Insider Threats

Ask your average Joe about cyber security and they'll likely talk about external attackers: hackers in hoodies sitting in a dark room somewhere, staring at multiple screens with green 3D objects and random lines of code darting across them.
Hollywood has a lot to do with this stereotype.
However, some of the most significant and damaging security incidents occur from insiders, individuals who already have legitimate access to an organisation's systems and data.
What are insider threats?
Simply put, an insider threat is a security risk posed by an employee, supplier, contractor or any other trusted individual.
These threats range from the malicious (think disgruntled employee) to a user simply exposing confidential data through negligence or human error.
Because most security controls are designed to keep attackers out, insider threats often bypass these controls altogether, which is what makes them so dangerous.
Types of insider threats
As touched upon earlier, there isn't just one type of insider threat.
Malicious insiders
Individuals who intentionally misuse their access for personal gain, or sometimes for political or ideological reasons, for example by:
Stealing customer data
Selling confidential information to competitors
Sabotaging systems or services
Human insiders
Employees are assumed to be human, for now at least. I call this category the human insider because one of the hallmarks of being human is that we make mistakes even when trying not to, for example:
Clicking on phishing emails
Sending sensitive information to the wrong recipient
Storing company data on personal devices
You get the picture.
Compromised insiders
A compromised insider is a legitimate user's account that an attacker has taken over, typically through phishing, malware or credential theft.
When activity appears to come from a legitimate source, detection becomes much more difficult.
Why is this such a big deal?
Again, most security controls are deployed to keep malicious actors out.
Insider threats are different because the individuals already have access to the data and systems.
Making things even more difficult, the activity will often blend in with normal day-to-day business operations.
An employee downloading company documents could have a perfectly legitimate reason to do so, or it could be the first sign of data theft.
Reducing the risk
No single solution can eliminate insider threats, but organisations can significantly reduce the risk by combining people, processes and technology, for example:
Security awareness training
Strong access controls and least privilege
Multi-factor authentication (MFA)
User activity monitoring
A key piece of technology in this fight is DLP.
Data Loss Prevention (DLP)
DLP solutions monitor and control the movement of sensitive data within an organisation. They identify confidential information, alert security teams to suspicious activity and prevent unauthorised transfers via USB devices, email, cloud storage and other channels.
While not a complete solution, a well-implemented DLP program provides visibility into how sensitive information is being used and prevents that data from leaving the organisation without authorisation.
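To make the "identify, alert, prevent" loop concrete, here is an added example (not code from the original post or any DLP product) of the content inspection and channel policy a DLP agent applies to outbound events. The events, the internal mail domain, the CONFIDENTIAL marker and the sample card number are all constructed assumptions.

```python
import re

# Constructed outbound events (user, channel, destination, content) standing in for what a DLP agent inspects; not real data.
EVENTS = [
    {"user": "alice", "channel": "email", "dest": "bob@example.com", "content": "Q3 roadmap draft"},
    {"user": "alice", "channel": "email", "dest": "rival@competitor.example", "content": "CONFIDENTIAL pricing sheet"},
    {"user": "carol", "channel": "usb", "dest": "E:\\", "content": "Card 4539 1488 0343 6467 on file"},  # sample number
    {"user": "dave", "channel": "cloud", "dest": "personal-drive.example", "content": "CONFIDENTIAL merger memo"},
    {"user": "dave", "channel": "cloud", "dest": "personal-drive.example", "content": "lunch menu"},
]
INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # candidate card-number digit runs

def luhn_ok(number: str) -> bool:
    """Luhn checksum, so a random run of digits is not mistaken for a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

def classify(content: str) -> set:
    """Content inspection: return the sensitivity labels found in the text."""
    labels = set()
    if "CONFIDENTIAL" in content.upper():
        labels.add("confidential-marker")
    if any(luhn_ok(m) for m in CARD_RE.findall(content)):
        labels.add("payment-card")
    return labels

def decide(event: dict) -> str:
    """Policy: sensitive data may move internally; USB and unsanctioned cloud transfers
    are blocked; external email is let through but alerted on for analyst review."""
    labels = classify(event["content"])
    if not labels:
        return "allow"
    if event["channel"] in ("usb", "cloud"):
        return "block"
    if event["channel"] == "email" and not event["dest"].endswith("@" + INTERNAL_DOMAIN):
        return "alert"
    return "allow"

def run(events=EVENTS) -> list:
    """Evaluate every event and return (user, channel, decision) triples."""
    return [(e["user"], e["channel"], decide(e)) for e in events]
```

Real products add fingerprinting, OCR and user-risk scoring on top of this, but the shape is the same: classify the content, then apply a per-channel policy of allow, alert or block.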
Final Thoughts
The threat posed by insiders remains one of the most challenging risks faced by organisations. Whichever type of insider is involved, the potential impact can be significant.
The key to managing insider threats is recognising that security is about monitoring and protecting what happens within an organisation just as much as it is about keeping attackers out.