The CISO’s Guide to Managing Insider Threats
Critical digital and physical assets are becoming increasingly vulnerable due to accelerated connectivity, differing global regulatory requirements, joint ventures and business partnerships and security weaknesses within complex multinational supply chains. These factors have led to a rise in insider threats for enterprises across all industries.
An insider threat is an employee or third-party vendor who has access to a company’s network. While some insiders seek to compromise sensitive corporate data for monetary gain or out of spite, others do so accidentally through negligence or lack of awareness.
According to the “2016 Insider Threat Report” by Crowd Research Partners, 75 percent of survey respondents estimated insider threats cost their companies at least $500,000 in 2016, while 25 percent reported costs could exceed that amount. The study also found that 74 percent of organizations are vulnerable to insider threats. Of that number, 7 percent reported that they were “extremely vulnerable.”
Common Behavioral Indicators
The most common indicator of an insider threat is lack of awareness. For instance, IT-savvy employees often create workarounds to technology challenges. When employees use their own personal devices to access work email, they often create new vulnerabilities within the organization’s physical security processes and IT systems.
The chief information security officer (CISO) must be aware of these patterns to detect suspicious motives, which requires a holistic and layered approach to user behavior analytics (UBA). The following are examples of behavioral indicators:
- Downloading substantial amounts of data to external drives;
- Accessing confidential data that is not relevant to a user’s role;
- Emailing sensitive information to a personal account;
- Attempts to bypass security controls;
- Requests for clearance or higher-level access without need;
- Frequently accessing the workspace outside of normal working hours;
- Irresponsible social media behaviors;
- Maintaining access to sensitive data after termination;
- Using unauthorized external storage devices;
- Visible disgruntlement toward employers or co-workers;
- Chronic violation of organization policies;
- Decline in work performance;
- Use of mobile devices to photograph or otherwise record computer screens, common work areas or data centers;
- Excessive use of printers and scanners;
- Electronic communications containing excessive use of negative language;
- Installing unapproved software;
- Communication with high-risk current or former employees;
- Traveling to countries known for intellectual property (IP) theft or hosting competitors;
- Violation of corporate policies;
- Network crawling, data hoarding or copying from internal repositories;
- Anomalies in work hours;
- Attempts to access restricted areas;
- Indications of living beyond one’s means;
- Discussions of resigning or new business ventures; and
- Complaints of hostile, abnormal, unethical or illegal behaviors.
Remediation Pain Points
Insider threats are costly to remediate because they are very difficult to detect. A thorough investigation often requires companies to hire forensic specialists to determine the extent of a breach. It is also challenging to distinguish malicious activity from regular day-to-day work. For example, users who have elevated access privileges interact with sensitive data as part of their normal jobs, so it can be virtually impossible to determine whether their actions are malicious or benign.
Users who have elevated access privileges often cover their tracks by deleting or editing logs, impersonating another user or using a system, group or application account. Proving guilt is yet another pain point, since offending users may claim ignorance or human error.
Steps to Combat Insider Threats
Most organizations lack procedures to deal with internal threats. Moreover, security architecture models leave no room for insider threats. Security infrastructures are built primarily to prevent outside attackers from gaining entry to the network undetected, operating under the false assumption that anyone granted internal access in the first place is trustworthy.
To properly account for and remediate insider threats, organizations must establish a comprehensive, risk-based security strategy that includes the following four elements:
1. Information Governance
It is of paramount importance to protect critical data assets from insider threats. Information governance provides business intelligence that drives security policies and controls. This improves risk management and coordination of information management activities. A solid information governance foundation enables organizations to adopt a risk-based approach to protecting their most valuable assets and installing sound data management procedures.
2. Advanced Forensic Data Analytics
User behavior analytics (UBA) tools are indispensable because they provide both detection and predictive measures to thwart insider threats. These solutions incorporate artificial intelligence and machine learning technologies that objectively analyze insider behaviors and generate risk rankings within the user population.
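As an added example that is not from the article or any vendor's product, the following Python sketch scores constructed sample events against four indicators from the list above (bulk copying to external drives, access to data outside a user's role, email to a personal account, off-hours activity) and produces the kind of per-user risk ranking a UBA tool generates. The events, role-to-department mapping, thresholds and indicator weights are all assumptions chosen for illustration.

```python
from datetime import datetime

# Constructed sample events: (user, ISO timestamp, action, detail). Not real data.
EVENTS = [
    ("alice", "2016-11-02T09:15:00", "file_read", "finance/q3_forecast.xlsx"),
    ("alice", "2016-11-02T10:02:00", "email", "to=alice.home@gmail.com;size_mb=0.2"),
    ("bob",   "2016-11-02T02:40:00", "usb_copy", "size_mb=4200"),
    ("bob",   "2016-11-02T02:45:00", "file_read", "hr/salaries.csv"),
    ("bob",   "2016-11-02T03:10:00", "file_read", "legal/merger_memo.docx"),
    ("carol", "2016-11-02T14:00:00", "file_read", "hr/salaries.csv"),
]

# Hypothetical mapping of each user's role to the data departments it may touch.
ROLE_SCOPES = {"alice": {"finance"}, "bob": {"engineering"}, "carol": {"hr"}}

PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}  # assumed list
USB_THRESHOLD_MB = 1000          # assumed: anything above this is "bulk"
WORK_HOURS = range(7, 20)        # assumed: 07:00 to 19:59 local time
# Assumed indicator weights; a real program tunes these to the environment.
WEIGHTS = {"off_hours": 1, "bulk_usb": 4, "out_of_scope": 3, "personal_email": 2}


def parse_detail(detail):
    """Turn 'k=v;k2=v2' into a dict (keys without '=' are ignored)."""
    return dict(kv.split("=", 1) for kv in detail.split(";") if "=" in kv)


def indicators(user, ts, action, detail):
    """Return the set of behavioral indicators a single event triggers."""
    hits = set()
    if datetime.fromisoformat(ts).hour not in WORK_HOURS:
        hits.add("off_hours")                      # anomaly in work hours
    fields = parse_detail(detail)
    if action == "usb_copy" and float(fields.get("size_mb", 0)) >= USB_THRESHOLD_MB:
        hits.add("bulk_usb")                       # large copy to external drive
    if action == "file_read":
        department = detail.split("/", 1)[0]
        if department not in ROLE_SCOPES.get(user, set()):
            hits.add("out_of_scope")               # data not relevant to role
    if action == "email":
        domain = fields.get("to", "").rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_DOMAINS:
            hits.add("personal_email")             # sensitive data to personal account
    return hits


def risk_ranking(events):
    """Sum indicator weights per user and rank users from highest to lowest risk."""
    scores = {user: 0 for user, *_ in events}      # every seen user gets a score
    for user, ts, action, detail in events:
        for hit in indicators(user, ts, action, detail):
            scores[user] += WEIGHTS[hit]
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)
```

Running `risk_ranking(EVENTS)` places bob first: three off-hours events, a 4.2 GB USB copy and two reads outside his engineering scope add up, while carol's in-scope, in-hours read scores zero.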
3. Incident Response and Recovery
External and insider breaches each have their own nuances, but their impacts are similar, so both should be handled by the same response program, built in anticipation of a major breach. Organizations must strive to build as strong an insider threat program as possible, and the incident response program that supports it must account for both internal and external breaches.
4. Legal Considerations
An insider threat program cannot be successful without careful legal and regulatory considerations. For example, privacy laws pertaining to employee monitoring vary across national boundaries. In the U.S., the Electronic Communications Privacy Act (ECPA) allows employers, under certain provisions, to monitor their employees’ emails and other electronic communications. Meanwhile, the member states of the European Union (EU), in compliance with the European Convention on Human Rights, adhere to privacy laws under the Data Protection Directive, which regulates how organizations within the EU process personal information.
A Cross-Organizational Challenge
Combating insider threats is an organizational issue that crosses people, processes and technology and requires a detailed understanding of the organization’s assets and security posture. It also demands a clear separation of duties, continuous monitoring of employee behaviors and a formal insider threat program that includes IT, human resources, legal and all other business groups. With the proper resources in place, a CISO can gather the actionable intelligence needed to thwart internal attacks and gain visibility into the highest-risk users.