Insider Threat: Not Like the Movies
The hacker is hunched over his machine, the hood of his gray sweatshirt covering his hair and plunging his face in shadows as he types feverishly on a black keyboard. Using his considerable skills, he infiltrates some of the best-guarded corporations, stealing valuable data and millions of dollars. He is halfway across the world in a dark apartment at a remote location, and corporations are powerless to stop him.
Actually, scratch that. While that’s the picture painted in movies and security commercials, that scenario is dead wrong in about 45 percent of cases.
The threat putting you at risk actually looks something like this: Your bioscientist unlocks the front door with her employee badge and logs into the lab computers with her credentials. She’s just been denied a promotion — again — and has accepted an offer from a competitor. She’s downloading some of her research onto a flash drive to take with her once she leaves your employment.
This banal action may not be movie-worthy, but the consequences and scope of the potential losses definitely are. That’s why many organizations are asking security professionals how to protect their data against insider threats.
Here are our recommendations in three steps.
1. Reduce Exposure
First, limit the ways in which a trusted insider or external actor can steal your data by making sure your key information is appropriately protected. Data security and identity and access management (IAM) tools, including access management and governance technologies, work together to do just that. In many organizations, however, these technologies are not well-integrated, and the resulting security gaps can put your data at risk.
To determine whether that’s the case in your organization, identify any data that you deem highly sensitive, such as trade secrets, proprietary data, customer lists, and financial or employee information. Then methodically map all of its access pathways to figure out where it is located, how it is accessed and by whom. This will give you the insights necessary to determine whether your data security, access policies and user governance are working the way they should. From there, you can prioritize the security actions you need to take to protect your data.
This exercise enables you to answer the following questions:
- Who has access to sensitive data?
- Who should have access?
- Are we restricting the ways in which legitimate users can access data to make it hard for others to steal it?
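One way to carry out the access-pathway mapping described above, as an added example that is not part of the original article. The asset names, locations, groups and the `grp:` prefix are all constructed assumptions; the script resolves nested groups to users for each pathway and reports who has access beyond the approved list.

```python
# Added example: every name and grant below is constructed for illustration.
from collections import defaultdict

# Directory export: group -> members; "grp:" marks a nested group.
GROUPS = {
    "research": {"alice", "bob", "grp:lab-admins"},
    "lab-admins": {"carol"},
    "all-staff": {"alice", "bob", "carol", "dave", "erin"},
}

# One row per access pathway: where the data lives, how it is reached, who is granted.
PATHWAYS = [
    {"asset": "assay-results", "location": "fileserver01", "via": "smb", "grants": {"grp:research"}},
    {"asset": "assay-results", "location": "labdb", "via": "sql", "grants": {"grp:all-staff"}},
    {"asset": "customer-list", "location": "crm", "via": "api", "grants": {"dave", "grp:lab-admins"}},
]

# Data owners' answer to "who should have access?"
APPROVED = {"assay-results": {"alice", "bob", "carol"}, "customer-list": {"dave"}}


def expand(principals, groups, seen=None):
    """Resolve users and (possibly nested or cyclic) groups to a set of users."""
    seen = set() if seen is None else seen
    users = set()
    for p in principals:
        if not p.startswith("grp:"):
            users.add(p)
        elif p[4:] not in seen:
            seen.add(p[4:])
            users |= expand(groups.get(p[4:], set()), groups, seen)
    return users


def access_map(pathways=PATHWAYS, groups=GROUPS, approved=APPROVED):
    """Per asset, list each pathway with its effective users and unapproved excess."""
    report = defaultdict(list)
    for pw in pathways:
        effective = expand(pw["grants"], groups)
        excess = effective - approved.get(pw["asset"], set())
        report[pw["asset"]].append({
            "location": pw["location"], "via": pw["via"],
            "users": sorted(effective), "excess": sorted(excess),
        })
    return dict(report)


if __name__ == "__main__":
    for asset, rows in access_map().items():
        for row in rows:
            print(asset, row["location"], row["via"], "excess:", row["excess"])
```

In this sample the file share matches the approved list, while the database pathway to the same asset is open to all staff, which is the kind of gap the mapping exercise is meant to surface.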
2. Detect the Insider Threat
Once your systems are in place and working well to minimize the risks to your sensitive data, you should be left with a small pool of legitimate users who require access to do their jobs and create value for your organization. However, these users can still pose a risk if they fall prey to an external actor or become malicious actors themselves.
For that reason, it’s important to monitor the way these users interact with your information to ensure they are using it in legitimate ways. Anticipate the risk of malicious actions before they occur and respond promptly when a breach occurs to reduce the damage an insider can inflict.
To cut through the noise and make sense of the millions of transactions you’ll likely observe from your users, analyze more than just their transaction patterns. Identify risk factors from other types of information, such as HR data, to flag users who could pose a greater risk. For example, employees in a division that just underwent a major reorganization or a round of layoffs could be more likely to develop malicious intent. Cross-referencing these risk factors with the transaction patterns can help narrow down incidents for additional investigation.
It’s also important to note that organizations can observe the behaviors of their users without violating their right to confidentiality, striking a balance between security and privacy. In most cases, you’ll be able to achieve meaningful results without compromising privacy.
This exercise will allow you to answer the following questions:
- What are end users and administrators doing with data?
- What do normal transaction patterns look like between users and your sensitive data?
- How much can you trust each individual user?
- When should a deviation be cause for further investigation?
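The cross-referencing of transaction patterns with HR risk factors described above, as an added example that is not part of the original article. The access counts, HR flag names, weights and threshold are constructed assumptions; the script scores each user's deviation from their own baseline and scales it by HR context, using only record counts and category flags rather than record contents.

```python
# Added example: all users, counts, flags and weights are constructed.
from statistics import mean, pstdev

# Sensitive records read per day, per user; the last value is today.
ACCESS_HISTORY = {
    "alice": [40, 42, 38, 41, 39, 120],
    "bob":   [10, 12, 11, 9, 10, 13],
    "erin":  [10, 12, 11, 9, 10, 13],
    "dave":  [5, 6, 5, 7, 6, 6],
}

# HR context per user, and how much each factor raises scrutiny (assumed weights).
HR_FLAGS = {"alice": {"resignation_submitted"}, "bob": {"recent_reorg"},
            "dave": {"recent_reorg"}}
HR_WEIGHTS = {"resignation_submitted": 2.0, "recent_reorg": 1.5}


def deviation(history):
    """Z-score of today's count against the user's own earlier baseline."""
    baseline, today = history[:-1], history[-1]
    sigma = pstdev(baseline) or 1.0  # flat baseline: avoid division by zero
    return (today - mean(baseline)) / sigma


def risk_multiplier(user):
    """Product of the weights of the user's HR risk factors (1.0 if none)."""
    mult = 1.0
    for flag in HR_FLAGS.get(user, ()):
        mult *= HR_WEIGHTS.get(flag, 1.0)
    return mult


def triage(threshold=3.0):
    """Return (user, z, score) for users whose weighted deviation needs review."""
    flagged = []
    for user, history in ACCESS_HISTORY.items():
        z = deviation(history)
        score = max(z, 0.0) * risk_multiplier(user)  # only increases matter here
        if score >= threshold:
            flagged.append((user, round(z, 1), round(score, 1)))
    return sorted(flagged, key=lambda row: -row[2])


if __name__ == "__main__":
    for user, z, score in triage():
        print(f"{user}: deviation {z}, weighted score {score}")
```

Bob and Erin show the same modest rise, but only Bob crosses the threshold because of the reorganization flag, while Dave's flag alone triggers nothing because his access pattern has not changed.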
3. Get Started Today
Don’t wait until the next breach to take action and secure your most sensitive data. You can start small to fight insider threats. Identify five to 10 pieces of data or information that are most important to your organization and go from there. If you don’t have the resources to do this exercise in-house, seek out a third-party vendor for help.
Last week, IBM announced a new insider threat protection offering to help customers address the security gaps insiders might exploit with an approach that provides clear, actionable intelligence. The security specialists involved have the business, data and IAM security experience to help you evaluate intelligence, draw more meaningful conclusions and prepare for next steps.
Attend our Dec. 14 webinar, “Fight Back Against Insider Threats: Three Steps to Stop Harmful Insider Actions,” to learn more about how you can reduce your risk and protect your critical data.