’t open a link, and ensure they generally have a good grasp of cyber hygiene.
“Gaining practice in real-life scenarios will enable learners to evaluate their skills and be confident to tackle any threats they may face. If properly trained, employees can turn from a potential risk to the first line of defence in the fight against cyber threats.”
- Zero Trust Model
Richard Barretto, Chief Information Security Officer at Progress, explains that adopting a Zero Trust Model is a must; He explains “granting least-privileged access, implementing sign-on verification measures where possible and practising good cyber hygiene—should be considered a top priority for every organisation in 2022. It’s also important for organisations to have an early warning system for WFH employees and the ability to remotely manage their employee devices in the case there has been a compromise and a device needs to be quickly wiped.”
One look, one check, and one improvement could be all it takes to ensure your business is protected from insider threats.
Jones summarises: “This Insider Threat Awareness Month, and always, organisations should take a proactive approach that detects misuse before it’s too late.”
Considering the 47% rise of inside threats between 2018 and 2020, businesses need to ensure they are doing more to protect against this growing hostile threat.
John Grancarich, EVP Strategy at HelpSystems, concluded: “One click – that’s all it takes for an unsuspecting user to be lured down the path of credential theft. And once the first set of credentials has been compromised, the front door of your organisation is wide open and it won’t stop there. So take the time to invest in awareness and in training. It turns out that our parents’ advice to us as we were growing up is relevant to security as well: an ounce of prevention is worth a pound of cure.”
Responses