The cyberthreat landscape keeps evolving as fast as the solutions marketed by today’s cybersecurity vendors. Even though most security products keep up (for now), it only takes one missed step for a company to find itself on the wrong end of a costly lawsuit or a PR disaster.
Lost in the noise of ransomware, DDoS and phishing attacks is a class of threat that can be more costly and even more elusive. You can deploy as many firewalls as you like and train your employees against attacks from the outside, but what do you do about those that come from within?
Call them insider threats, malicious insiders or sleeper agents: people with harmful intent and legitimate access to sensitive information pose a far greater problem than most external threats, because the controls built to keep outsiders out do not apply to them.
If you have been worrying about insider threats, you are not alone. Veratio’s 2018 Insider Threat Survey found that 56 percent of IT professionals consider regular employees to be the biggest threat to their company, and 86 percent believe confidential company data is already exposed.
Malicious insiders also keep making the news, fueling (and justifying) such assumptions. Mercedes famously sued one of its ex-employees, Benjamin Hoyle, whom it accused of stealing sensitive information and passing it to Ferrari.
Similarly, a partner at a venture capital firm was found to have been poaching deals from his old firm for almost two years because he still had access to its Dropbox account: a textbook case of access that was never revoked when he left. Each time the old firm proposed a deal, he had his new employer undercut it with a better offer.
Malicious insiders are perplexing because no immediate solution comes to mind. They do not need to bypass security controls; they already hold legitimate access rights by virtue of being employees. Nor do they have to leave the company to harm it: they can continue siphoning information while still on the payroll.
Defensive measures aimed at employees can also easily fuel organization-wide fear and paranoia, with everyone constantly looking over their shoulders and suspecting one another, which hurts morale and productivity. Obviously, the issue needs to be handled with care.
The Many Faces of an Insider Threat
While the disgruntled employee taking revenge for a missed promotion is the typical archetype, insider threats come in many forms:
Inadvertent Insiders: Not all threats are intentional. Employees unwittingly committing acts that compromise company data were a concern for about half of the companies surveyed in a 2018 insider threat report. Employees in this category are generally compliant and take due precautions; their errors are isolated mistakes.
These can include connecting unsecured personal devices to the company network, sharing information without realizing it is confidential, opening phishing emails on company-issued devices or email accounts, and browsing websites that host malicious content.
People prone to such actions are also targeted by outside attackers, since they are far easier to “hack” than a company’s technical security measures. Common techniques used against them include man-in-the-middle (MitM) attacks, tricking the target into clicking infected links or attachments, and exploiting misconfigured servers.
Insider Collusion: Essentially double agents working inside a company, colluders are rare but can pose a significant threat to a company’s interests because of their scope of operation. A study by CERT (the Carnegie Mellon Software Engineering Institute’s CERT Division) also found collusion to account for roughly 48 percent of all insider incidents, including fraud and intellectual property theft.
Persistent Malicious Insiders: These insiders know what they are doing and look for information that can bring them financial rewards. Also known as “second streamers”, a persistent malicious insider takes special care to remain undetected and tries to gain access to high-value segments of the company to maximize the payoff. A Gartner study found second streamers to account for 62 percent of all insider threats.
Disgruntled Employees: People dissatisfied with how they are being treated are likely to retaliate by stealing (classified) information, or taking it with them when moving to a new job. They may also sabotage the company by planting false leads or convincing high-performing employees to leave. The infamous Morgan Stanley breach, in which financial adviser Galen Marsh downloaded the account data of roughly 350,000 clients, some of which later appeared on Pastebin, is a good example of how much damage a company’s own employees can cause.
Combating Insider Threats One Step at a Time
Current insider threat detection and prevention measures such as dragnet monitoring, event detection and manual investigation often fall short: they either generate far too many false positives or require an intensive manual study of each case that takes too long to produce useful leads. Usually management gets nowhere while the breaches continue, or regular employees end up resentful, or even malicious, because they are treated with a “guilty until proven innocent” attitude.
Instead, leading cybersecurity experts propose a three-pronged strategy:
- Microsegmentation
- Culture Change
- Prediction
Microsegmentation: Instead of opting for an off-the-shelf insider threat protection product, companies should first understand their data and how their workforce interacts with it, to get a better idea of where the real risks lie.
A company’s Identity and Access Management (IAM) and HR data can be combined to work out which groups of employees hold access to the most sensitive data assets. The groups that pose the greatest risk can then be identified, so that focused controls can be designed for them.
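The access review described above can be done mechanically once the three data sets are side by side. The following is an added example, not code from the original article or from any product it mentions: it joins a hypothetical IAM entitlement export with HR records and a data-classification inventory, ranks departments by the total sensitivity of what their users can reach, and flags the grants a reviewer would want to look at first (accounts with no HR owner, grants surviving termination, access outside the documented role, and restricted data held by someone in their notice period). All user names, departments, assets and sensitivity levels are constructed sample data.

```python
"""Access-exposure review: join an IAM entitlement export with HR data and a
data-classification inventory to rank employee groups by the sensitivity of
what they can reach, and flag grants that warrant attention.

Added example, not from the original article. All identifiers, departments,
assets and sensitivity levels below are constructed sample data."""
from collections import defaultdict

# HR export (constructed): who each person is and their employment status.
HR_RECORDS = [
    {"user": "alice", "dept": "finance", "status": "active"},
    {"user": "bob", "dept": "finance", "status": "notice_period"},
    {"user": "carol", "dept": "marketing", "status": "active"},
    {"user": "dave", "dept": "engineering", "status": "active"},
    {"user": "erin", "dept": "marketing", "status": "terminated"},
]

# Data-classification inventory (constructed): 0 = public .. 3 = restricted.
ASSET_SENSITIVITY = {
    "client-ledger": 3,
    "payroll": 3,
    "source-repo": 2,
    "campaign-drive": 1,
    "intranet-wiki": 0,
}
RESTRICTED = 3

# Documented business need per department (constructed): the baseline that
# every grant is checked against.
ROLE_NEEDS = {
    "finance": {"client-ledger", "payroll", "intranet-wiki"},
    "marketing": {"campaign-drive", "intranet-wiki"},
    "engineering": {"source-repo", "intranet-wiki"},
}

# IAM entitlement export (constructed): (user, asset) pairs as an access
# management system would list them.
IAM_GRANTS = [
    ("alice", "client-ledger"), ("alice", "payroll"), ("alice", "intranet-wiki"),
    ("bob", "client-ledger"), ("bob", "intranet-wiki"),
    ("carol", "campaign-drive"), ("carol", "client-ledger"), ("carol", "intranet-wiki"),
    ("dave", "source-repo"), ("dave", "payroll"),
    ("erin", "campaign-drive"),
    ("mallory", "payroll"),  # account with no HR record at all
]


def exposure_by_department(hr=HR_RECORDS, grants=IAM_GRANTS, assets=ASSET_SENSITIVITY):
    """Sum the sensitivity of every asset each department's users can reach.

    Returns (department, score) pairs, highest exposure first; accounts with
    no HR record are grouped under "unknown" rather than silently dropped.
    """
    dept_of = {r["user"]: r["dept"] for r in hr}
    score = defaultdict(int)
    for user, asset in grants:
        score[dept_of.get(user, "unknown")] += assets[asset]
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def access_findings(hr=HR_RECORDS, grants=IAM_GRANTS, assets=ASSET_SENSITIVITY, needs=ROLE_NEEDS):
    """Classify each grant; returns (kind, user, asset) tuples, most urgent first.

    no_hr_record: IAM identity with no HR owner (orphaned or shared account)
    orphaned:     holder has left the company but the grant still exists
    unjustified:  asset is outside the holder's documented role needs
    flight_risk:  holder is in their notice period and retains restricted data
    """
    record = {r["user"]: r for r in hr}
    priority = {"no_hr_record": 0, "orphaned": 1, "unjustified": 2, "flight_risk": 3}
    findings = []
    for user, asset in grants:
        rec = record.get(user)
        if rec is None:
            kind = "no_hr_record"
        elif rec["status"] == "terminated":
            kind = "orphaned"
        elif asset not in needs[rec["dept"]]:
            kind = "unjustified"
        elif rec["status"] == "notice_period" and assets[asset] >= RESTRICTED:
            kind = "flight_risk"
        else:
            continue
        findings.append((kind, user, asset))
    return sorted(findings, key=lambda f: (priority[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for dept, score in exposure_by_department():
        print(f"{dept:12s} exposure={score}")
    for kind, user, asset in access_findings():
        print(f"{kind:13s} {user:8s} {asset}")
```

The ordering of the checks matters: an account that has no HR owner or belongs to someone who has left is a finding regardless of whether the access was once justified, which is exactly the Dropbox situation described earlier in the article. The "unknown" bucket in the exposure ranking is deliberate; in a real export it is where service and shared accounts surface.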
Network segmentation can then provide incremental security, ensuring access rights are granted only as and when needed. While existing on-premise and hybrid-cloud ERP solutions do allow for microsegmentation, implementation can get tedious, as the solution must be tailored to every company’s data set and business interests.
The vast majority of network segmentation strategies create Virtual Local Area Networks (VLANs), each separated by a firewall or router access control lists (ACLs). But VLANs often take 6 to 10 months to implement properly, during which time applications must be migrated to their respective VLANs, causing significant downtime.
A better strategy is to bake microsegmentation into a company’s ERP suite from the start. Since postmodern ERP solutions can add applications and networks more easily, they make an ideal starting point for a point-defense strategy as well.
Postmodern ERP can leverage software-defined and virtualized networks to partition data and traffic more granularly. Different policies can be created for each scenario, limiting data and application flow between environments. These suites also come with access-rights security policies and identity analytics out of the box, which can be tailored to each company’s requirements during implementation. The caveat is that segmentation only protects against insiders if the policies default to deny and are reviewed against actual access needs; a single rule that lets a low-trust environment reach the most sensitive segment quietly undoes the whole design.
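What "limiting data and application flow between environments" looks like as a policy can be shown with a small model. The following is an added example, not from the original article and not tied to any ERP, SDN or cloud product: it defines explicit allow rules between named segments with default deny, computes which segments a given starting point can reach transitively (the lateral-movement surface an insider in that segment would have), and audits the rules for the two mistakes that most often hollow out a segmentation design, a rule that jumps straight from a low-trust environment into the most sensitive tier and a rule that opens every port toward a more sensitive segment. Segment names, trust tiers and rules are constructed sample data.

```python
"""Minimal microsegmentation policy model: explicit allow rules between named
segments with default deny, a transitive-reachability check, and an audit that
flags rules which bridge a low-trust environment straight into sensitive data.

Added example, not from the original article and not tied to any ERP or SDN
product; segment names, trust tiers and rules are constructed sample data."""
from collections import deque
from dataclasses import dataclass

# Trust tier per segment (constructed): higher means more sensitive.
SEGMENT_TRUST = {
    "internet": 0,
    "dev": 1,
    "corp-workstations": 1,
    "erp-app": 2,
    "erp-db": 3,
}

ANY_PORT = 0


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int  # ANY_PORT means every port


# Constructed policy. The last rule is the kind of shortcut that creeps in
# during a migration and quietly undoes the segmentation.
POLICY = [
    Rule("corp-workstations", "erp-app", 443),
    Rule("erp-app", "erp-db", 5432),
    Rule("dev", "erp-db", ANY_PORT),
]


def is_allowed(policy, src, dst, port):
    """Default deny: a flow passes only if an explicit rule matches it."""
    return any(r.src == src and r.dst == dst and r.port in (ANY_PORT, port)
               for r in policy)


def reachable(policy, start):
    """Every segment `start` can reach transitively, i.e. the lateral-movement
    surface available to someone sitting in that segment."""
    seen, queue = set(), deque([start])
    while queue:
        cur = queue.popleft()
        for r in policy:
            if r.src == cur and r.dst not in seen and r.dst != start:
                seen.add(r.dst)
                queue.append(r.dst)
    return seen


def audit(policy, trust=SEGMENT_TRUST, max_step=1):
    """Flag rules that climb more than `max_step` trust tiers in one hop, or
    open every port toward a more sensitive segment."""
    findings = []
    for r in policy:
        climb = trust[r.dst] - trust[r.src]
        if climb > max_step:
            findings.append((r, "skips-tier"))
        elif climb > 0 and r.port == ANY_PORT:
            findings.append((r, "any-port"))
    return findings


if __name__ == "__main__":
    print("workstation -> db on 5432 allowed?",
          is_allowed(POLICY, "corp-workstations", "erp-db", 5432))
    print("reachable from dev:", sorted(reachable(POLICY, "dev")))
    for rule, why in audit(POLICY):
        print(f"{why}: {rule.src} -> {rule.dst}:{rule.port or 'any'}")
```

Two design points are worth noting. Reachability is computed over the rule graph rather than per rule, because a workstation that can only reach the application tier still reaches the database through it; that path is expected here, but the same check exposes paths that are not. The audit works on trust tiers instead of specific addresses, so it can be run against any policy export as long as every segment has been assigned a tier, which is the data-classification step the article puts first.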
Culture Change: While most companies are fixated on catching insider threats, a better approach is to address the drivers of malicious activity in the first place. Organizations may find very specific reasons behind certain types of malicious behavior, and may have to design strategies targeted at each microsegment.
For instance, negligence can be combated by making security drills and targeted intervention part of the cultural fabric of the company. Financial stress, flight risk due to poor management or a lack of promotion, lack of appreciation and excessive competition are all drivers that can be addressed with a little forethought and planning.
A company can start with satisfaction surveys to home in on hotspots. If the surveys hint at a worrying trend, management can create interventions against it. For example, if a company discovers that employees in marketing are dissatisfied with their manager because they are made to work long hours, it can either rotate the manager out or help him/her delegate tasks better to reduce the workload.
Prediction: Managers need to stay ahead of the curve if they are to stop insider threats from materializing. Much like buyer personas, insider threat personas can be created to study the threat types an organization is most likely to face. Once markers are established and understood, they can be used to take preemptive action against a developing threat. Data can be collected from emails, colleague and manager feedback, and employee surveys. Monitoring of employee email in particular should be transparent and proportionate, or it will create exactly the paranoia described earlier.
Concluding Thoughts
The adage that the best defense is a good offense certainly holds true when dealing with malicious insiders. It is well established that the human element of a cybersecurity program is the one most often compromised. While modern, cloud-based tools allow greater transparency and segmentation, how a company treats its employees will ultimately decide whether they turn into insider threats.
SkyOne specializes in creating tailored productivity solutions for modern enterprises using industry-leading technologies and standards. The Auto.Sky platform is configured with high-end security procedures and the power of AWS’ hosting infrastructure to keep companies secure from these increasing threats. If you are interested in finding out more about how the Sky.One Team designs highly protected cloud environments for its customers, please feel free to contact us to schedule a call.