The Threat Sitting Next To You: Defending Cyber Insider Attacks
Each year, companies wisely invest in advanced perimeter security devices and software to secure their electronic data and thwart cyber attacks. Unfortunately, despite that well-reasoned approach, the greatest threat to data security may be someone within the organization’s own walls.
An April 23, 2019 privacy notification by the FBI stated that U.S. businesses are reporting a significantly increased amount of data loss as a result of insider threat actors. Typically, those actions are caused by IT administrative professionals or corporate managerial executives who have elevated permission status to data stored on the network. The situation is further complicated by the advance of cloud based technologies and SaaS (software as a service) application structures where file sharing permissions and access configurations can be harder to administer.
Some of the ways in which insiders can illegally steal data or compromise a company’s network include using their administrative access to create fake/hidden admin accounts to use after their departure, installing key loggers or other malware onto company devices, disabling logging or other key functions to hide evidence of their crimes, or preying upon known system or personnel vulnerabilities via social engineering. In each case, potential damages can include loss or destruction of data, disruption of business services or functions, or the compromise and public distribution of personally identifiable information belonging to employees or customers. Importantly, some losses can go undiscovered for years unless the breach is detected at the outset.
What can a company do to best protect itself from cyber insider threats? The first and most critical step is to implement and maintain a mature approach to access management across the organization. Companies should design and implement proven access controls to protect internal resources, in addition to data retention and media disposal polices. Administrative accounts on the network should be audited on a regular basis, most especially before or after major hiring events involving high level IT staff or management executives. Human resources personnel should require documented proof from IT staff that a departing individual’s network access has been removed upon the date of termination. An up-to-date Bring Your Own Device policy, with appropriate enforcement mechanisms, can also help organizations prevent terminated employees from leaving with sensitive information on their personal devices.
Monitoring activity in order to identify potentially suspicious acts is often the biggest differentiator between successful and unsuccessful security approaches. Implementing tools that trigger alerts during unusually large file downloads or uploads to cloud sites along with remote connection sessions well outside typical working hours can be key signs of potential malfeasance. Making sure the company has solid and regular data backup capabilities in place is another way to guard against data destruction.
Employees acting as cyber insider threats usually have one or two primary motivations. The first is often a desire to seek revenge for what they perceive as past slights by their employer. The second is for the same reason criminals throughout history have often acted - for financial profit and/or greed. (These are, of course, in addition to the myriad non-malicious insider threats, such as employees working around security features for convenience or innocent employees losing unencrypted devices.)
Conducting regular cyber assessments, developing effective information security policies and procedures, and educating employees about threats and risks—including the insider threat—are all key elements of a strong information security program that can minimize this risk. Likewise, organizations should consider creating a business continuity management plan to limit any potential disruption. In all cases, maintaining an active and thorough awareness of network activity at all times can be a company’s best defense against the threat potentially sitting in the cubicle right beside you.