Underestimating Internal Dangers: Mitigating the Cyber Threat from Within

The cybersecurity risks that companies are most concerned about usually come from external attacks. At the same time, threats from their own employees, both accidental and malicious, are being overlooked, even though insiders have been responsible for 58% of cybersecurity breaches in recent years.

As a result, a large proportion of companies may lack a strategy to address insider risk, leaving them vulnerable to financial, operational and reputational damage.

Understanding the risk

Threats from within have always had the mystique of espionage and spies, but that is usually not the case. At one end of the spectrum are employees who access company data and then accidentally share it, or disgruntled staff. At the other end are nation-state actors who try to gain access to sensitive government and corporate information or to disrupt critical national infrastructure.

It’s a delicate issue for companies to address because anyone can be an insider threat, intentionally or unintentionally, and a balance must be struck between an organization’s security and an individual’s personal freedom.

The first obstacle to an effective cybersecurity strategy is a risk that is not fully understood. How do you decide which protective controls to put in place against data exfiltration or disruption when there are so many different motives and methods?

Paul Lewis, CISO, Nominet.

Detection, not surveillance

First, a line must be drawn between monitoring for possible signs of insider risk and surveilling employees. The latter can damage corporate culture and ignores both the important balance between security and freedom and the legal safeguards that already exist.

That said, some form of threat mitigation and detection still needs to be in place. A useful tool in the arsenal is web content URL filtering, which blocks malicious websites when, for example, an employee clicks a link in a phishing email or accidentally visits a malicious site and inadvertently exposes the organization to risk. Such technology usually works hand in hand with Data Leakage Prevention (DLP). DLP uses keywords and analytics to search outbound content for sensitive data, such as credit card numbers or personally identifiable information, and blocks that information from leaving the organization.
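To make the DLP step concrete, here is an added example (not code from the article or its author) of a minimal outbound-content check for card numbers: a candidate pattern filtered by the Luhn checksum so that invoice references and phone numbers do not trigger blocks, with findings masked so the alert itself does not leak the value. The sample messages are constructed.

```python
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding is safe to log."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def dlp_decision(message: str) -> dict:
    """Block an outbound message that carries a card number; otherwise allow it."""
    hits = find_card_numbers(message)
    return {"action": "block" if hits else "allow", "findings": [mask(h) for h in hits]}


# Constructed sample outbound messages; the first uses a well-known test card number,
# the second a 16-digit reference that fails Luhn, the third an 11-digit phone number.
SAMPLE_OUTBOUND = [
    "Hi, can you charge the deposit to 4111 1111 1111 1111 before Friday?",
    "Quote attached, our reference is 1234 5678 9012 3456.",
    "Call me on 020 7946 0958 when the report is ready.",
]


def scan_outbound(messages=SAMPLE_OUTBOUND) -> list:
    """Apply the DLP decision to every message in order."""
    return [dlp_decision(m) for m in messages]
```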

Because these tools can effectively track browsing behavior, they must be tightly controlled: only a small number of people in an organization should have access to that data, and even that access should go through several layers of approval. Business leaders must trust their employees, demonstrate that they do, and use these tools only as a safety net. The goal is to detect, protect and resolve the problem.

Use effective intervention methods

Background checks and vetting are important measures that limit the possibility of an insider threat from the outset. When it comes to managing an existing team, however, other methods need to be explored. For systems and services, for example, audit data and the cyber equivalent of double-entry bookkeeping should be considered.

More mature organizations can use honeypots or canary tokens: information planted on their systems that looks sensitive but is fake. Nobody has a legitimate reason to touch it, so if someone accesses it or leaks it, that access is easily tracked and is a strong indicator of an insider threat.
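As an added illustration of the canary-record idea (example code, not from the article or its author), the following seeds a fake customer record and runs detection over a constructed application access log: any user who views or exports the canary is surfaced, with an export ranked above a view. The record id, log format and severity scale are all assumptions.

```python
import re
from collections import defaultdict

# Constructed canary record: looks like a real customer row but is fake, so nobody has a
# legitimate reason to open or export it and any access is a high-fidelity signal.
CANARY_RECORDS = {
    "CUST-00091337": {"name": "Example Canary Ltd", "note": "draft merger terms"},
}

# Constructed application access log: timestamp, user, action, record id.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice VIEW CUST-00004521
2024-05-01T09:05:47Z bob VIEW CUST-00007733
2024-05-01T11:18:03Z bob EXPORT CUST-00091337
2024-05-01T11:18:09Z bob EXPORT CUST-00007733
2024-05-02T02:41:55Z bob VIEW CUST-00091337
2024-05-02T08:30:00Z carol VIEW CUST-00004521
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>[A-Z]+) (?P<record>\S+)$")

# Assumed severity scale: exporting a canary is worse than merely viewing it.
SEVERITY = {"EXPORT": "critical", "VIEW": "high"}


def parse_log(text: str):
    """Yield one event dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def canary_alerts(log_text: str, canaries=CANARY_RECORDS) -> dict:
    """Group every access of a canary record by user, with a severity per access."""
    alerts = defaultdict(list)
    for ev in parse_log(log_text):
        if ev["record"] in canaries:
            alerts[ev["user"]].append(
                {"ts": ev["ts"], "action": ev["action"],
                 "severity": SEVERITY.get(ev["action"], "medium")}
            )
    return dict(alerts)


def users_to_investigate(log_text: str) -> list:
    """Users who touched a canary, most severe first (alice and carol never appear)."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    alerts = canary_alerts(log_text)
    return sorted(alerts, key=lambda u: min(rank[a["severity"]] for a in alerts[u]))
```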

Adopting a deterrence strategy, such as information classification, is also useful. Systems that store large amounts of sensitive information, data that can be sold or held to use against someone, will be obvious targets for insiders. A protective marking such as “confidential” could entice or deter these individuals because it makes clear that certain information is important, controlled and handled with care. It also allows organizations to shield and apply controls to the specific information that is sensitive to them.

Responding to an insider incident

Incident response to insider threats is very similar to other types of data breaches, but with one important caveat. An employee is a trusted person by default. They are therefore able to do significantly more damage than an external threat actor, because they know the internal workings of the business and their way around potentially complex systems. For example, revoking the employee’s access in full should be a priority in mitigating the impact of an insider threat when a malicious breach is suspected.

Reporting the incident is ultimately the same kind of process, but the way an organization initially approaches the individual will differ from its approach to third parties. In these circumstances it is especially important to have irrefutable evidence, as accusing someone who is innocent can cause significant damage to the company and to the individual.

Insider threats are all too often in companies’ blind spots. Focusing exclusively on external threats, perhaps to avoid tension or a perception of mistrust in the workplace, leaves organizations and their employees vulnerable to the real threat posed by insiders, which is often greater than the threat posed by external actors. Addressing insider risk is a critical part of any robust cyber strategy and should not be overlooked.


This article was produced as part of TechRadar Pro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadar Pro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
