Insider threats: what, why and how

Last year, an employee stole huge amounts of confidential data from Tesla, and sold it to unknown third parties. The employee also created false usernames and made code changes to the Tesla Manufacturing Operating System. The sensitive data included confidential photos and videos of Tesla's manufacturing systems and numerous other trade secrets. The employee also spread information in the media to malign Tesla. Therefore CEO Elon Musk was certainly not exaggerating when he said that the employee had created "quite extensive and damaging sabotage" to its operations. Sadly, this is not new. Insider attacks account for a whopping 60% of all cyber attacks. They also cost companies up to $8.76 million a year.
So why aren't more people talking about this? Most of our security measures, such as firewalls and antivirus software, are aimed at detecting meddling outsiders. But what about the insiders, the ones who have ready access to sensitive data? Since they don't need to scale firewalls or battle other peripheral security systems, insider activity can go undetected for months. Insiders may access sensitive data without raising any red flags. Then, there is the question of motive. It is hard to ascertain whether an employee's action was a genuine mistake or whether there was malicious intent. Therefore, understanding employee motivation plays an important role in preventing insider attacks. For that reason, an insider threat program cannot be limited to just erecting technical barriers, but should be a holistic program that includes ensuring employee welfare and awareness.
Why do insider attacks happen?
Insider attacks can have several reasons. A disgruntled employee who isn't happy with the company might want to exact revenge. A malicious insider might want to sell company information for money. Or, it can simply be a mistake on the part of an employee. Be it inadvertent or malicious, an attack can cost your company dearly.
What can be done to prevent insider attacks?
Every organization should have an insider attack plan that is customized to its needs. For example, in some companies, most employees might need very limited access to perform their jobs. In a call center company, there can be many employees who only need to work with a very limited number of applications. In a software development company, that will not be the case. Therefore, there cannot be a one-size-fits-all insider threat program.
A good insider threat program should be formalized with a mission statement and clearly laid out strategies. Here are some things to remember while building an insider threat plan for your organization:

• Identifying critical assets and controlling access
- Companies should identify their critical assets and prioritize them. Critical assets are defined as something with potential value to an organization and for which an organization has a responsibility. This can include trade secrets, proprietary software, customer data and so on.
- The plan should strictly define employee access to all company information and office spaces. This should include not just monitoring and updating the access control list, but also specifying how sensitive or proprietary information used by employees can be kept safe. One example is the two-person rule: experts believe that the incidence of threats reduces significantly when two people are jointly assigned to work with sensitive data. The principle of least privilege (POLP) can also be applied; it ensures that employees have access to only those resources and applications that they need to perform their job. Since 74% of data breaches are caused by privileged credential abuse, POLP might be a great way to reduce the risk.
• The insider threat program should be all-seeing and all-knowing
- The program should focus not just on logging data, but on collating it from different departments and analyzing it. This would help establish baselines for employee and network behavior. For example, this can help detect a disgruntled employee or one that is about to quit. These kinds of employees can potentially become insider threats. An employee who is about to quit and join another company might expect to earn some brownie points with their new company by stealing some valuable data from their ex-employer.
- This monitoring should not be limited to in-house activities, but should also cover remote activities. Employees' social media activity also needs to be monitored. Spearphishing emails regularly target people who share too much personal information online. While employers cannot regulate that, they can certainly raise awareness on this count. However, organizations can have a social media policy that dictates what employees can share about the organization online.
- The policies should cover all employees, regular and contract. They should also bring trusted business partners under their ambit because, once there is data exchange between company A and company B, each company's employees also become each other's insiders. For example, if company A outsources any of its activities to company B, it might also have to reveal some of its proprietary software or customer information to company B. Therefore, companies should ensure that the security policies of their trusted business partners are at least as strict as their own.
• Ensure employee welfare and create awareness
- To avoid issues with a disgruntled employee trading off company information, it is essential to keep your employees happy. Ensure that employees can easily communicate their issues, if any, to HR or their manager. Reducing employee stress should also be part of the plan, as it is intimately connected to employee happiness.
- Many employees might also consider the insider threat monitoring a violation of their privacy or even a witch hunt. Regular awareness programs can help convince them about the need for the measures taken by the administration. It can also help them stay safe from malicious outsiders who might be looking for insiders who would spill sensitive information inadvertently.
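The point above about collating logs from different departments to establish behavioral baselines can be made concrete. The following is an added example, not part of the original article: it merges access events from several sources into per-user daily totals and flags days far above that user's own baseline. The event fields, user names, sources and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (day, user, source, records_accessed), as if merged
# from file-server and CRM logs. All users, dates and counts are made up.
def _series(user, source, first_day, counts):
    return [(f"2024-03-{d:02d}", user, source, n)
            for d, n in enumerate(counts, first_day)]

EVENTS = (
    _series("alice", "fileserver", 1, [40, 38, 45, 41, 37, 880])
    + _series("alice", "crm", 1, [12, 10, 10, 9, 10, 20])
    + _series("bob", "crm", 1, [20, 22, 19, 21, 23, 20])
    + _series("carol", "fileserver", 5, [500, 450])  # new hire, 2 days of history
)

def daily_totals(events):
    """Collate events from every source into per-user, per-day totals."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, _source, count in events:
        totals[user][day] += count
    return totals

def flag_deviations(events, min_days=5, threshold=3.5):
    """Return (user, day, total, score) for days far above the user's baseline.

    Baseline is the median of the user's daily totals and spread is the median
    absolute deviation (MAD), so one extreme day cannot hide itself by
    inflating the average.
    """
    alerts = []
    for user, days in daily_totals(events).items():
        values = list(days.values())
        if len(values) < min_days:
            continue  # not enough history to say what is normal for this user
        base = median(values)
        # Fall back to 1 when history is perfectly flat (MAD of zero).
        mad = median(abs(v - base) for v in values) or 1
        for day, total in sorted(days.items()):
            score = 0.6745 * (total - base) / mad  # modified z-score
            if score > threshold:
                alerts.append((user, day, total, round(score, 1)))
    return alerts

if __name__ == "__main__":
    for alert in flag_deviations(EVENTS):
        print(alert)
```

A user with too little history, like the constructed "carol" here, is skipped rather than cleared; such accounts need a peer-group or role baseline instead of a personal one.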
Some reports suggest that insider threats are becoming more common and are becoming even harder to detect due to the general adoption of cloud technology. As newer security threats emerge, a dedicated insider threat program is the least that organizations can do to protect themselves. Following these policies can keep your data safe and your employees happy, and that will probably make your data safer.