Defense Strategies Against Inner Threats
Inner threats are, without any doubt, among the most dangerous cyberthreats you can find but organizations of all sizes seem to be either reluctant or negligent when it comes to fighting them.
Over 50% of companies don’t have an Insider Risk Response Plan and 40% don’t assess how effectively their technologies mitigate these threats. Even though 59% of IT security leaders expect insider risks to increase in the next two years, very little is being done to prevent them from causing serious security incidents.
Another factor to consider is that the average time to identify and contain a data breach is 280 days. This should give you an idea of the possible damage a single data breach could cause to your business.
This brief article will attempt to throw some light on the types of cyberthreats you must detect and mitigate, the damage they could cause, the user attributes that increase these risks, and the security controls you should implement to prevent and reduce these threats.
The good news is that something effective can be done about it.
Understanding Internal Threats
Simply put, an employee or contractor who wittingly or unwittingly uses his/her authorized access to cause harm to your business is considered an insider threat. The Ponemon Institute’s Global Cost of Insider Threats Report 2020 lists three types of internal cyberthreats:
- A careless or negligent employee or contractor who unwittingly lets a hacker access your business’ network. Over 60% of incidents in 2020 were related to negligence.
- A criminal or malicious insider who abuses his or her privileged access to your business’ network to either steal or exfiltrate sensitive data for financial gain or plain old revenge. Criminal insiders were involved in 23% of breaches in 2020.
- A credential thief (hacker) who poses as an employee or a contractor to gain access to sensitive data and then compromise the data for financial gain. Credential theft led to 14% of breaches in 2020.
The Damage Internal Threats Can Cause
Even a single security breach caused by an insider threat can result in serious damage to your business in the following ways:
- Theft and/or exposure of sensitive data: valuable data such as customer information or trade secrets could be exposed following a breach — an ordeal Marriott International survived an early 2020. Hackers abused a third-party application used by Marriott to gain access to 5.2 million guests’ records. Recommended article: Supply Chain Management Obligations.
- Downtime: the downtime following a breach impacts your business in more ways than one. As mentioned earlier, it can take a long time for you to ascertain the details of a breach and then control the damage. This period can drain your business resources as it did to a company in the UK that had to eventually shut shop after a disgruntled employee deleted 5,000 documents from its Dropbox account.
- Destruction of property: a malicious insider could cause damage to physical or digital equipment, systems or applications, or even information assets. A former Cisco employee gained unauthorized access to the company’s cloud infrastructure and deleted 456 virtual machines, jeopardizing the access of 16,000 users of Cisco WebEx. The tech company had to spend $2.4M to fix the damage and pay restitution to the affected users.
- Damage to business reputation: should you suffer a breach, investors, partners and clients may immediately lose confidence in your business’s ability to protect personal information, trade secrets or other sensitive data.
User Attributes That Aggravate Internal Threats
The likelihood of a security breach caused by an insider could be significantly increased due to:
- Excessive access provided to several users in the form of unnecessary permissions or admin rights.
- Haphazard allocation of rights to install or delete hardware, software, and users
- Usage of weak login credentials and bad password hygiene practices by the users. Check the article Password or Passphrase? 5 Reasons to Use Passphrase.
- Users that act as a single point of failure since no one keeps their access under check (a phenomenon common with the CEO fraud).
Building a Resilient Defense Against Internal Threats
As a business, you can undertake a list of security measures to build a resilient defense against insider threats as part of a proactive defense strategy rather than a reactive one. Some of the immediate measures you can take include:
- Assessment and audit of your systems: direct your IT team to assess and audit every system, data asset and user to identify insider threats and document them thoroughly for further action.
- Access restrictions and permission controls: not every employee needs to have access to every piece of data. You must review and limit unnecessary user access privileges, permissions and rights.
- Mandatory security awareness training for all users: this is non-negotiable. Every user on your network must be trained thoroughly on cyberthreats, especially insider threats, and on how to spot early warning signs exhibited by potential insider threats such as:
- Downloading or accessing substantial amounts of data,
- Accessing sensitive data not associated with the employee’s job function or unique behavioral profile,
- Raising multiple requests for access to resources not associated with the employee’s job function,
- Attempting to bypass security controls and safeguards,
- Violating corporate policies repeatedly,
- Staying in office during off-hours unnecessarily.
- Strict password policies and procedures: you must repeatedly encourage all users to follow strict password guidelines and ensure optimal password hygiene.
- User authentication: deploy enhanced user authentication methods, such as two-factor authentication (2FA) and multi-factor authentication (MFA), to ensure only the right users access the right data.
- Baseline user behavior: devise and implement a policy to determine ‘baseline’ user behavior related to access and activity, either based on the job function or the user. Do not be counted among the 56%of security teams that lack historical context into user behavior.
- Monitoring to detect anomalies: Put in place a strategy and measures that will identify and detect abnormal/anomalous behaviors or actions based on baseline behaviors and parameters.
Detecting inner threats and building a robust defense strategy against weak points in your own chain can be a tough task for most businesses, irrespective of size. The longer you wait, the greater the chance of a security lapse costing your business dearly.
However, you certainly should not hesitate to ask for help. The right MSP partner can help you assess your current security posture, determine potential insider threats to your business, fortify your cybersecurity infrastructure and secure your business-critical data.
It may seem like a tedious process, but that’s why we’re here to take all the hassle away and ensure your peace of mind remains intact throughout this fight. All you have to do is shoot us an email or give us a call and we’ll take it from there – we can do this as an extension of your own IT Department or as your Managed Service Provider – in either case, we’ll not only make sure your data and your team are secure, but we’ll also bring 20%-30% savings.
Tampa Bay Office: (813) 489-4122 | Washington D.C. Office: (703) 260-1119