IT security is too often focused on perimeter defenses and technical solutions and overlooks the most dangerous part of security, which is employees. The vast majority of employees are honest people and not rogues. But they are careless in where they click and what they open. Outward-facing firewalls work well, so hackers don’t usually try to penetrate those. Their primary attack vector is phishing. This is how hackers have successfully attacked banks, the military, and government. Even the most secure system can be taken down by one careless click.
Everyone Can Serve as an Entry Point to Accessing Data
In the past twenty years, almost every employee within an organization has become a computer user. The CEO who once dictated a letter to a secretary is now tapping on the keyboard himself or herself, thus providing hackers a path to the company’s most carefully guarded secrets. And the CEO and the many people he or she employs know what hackers would like to know, which is where the most valuable data is kept. So the employee becomes the on-the-ground spy for the hacker if he or she can be tricked into being an unwitting accomplice.
Companies might have been lulled into complacency when they installed anti-malware systems and signed up with a managed security services provider. But those do not tackle the difficult problem of tracking what insiders are doing. The move from proprietary log-monitoring SIEM systems, which have been shown not to work, to open source tools like Elasticsearch, which can better correlate events, has helped. But the final step needed is to connect an analytics engine to employee behavior tracking software.
Transferring Data Is Much Easier
The introduction of the internet has also allowed insiders to transfer data more easily. Imagine stealing all your customers’ data on a floppy disk; it just wouldn’t work. Today you can download large amounts of data and send them anywhere in seconds. Additionally, the corporate world and the employee’s private world are no longer walled off from each other. According to Joseph Steinberg, CEO of SecureMySocial, which provides technology that warns people if they are oversharing or making other forms of problematic posts on social media, "people have been acclimated to post whatever they do and are thinking on social media. So they might share something they should not. For example, they could be posting corporate insider information by telling all their friends they are getting a bonus, thus telling investors that revenues are up." What seems like innocent excitement turns into sharing insider information.
Hazards on the internet are only a click away as employees browse various unrelated sites at work, log in to their social media accounts, and so on. Overzealous attempts to block certain websites have had to be rolled back because employers inadvertently cut off access to tools that employees need. We’ve seen all types of incidents, such as an employee putting photos of their kid’s soccer team on Facebook and then receiving an e-mail, opened at work, that looks like it came from the school soccer team committee. Spearphishing is how the vast majority of hackers get inside an organization. When people click on malware and zero-day exploit links, they go right around all that expensive perimeter security and give hackers free rein over the network from the inside. Employee monitoring software has evolved to check for this accidental, careless, and malicious clicking, downloading, and copying.
Setting a Strategy for Insider Threat Detection & Prevention
The first step within an organization should always be education. Most likely, most employees are not aware of spearphishing tactics, the consequences of sending data over insecure web servers or posting about their company on social media, the risks of using unapproved applications on the organization’s computers, and more. Employee monitoring software can help educate users with behavior-shaping guidance alerts, for example, sending notifications to users if they log in to their personal e-mail at work. It is also important to educate employees that some of their public statements outside the office can affect the company’s overall image. Today there is technology to alert employees if they are oversharing or making other problematic social media posts. Reducing social media overexposure can prevent both compliance problems and general information leaks.
However, even with education, employees’ personal actions cannot be controlled, and unfortunately some employees may have malicious intent. This is why many organizations today find it necessary to deploy software that can monitor employee behavior, which can help assess gaps in security infrastructure, identify high-risk users, and, in the unfortunate circumstance that data is lost or system admin access is changed, quickly identify the culprit.
Any activity that can expose or endanger an organization needs to be identified. There are the basics that we’ve already covered, such as sending data via instant messenger or holding extra access to systems not necessary for someone’s role. However, the basics are just good enough to get started. Every organization has its own unique access points, and those need to be identified as quickly as possible. What do we mean? Here’s an example. We have a customer, a large law firm that mainly deals with mergers and acquisitions. One of their employees’ printers wasn’t working, so she decided to send the print job to another department’s printer. Luckily, our anomaly detection caught that this was an unusual request and stopped the action. Why? Well, if the employee had been allowed to send the documents to another department, someone else could have seen them and acquired privileged information, which would most likely lead to a multimillion-dollar lawsuit as well as jail time for illegal disclosures.
With Teramind’s employee monitoring software, these types of anomalies are detected, high-risk behavior is prevented, and precious experience and knowledge is gained to help organizations protect their data. Once these activities are identified, scores should be assigned to each unwanted action. This way it’s easy to identify which users and departments violate the most rules and participate in harmful activities. Now for prevention. Prevention can come in many different forms, and administrators’ decisions about prevention should be proportional to the risk level of the activity. Depending on the level of risk of the action, Teramind can notify, block, redirect, log out, or even lock out the user.
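To make the scoring and proportional-response idea concrete, here is a small Python illustration added to this post; it is not Teramind code and does not reflect how Teramind’s product is built. It runs a few constructed activity events (a personal e-mail login, a print job sent to another department’s printer like the law-firm case above, an instant-messenger attachment, access to a system outside the user’s role) through simple rules, assigns a score to each hit, maps the score to one of the response tiers named above, and then totals scores per user and per department. The rule names, printer-to-department table, role-to-system table, score values and thresholds are all assumptions chosen for the example.

```python
"""Toy insider-risk scoring engine (added illustration, not Teramind code).

Each activity event is matched against rules; every rule carries a score
and a response proportional to that score. Scores are then totalled per
user and per department so the noisiest sources of policy violations
stand out, and a user whose total crosses a ceiling is escalated.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical lookup tables (assumptions for the example).
PERSONAL_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
PRINTER_DEPT = {"prn-ma-01": "M&A", "prn-lit-02": "Litigation"}
ROLE_SYSTEMS = {"M&A": {"deal-room", "dms"}, "Litigation": {"dms", "docket"}}
LOCKOUT_TOTAL = 80  # cumulative score at which a user is locked out


@dataclass
class Event:
    user: str
    dept: str
    action: str   # "login", "print", "im_send" or "sys_access"
    detail: dict


@dataclass
class Finding:
    user: str
    dept: str
    rule: str
    score: int
    response: str


def response_for(score):
    """Map a single-event score to a response tier, least to most disruptive.

    The tier order follows the text (notify, block, redirect, log out,
    lock out); the numeric thresholds are assumptions.
    """
    if score >= 80:
        return "lockout"
    if score >= 60:
        return "logout"
    if score >= 40:
        return "redirect"
    if score >= 20:
        return "block"
    return "notify"


# Each rule returns (rule_name, score) on a hit, or None.
def rule_personal_email(ev):
    if ev.action == "login" and ev.detail.get("site") in PERSONAL_MAIL:
        return ("personal_email_login", 10)   # low risk: guidance alert only


def rule_cross_department_print(ev):
    # The law-firm case: a print job routed to a printer another team can see.
    if ev.action == "print":
        if PRINTER_DEPT.get(ev.detail.get("printer")) != ev.dept:
            return ("cross_department_print", 30)


def rule_im_attachment(ev):
    if ev.action == "im_send" and ev.detail.get("attachment"):
        return ("im_attachment", 30)


def rule_out_of_role_access(ev):
    if ev.action == "sys_access":
        if ev.detail.get("system") not in ROLE_SYSTEMS.get(ev.dept, set()):
            return ("out_of_role_access", 65)


RULES = [rule_personal_email, rule_cross_department_print,
         rule_im_attachment, rule_out_of_role_access]


def evaluate(events):
    """Run every rule over every event and return the list of findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                name, score = hit
                findings.append(Finding(ev.user, ev.dept, name, score,
                                        response_for(score)))
    return findings


def totals(findings):
    """Total scores per user and per department."""
    by_user, by_dept = defaultdict(int), defaultdict(int)
    for f in findings:
        by_user[f.user] += f.score
        by_dept[f.dept] += f.score
    return dict(by_user), dict(by_dept)


def escalations(findings):
    """Users whose cumulative score reaches LOCKOUT_TOTAL get the top tier."""
    by_user, _ = totals(findings)
    return {u: "lockout" for u, s in by_user.items() if s >= LOCKOUT_TOTAL}


# Constructed sample activity, not real log data.
SAMPLE_EVENTS = [
    Event("alice", "M&A", "login", {"site": "gmail.com"}),
    Event("alice", "M&A", "print", {"printer": "prn-lit-02"}),
    Event("bob", "Litigation", "im_send", {"attachment": True}),
    Event("bob", "Litigation", "sys_access", {"system": "deal-room"}),
    Event("carol", "M&A", "print", {"printer": "prn-ma-01"}),
    Event("alice", "M&A", "sys_access", {"system": "deal-room"}),
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.user:6} {f.rule:24} score={f.score:3} -> {f.response}")
    print("per user:", totals(found)[0], "per dept:", totals(found)[1])
    print("escalations:", escalations(found))
```

Two design points are worth noting. The per-event response is deliberately mild for the personal e-mail login (a notification, matching the behavior-shaping alerts described earlier), while the out-of-role access alone is enough to log the user out; the cumulative total is what drives the lockout, so a user who trips several medium-risk rules is treated differently from one who trips a single one. In a real deployment the thresholds and scores would be tuned per organization, as the text says every organization has its own unique access points.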