How to Reduce Insider Security Threats and Protect Data Against Loss
Insider threats are a major concern to businesses, government agencies and other parties who are vulnerable to cyberattacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) estimates that insider threat incidents cost victims $130 billion per year, and affect 2 million people on average. CISA is part of the U.S. Department of Homeland Security and looks at the effects of these types of hacking on victims. Their estimates show, for example, that the average out-of-court settlement for businesses found negligent in data breaches is $500,000 with an average jury award of $3 million at trial.
There are multiple components, too, to what insider threats cost a business. Insider threats lead to things like loss of sensitive company and customer data, IP theft, disruption of IT services and of course, financial loss, as well as loss of reputation.
Insider Threats Definition
CERT’s National Insider Threat Center defines an insider threat as “the potential for an individual who has or had authorized access to an organization’s assets to use their assets either maliciously or unintentionally to act in a way that could negatively affect the organization…”
RAND Corporation defines it similarly, while Ernst & Young cites “the threat a current or former employee, contractor, (or) business partner (poses)…” and the U.S. Department of Defense (DoD) refers to “(cyberattackers) use authorized access, wittingly or unwittingly, to do harm to the security of the United States or classified national security information.”
Simply put, an insider attack involves someone inside the company, whether that’s a current or former employee, a contractor, a vendor, or someone else with inside knowledge.
Advantages Insider Threats Have Over Others
There are some reasons that businesses spend time focusing specifically on insider threats within an organization.
One is that insiders often have better access to sensitive information. In past articles, we’ve outlined how cyber attackers use things like credential stuffing and brute force attacks to get the information they need to infiltrate a network. But an insider will often have an existing legitimate account, and get inside the system that way, expediting the attack.
Another thing that insiders have, in many cases, is a better understanding of systems and sensitive data.
Insiders will tend to know more about what the network is protecting, and how to get at it. They may know more about the cybersecurity that’s in place within a system, too. It’s the digital age equivalent of the employee who knows how to disable site security cameras and where the valuable goods are stored. This is another reason that insider threats are so threatening.
Prominent Insider Threat Examples: How They Happen
These high-profile insider threat incidents cost the companies involved a lot of money. They are cautionary examples of what happens when sensitive data gets exposed in the ways mentioned above.
General Electric’s Trade Secret Theft
When a former employee stole trade secrets regarding calibrating turbines for power plants, GE’s business was severely impacted as it lost its ability to secure bids.
In 2020, the hackers were convicted and ordered to pay General Electric $1.4 million in damages, which shows how the court valued GE’s loss of business as a result of the stolen data.
Capital One and AWS
Banking giant Capital One suffered a massive data breach after an AWS employee took advantage of a misconfigured web application firewall and got access to 100 million customer accounts.
The incident highlighted vulnerabilities businesses face from their vendors with Capital One eventually estimating the damage at $150 million.
Comparitech and the Open Database
In December 2019, we learned that failure to secure a database left 250 million Microsoft records exposed. The reason? A negligent insider.
The company never quantified the damage of this negligent insider threat, but it remains a prominent example of sensitive data being left out on the open web for everyone to see.
Boeing and Recruitment by China
As a sort of ‘retro’ example of a recruitment attack, some experts mention the Boeing debacle, where the Chinese government was reportedly able to recruit an inside employee to get trade secrets from the American aerospace contractor.
There isn’t a lot of information available about the details of the attack, but it’s a stark warning for the lengths threat actors are willing to go to take advantage of those with insider access to sensitive data.
Look For These Potential Insider Threat Indicators
Certain indicators help organizations know what to look out for when heading off potential insider threats.
One aspect is professional stressors that might provoke people to act maliciously toward the organization. Analyzing pay, write-ups and things like retaliation can leave an organization less vulnerable to certain kinds of insider threats, like those conducted by disgruntled employees.
Recognizing behavioral patterns also helps. Tools like User and Entity Behavior Analytics (UEBA) can establish a baseline of what’s normal within a network. Events that deviate from that baseline can then be flagged for further evaluation, which can prevent or mitigate an insider threat.
There’s also the value of inside intelligence, where coworkers and peers can be the first to spot evidence of an insider threat either happening, or likely to happen.
A “see something, say something” campaign can nip an insider threat in the bud.
How to Reduce Insider Security Threats
Here are some of the best pieces of advice given by government agencies, professional groups and various experts on how to protect networks.
Create a Robust Platform
One overarching principle is to create the kind of program that is likely to be effective against insider threats. Groups like CISA offer phased processes such as “Detect and Identify – Assess – Manage.” NIST offers its own Cybersecurity Framework (NIST CSF), which is helpful for this type of planning.
Include the Right People in the Right Ways
It’s also helpful to properly delegate work when putting together your cybersecurity program.
Many tasks and responsibilities, ideally, have point people whose job is to manage aspects of the program. You may also have data governance experts or data stewards in the mix to help protect sensitive data sets, or an internal task force whose work is to prioritize combating insider threats. Not every organization has the same resources to attack the insider threat problem, but the goal is the same: build a team that is thinking about this ever-evolving threat, and focus your insider threat program so that it is as effective as possible.
Go Beyond the Gates of the Network
Yesterday’s network protection systems tended to focus on firewalls and conventional segmentation tools.
But you’re not likely to ward off insider threats this way. As mentioned, insiders often have legitimate credentials and ways of getting deep inside the network. That means that the cybersecurity solutions should be much deeper, too.
Using UEBA and collecting user activity data can help experts to evaluate and spot suspicious behavior that would otherwise happen under the radar.
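To make the baselining idea above concrete (this section and the earlier “Recognizing behavioral patterns” passage), here is an added example that is not part of the original article or any UEBA product. It builds a per-user baseline from a constructed, hypothetical activity-log format (timestamp, user, action, host, bytes transferred), then scores new events on three signals: activity outside the user’s usual hours, first-time access to a host, and a transfer volume far above the user’s mean. The log lines, user names and thresholds are all made up for the demonstration.

```python
"""Toy UEBA-style baselining over user activity logs (added example, not from the article)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import statistics

# Constructed sample log lines: "<ISO timestamp> <user> <action> <host> <bytes>"
# (a hypothetical format invented for this example, not any product's real schema).
TRAINING_LOG = [
    "2024-03-04T09:05:00 alice download fileserver-01 120000",
    "2024-03-04T11:20:00 alice download fileserver-01 100000",
    "2024-03-05T13:40:00 alice download fileserver-01 140000",
    "2024-03-06T15:10:00 alice download fileserver-01 110000",
    "2024-03-07T16:55:00 alice download fileserver-01 130000",
    "2024-03-04T08:30:00 bob download build-01 50000",
    "2024-03-05T10:15:00 bob download build-01 55000",
    "2024-03-06T17:45:00 bob download build-01 45000",
]
NEW_LOG = [
    "2024-03-08T10:00:00 alice download fileserver-01 110000",  # normal
    "2024-03-08T02:30:00 alice download fileserver-01 115000",  # odd hour only
    "2024-03-08T23:00:00 alice download hr-db-01 9000000",      # odd hour, new host, huge volume
    "2024-03-08T12:00:00 mallory download fileserver-01 1000",  # user with no baseline
]


@dataclass
class Event:
    user: str
    ts: datetime
    action: str
    host: str
    bytes_out: int


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, user, action, host, nbytes = line.split()
    return Event(user, datetime.fromisoformat(ts), action, host, int(nbytes))


@dataclass
class Baseline:
    hour_range: tuple   # (earliest, latest) hour of day seen during training
    hosts: set          # hosts this user normally touches
    mean_bytes: float   # mean bytes per event
    std_bytes: float    # population std dev; 0.0 when only one sample exists


def build_baselines(events):
    """Summarize each user's normal hours, hosts and transfer volume."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    baselines = {}
    for user, evs in per_user.items():
        hours = [e.ts.hour for e in evs]
        vols = [e.bytes_out for e in evs]
        baselines[user] = Baseline(
            hour_range=(min(hours), max(hours)),
            hosts={e.host for e in evs},
            mean_bytes=statistics.mean(vols),
            std_bytes=statistics.pstdev(vols) if len(vols) > 1 else 0.0,
        )
    return baselines


def score_event(e, baselines, z_threshold=3.0):
    """Score one event against its user's baseline; higher means more unusual."""
    b = baselines.get(e.user)
    if b is None:
        return 3, ["no baseline for this user"]
    score, reasons = 0, []
    lo, hi = b.hour_range
    if not lo <= e.ts.hour <= hi:
        score += 1
        reasons.append(f"activity at {e.ts.hour:02d}:00, outside usual {lo:02d}-{hi:02d}")
    if e.host not in b.hosts:
        score += 1
        reasons.append(f"first access to {e.host}")
    # Volume z-score, guarding the zero-variance case so we never divide by zero.
    if b.std_bytes > 0:
        z = (e.bytes_out - b.mean_bytes) / b.std_bytes
    else:
        z = 0.0 if e.bytes_out <= b.mean_bytes else float("inf")
    if z > z_threshold:
        score += 2
        reasons.append(f"volume {e.bytes_out} is {z:.1f} std devs above the mean")
    return score, reasons


def flag_events(lines, baselines, min_score=2):
    """Return (user, timestamp, score, reasons) for events worth an analyst's look."""
    flagged = []
    for e in (parse_line(line) for line in lines):
        score, reasons = score_event(e, baselines)
        if score >= min_score:
            flagged.append((e.user, e.ts.isoformat(), score, reasons))
    return flagged


if __name__ == "__main__":
    bl = build_baselines([parse_line(line) for line in TRAINING_LOG])
    for row in flag_events(NEW_LOG, bl):
        print(row)
```

Running the demo flags only the 23:00 transfer to a host alice has never used and the event from a user with no history at all; the single off-hours download scores below the review threshold, which is the point: one weak signal is noise, several together are worth a look. A real deployment would use a far longer training window and per-day rather than per-event volumes, but the structure (baseline, compare, escalate on combined deviations) is the same.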
Another good pillar of a cybersecurity program to combat insider threats involves endpoint monitoring.
Many insiders, when they carry out their attacks, use internal endpoints like company workstations or devices with access to the company network. Monitoring these endpoints strategically can give you early warning of an insider threat that may be in the works.
In the old days, companies often glued shut USB ports so that people couldn’t steal files with a flash drive. Today’s strategies more often include digital surveillance so that hackers can be foiled in real time, in wireless and digital environments.
Identify Assets and Prioritize Risk
Of course, part of good network protection is knowing what data is sensitive, and where it is. Then planners can put in place a comprehensive plan to protect data in use, data at rest and data in transit.
Staying adaptive and changing with the times is part of putting together the best insider threat management program. Things can and will change – as hackers find new ways of attacking and companies find new ways of securing data. Multifactor authentication is one good example – although hackers have just now started to spoof MFA protection, it’s still one of the best practices for keeping out illegitimate users and preventing brute force credential theft.
Focus on Training
Many aspects of a good cybersecurity program involve public awareness and training.
Experts talk about how many insider threats use social engineering to target people as the weakest link in the network architecture.
When a hacker can trick someone into giving up data directly, no network infiltration is necessary. Phishing and social engineering attacks are, sadly, one of the most common attack vectors that companies have to watch out for.
Keep Active with the Program Consistently
It’s all well and good to set up fancy new network protections, but unless they are consistently maintained and implemented, they will fall short of providing the necessary protections. And you can’t plan when an insider will undertake a malicious attack.
Building an Insider Threat Program
Along with everything above, companies should look at their insider threat program from a comprehensive level and figure out whether it is tailored to what the company needs.
Addressing Top Cybersecurity Principles
It helps to keep overarching cybersecurity principles in mind when creating an insider threat program.
One example is a zero trust model, where the default is to lock out unauthenticated users.
Another is the principle of robust authentication where, as mentioned, multi-factor authentication foils many hacking attempts based on brute force attacks.
Another big principle is enforceable policy. In some of the above examples, we see that employees simply didn’t secure data correctly. Enforceable policy provides more of a guarantee that these sorts of deficiencies won’t happen.
Customizing to the Need
Along with those principles, it makes sense to look at a company’s unique architecture and network topology, and match the insider threat program to it. Which databases hold the most sensitive information? Where are web servers vulnerable? Where are firewalls doing important work to protect data at the perimeter?
Going more fully into these types of questions helps fine-tune an insider threat program.
Programs are Preemptive
At a core level, insider threat programs are about preemptive cybersecurity. They benefit from high-tech tools that can observe network behavior, and from automation that helps a team do more to protect systems. Looking at the best cutting-edge technology for network protection, we can see how security professionals are battling black hats for the future of network security.