Preventing Insider Threats with a Prevention Program

We like to think that all threats come from the outside, that the people who want to perform malice upon us or our organizations are total strangers. Unfortunately, that is just not the case. An uncomfortable statistic comes from the FBI. According to 2011 homicide data, 54.3% of murder victims were killed by someone they knew. On top of that, nearly 25% were killed by a family member. These statistics show that who you know can potentially hurt you.

It is the same story when it comes to cybersecurity incidents. A recent McKinsey study shows that 50% of all breaches involve insider threats. A 2021 Forrester study put that number at 58%. Gartner says that insider threats enable as much as 75% of all data breaches. An insider threat actor could be anyone from an employee or contractor to a custodian or repair person. We might not want to view these people in that light, but anyone who has approved access to your organization, whether physical or virtual, is a possible contributor to a security incident. The inconvenient truth is that insider threats are a more serious threat than you might think.

You Need a Plan

While many cybersecurity incidents can be attributed to insider threats, that does not mean these threats are always malevolent in intent. There are certainly malicious acts of theft, sabotage, fraud, or espionage that can be carried out by people within any organization, but incidents can be caused by simple negligence as well. Examples include the accidental deletion of critical data, a server misconfiguration that becomes exploitable, or a simple misunderstanding of a technology and the threats it is exposed to.

Regardless of motive, every organization needs an insider threat program to prevent these threats from happening. That begins by engaging your top-level executives and attaining their commitment to the endeavor. An insider threat program that is prioritized and supported by upper management will increase the credibility and sustainability of the program and warrant the allocation of attention and resources to ensure its completion.

Start with a Risk Assessment

You cannot create a protection plan unless you first know the risks you are dealing with. A risk assessment will help you identify areas that may be at risk of an insider threat due to things such as weak access controls, inadequate monitoring, or insufficient security policies. By understanding your most serious risk areas, you can better prioritize your resource allocations and security efforts. Once your risk assessment is complete, you can go about defining the goals and objectives you want your program to achieve.

Establish a Dedicated Team

Your typical insider threat actor is not a hacker. They probably don’t work in or have any connection to internal IT. That is one reason why the creation and implementation of an insider threat program should involve more than just IT personnel. You should establish a cross-functional team of individuals with different perspectives, skills, and expertise. The team should include representatives from departments such as IT, security, legal, human resources, and risk management. For instance, HR should define a termination process for those who engage in insider threat behavior. Involving team members from different departments will help communicate and implement the plan across the organization.

Physical Security and Training

Physical security sometimes gets ignored in cybersecurity discussions as it plays little role in stopping external threat actors. You might have the best remote access systems in the world, but they might not stop an insider from walking into a data center and introducing a malicious script using a thumb drive. This is where security controls such as access badges, biometric authentication, key cards, or man traps come into play. Security controls such as these can ensure that only authorized individuals can enter restricted areas.

Remember that words can have different meanings. Perimeter security as it relates to external threat actors often refers to firewalls and intrusion detection systems. In terms of physical security, perimeter security includes basic things such as a fence, barrier, or security patrol. Video surveillance plays a critical role in monitoring and recording all the various activities within your organization. In some cases, alarm systems should be implemented to alert security personnel or law enforcement of a physical security breach.

Organizations have begun to recognize the importance of security awareness training for their employees. Often this includes educating them about phishing attacks and how to identify them. Training should also build employees’ awareness of their physical environment. Train them to challenge someone they don’t think should be in a restricted area and to report unusual activity.

Insider Threat Tools and Controls

While many of your security controls and tools can be used effectively against both outside and inside threats, some tools are aimed more at one or the other. Data loss prevention (DLP) tools can ensure that inside users cannot copy and paste sensitive data or attach a financial document to an email. A DLP solution will not only prevent intentional data exfiltration but also stop the sharing of sensitive data caused by a lack of awareness. User and entity behavior analytics (UEBA) uses AI to monitor user behavior and detect anomalies. Whatever tools you use, they must be running 24/7 because, just like external hackers, insiders will typically carry out their harmful actions at times when minimal personnel are present.
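As an added illustration of the kind of rule a UEBA tool applies (example code written for this article, not any product's own logic), the Python below builds a per-user baseline from constructed audit events and flags file reads that happen off-hours or far above that user's normal volume. The working window, the user names and the sample events are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of file-access audit events: (timestamp, user, bytes read).
# Made-up data for illustration, not taken from the article.
SAMPLE_EVENTS = [
    ("2024-03-04T09:12:00", "alice", 2_000_000),
    ("2024-03-04T10:45:00", "alice", 1_500_000),
    ("2024-03-05T11:03:00", "alice", 1_800_000),
    ("2024-03-06T14:20:00", "alice", 2_200_000),
    ("2024-03-07T02:15:00", "alice", 40_000_000),  # 02:15 and ~20x her usual volume
    ("2024-03-04T09:30:00", "bob", 500_000),
    ("2024-03-05T09:40:00", "bob", 600_000),
    ("2024-03-06T09:35:00", "bob", 550_000),
    ("2024-03-07T09:45:00", "bob", 580_000),
]

BUSINESS_HOURS = range(8, 19)  # assumed working window: 08:00 to 18:59


def off_hours(ts: str) -> bool:
    """True when the event falls outside the assumed working window."""
    return datetime.fromisoformat(ts).hour not in BUSINESS_HOURS


def leave_one_out_z(value: int, others: list) -> float:
    """Z-score of value against the user's OTHER events, so one huge transfer
    cannot inflate the very baseline it is being compared against."""
    if len(others) < 2:
        return 0.0  # not enough history to judge
    sigma = pstdev(others)
    return (value - mean(others)) / sigma if sigma > 0 else 0.0


def find_anomalies(events, z_threshold: float = 3.0) -> list:
    """Return one alert per suspicious event, listing the reasons it tripped."""
    by_user = defaultdict(list)
    for ts, user, nbytes in events:
        by_user[user].append((ts, nbytes))
    alerts = []
    for user, recs in by_user.items():
        for i, (ts, nbytes) in enumerate(recs):
            others = [n for j, (_, n) in enumerate(recs) if j != i]
            reasons = []
            if off_hours(ts):
                reasons.append("off_hours")
            if leave_one_out_z(nbytes, others) > z_threshold:
                reasons.append("volume_spike")
            if reasons:
                alerts.append({"user": user, "ts": ts, "reasons": reasons})
    return alerts
```

Run against the sample, only alice's 02:15 read is reported, carrying both reasons; bob's daily reads stay within his own baseline and inside the working window.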

Don’t Forget the Backup

Finally, there is that last line of defense, the backup. The backup is the get-out-of-jail card that you turn to when your protection measures have failed. Whether someone purposely destroyed proprietary data or accidentally deleted an important file, the backup is the magic that brings deleted or damaged data back to life quickly. In addition to a backup system, you need documented data retention policies. These policies will vary by data category.

There is never time to take a breather when it comes to cybersecurity. The moment you do is the moment you become the most vulnerable. Your business can be threatened by strangers you have never met, or counterparts you encounter every day. Having a clearly defined threat program in place makes it a lot easier to systematically protect your assets from both foe and friendly fire.
