The Threat Within - Part 1: Identifying and Minimizing Vulnerabilities

When you hear about a successful cyber breach, you tend to assume it was perpetrated by malicious outsiders – but that’s an erroneous conclusion. Almost half of enterprises are actually more concerned about internal than external threats. In fact, one out of every three enterprises suffered an insider cybersecurity attack within the last year, according to a recent survey. Given this, it’s not surprising that three out of every four enterprises (74%) feel vulnerable to insider threats.

Chief concerns of security pros: employees will install malware (73%); employee credentials will be stolen or compromised (66%); and employees themselves will steal data (65%) or abuse administrative privileges (63%).

Yet it’s important to realize that the activity behind these concerns is not necessarily malicious. Only 13% of enterprises believe that insiders are out to deliberately harm them.

This means that training and awareness are key to helping your employees follow better security practices. Whether due to negligence, malice or employees simply not understanding security protocols, the consequences of an insider threat can be dire.

This article will review nine actions you can take that will help you work with employees to protect your company from internal threats.

1. Identify and protect your most important digital assets. These assets include proprietary software, customer data, business plans, employee data, financial information, schematics and even manufacturing processes. You must closely guard this data – both when it is being stored and transmitted. Ask yourself the following questions:

  • What critical assets do we possess?
  • How do we prioritize our list of critical assets?
  • Are we capable of investing in the authority, money, and resources necessary to effectively monitor critical assets?

Once these questions are answered, you can start taking action to protect your critical assets from internal risks.

2. Create, document and enforce employee security policies. When you craft your employee security policies, make sure to document them precisely and continuously broadcast a clear message to all employees. For example:

  • Never download files from unknown senders
  • Even if you know the person who sent a file, if you weren’t expecting one, call – don’t email – to confirm
  • Never click on links in the bodies of emails – always look up the address of companies (especially financial institutions) independently
  • Change your password every month
  • Never leave your screen unlocked and unattended

3. Create especially stringent access controls and monitoring policies for so-called “privileged” users. System administrators and privileged users possess broader access to systems, networks, or applications than other employees. They have the power to do more damage because they have the authority to do things ordinary employees cannot, such as log in as other users, modify system log files or falsify audit logs and monitoring reports. According to research by the CERT Insider Threat Center at Carnegie Mellon University, most insiders who sabotaged or stole data held technical positions within the organization.
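One concrete form a monitoring policy for privileged users can take is a review of the commands they run with elevated rights. The script below is an added example, not code from the original article or from CERT; it parses sudo entries in the standard Linux syslog format and flags the two behaviours the paragraph calls out: destructive commands aimed at log or audit files, and running commands as a user other than root. The sample log lines, hostnames and usernames are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the syslog format sudo writes on Linux hosts.
# Hostnames, users, times and commands are made up for this example.
SAMPLE_LINES = [
    "Jan 10 09:12:01 host1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "Jan 10 09:13:00 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 10 09:15:44 host1 sudo:     bob : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/bin/rm /var/log/auth.log",
    "Jan 10 09:16:02 host1 sudo:     bob : TTY=pts/1 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/truncate -s 0 /var/log/audit/audit.log",
    "Jan 10 10:01:12 host1 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=dave ; COMMAND=/bin/bash",
]

# Fields sudo logs for every elevated command: who ran it, as which target
# user, and the full command line.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<actor>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Any argument that points into the system log directory.
LOG_PATH_RE = re.compile(r"(^|\s)/var/log(/\S*)?")
# Utilities that delete, empty, move or hand-edit a file (assumed list;
# extend it to match the tooling present on your hosts).
DESTRUCTIVE_TOOLS = {"rm", "truncate", "shred", "mv", "chattr", "sed", "vi", "vim", "nano"}


@dataclass
class Alert:
    actor: str
    reason: str
    line: str


def parse_sudo_line(line):
    """Return the sudo fields as a dict, or None for lines that are not sudo entries."""
    match = SUDO_RE.search(line)
    return match.groupdict() if match else None


def classify(event):
    """Return the reasons a privileged event deserves review (empty list if benign)."""
    reasons = []
    cmd = event["cmd"]
    tool = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the executed binary
    if LOG_PATH_RE.search(cmd) and tool in DESTRUCTIVE_TOOLS:
        reasons.append("destructive command against log files")
    if event["target"] != "root":
        reasons.append(f"ran command as another user ({event['target']})")
    return reasons


def review_privileged_activity(lines):
    """Scan log lines and return one Alert per suspicious privileged action."""
    alerts = []
    for line in lines:
        event = parse_sudo_line(line)
        if event is None:
            continue  # not a sudo entry
        for reason in classify(event):
            alerts.append(Alert(event["actor"], reason, line))
    return alerts


def alerts_per_actor(alerts):
    """Count alerts by the user who ran the command, for a quick review summary."""
    counts = {}
    for alert in alerts:
        counts[alert.actor] = counts.get(alert.actor, 0) + 1
    return counts


if __name__ == "__main__":
    found = review_privileged_activity(SAMPLE_LINES)
    for alert in found:
        print(f"{alert.actor}: {alert.reason}\n    {alert.line}")
    print("alerts per actor:", alerts_per_actor(found))
```

On the sample lines, alice’s package update passes, both of bob’s commands against files under /var/log are flagged, and carol’s shell started as another user is flagged. In practice the same parsing would be run continuously against logs forwarded to a central collector that privileged users cannot edit, since the paragraph’s point is precisely that these users can alter logs kept on the hosts they administer.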

4. Deploy strict password policies. By mandating strict password practices, you can prevent insiders from compromising accounts. Passwords should be at least eight characters long (preferably 12) and contain at least one capital letter, numeral, and special character, and should not be found in the dictionary. Automatically reject passwords that don’t meet this threshold to ensure their strength. Require employees to change their passwords at least once a month. Workstations should lock their screens when employees step away from them and should automatically start a password-protected screen saver after a fixed period of inactivity.
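The rules in this item are simple enough to enforce automatically at the point where a password is set. The checker below is an added example, not code from the original article: it applies the stated rules (minimum eight characters, a capital letter, a numeral, a special character, not a dictionary word) as hard rejections and treats the 12-character preference as a warning. It goes slightly beyond the article’s wording in one respect: before the dictionary lookup it also strips digits and symbols, so that a word padded with “1!” is still recognised as dictionary-based. The word list is a constructed stand-in; a deployment would load a real dictionary file instead.

```python
import string
from dataclasses import dataclass, field

# Constructed mini word list standing in for a real dictionary file
# (assumption: a deployment loads the full list, e.g. from a system dictionary).
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "company"}

MIN_LENGTH = 8          # hard requirement from the policy
PREFERRED_LENGTH = 12   # recommended, produces a warning rather than a rejection
SPECIAL_CHARACTERS = set(string.punctuation)


@dataclass
class PolicyResult:
    accepted: bool
    problems: list = field(default_factory=list)   # reasons for rejection
    warnings: list = field(default_factory=list)   # accepted, but could be stronger


def _looks_like_dictionary_word(password, dictionary):
    """True if the password, or the letters left after stripping digits and
    symbols, is a dictionary word (case-insensitive)."""
    lowered = password.lower()
    letters_only = "".join(c for c in lowered if c.isalpha())
    return lowered in dictionary or (letters_only and letters_only in dictionary)


def check_password(password, dictionary=DICTIONARY):
    """Evaluate a candidate password against the policy.

    Any entry in `problems` means the password must be rejected; `warnings`
    are advisory only.
    """
    result = PolicyResult(accepted=True)

    if len(password) < MIN_LENGTH:
        result.problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < PREFERRED_LENGTH:
        result.warnings.append(f"{PREFERRED_LENGTH} or more characters is preferred")
    if not any(c.isupper() for c in password):
        result.problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        result.problems.append("no numeral")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        result.problems.append("no special character")
    if _looks_like_dictionary_word(password, dictionary):
        result.problems.append("based on a dictionary word")

    result.accepted = not result.problems
    return result


if __name__ == "__main__":
    # Constructed candidates, from weak to strong.
    for candidate in ["short1!", "Password1!", "Tr0ub4dor&3", "Gh7#kLm2@pQx"]:
        verdict = check_password(candidate)
        status = "ACCEPT" if verdict.accepted else "REJECT"
        print(f"{status:6} {candidate!r} problems={verdict.problems} warnings={verdict.warnings}")
```

Run the file directly to see how each candidate fares, or call check_password from whatever component handles password changes and refuse the change whenever accepted is False. The hard/soft split is deliberate: the policy text names eight characters as the requirement and 12 as the preference, so the checker rejects only on the former and nudges on the latter.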

5. Prevent unauthorized data downloads and transfers. It is vital to identify where your digital assets might be vulnerable to employees taking, copying, deleting or destroying data. Employees can do this in several ways, such as through USB flash drives, cloud-based file sharing, printing and email attachments. To reduce the risk of an insider compromising sensitive information, you must first map out exactly how data can leave your systems. Once you know that, you can begin formulating protections against it happening, which will require a mix of technology updates, training courses and cultural changes. For example, you should apply the practice of “least privilege” on the network, allowing employees to see only what they have to see, and no more. Or, you can deploy rights management software that makes it impossible to copy, download or send files. There are also ways to discourage employees from using removable storage devices (like USB drives) to download data. Although it’s a complex process that requires a multifaceted approach, it will be worth it in the end for your business.

6. Monitor and control remote access from all network endpoints, especially mobile devices. Many organizations are changing their operational models to create truly mobile workforces. This opens up many opportunities for insiders to either accidentally or maliciously expose systems or data. Again, the vast majority of them would not be doing this maliciously. They probably just want to take work home for the evening, or collaborate with colleagues more easily. However, you have to be aware of potential threats that remote and mobile technologies pose to your security.

7. Ensure that you consider the “extended enterprise” when doing your risk assessments. Remember, you’re only as safe as your weakest link. If you have a partner or supplier that is not practicing sound security, your insider threat vulnerabilities skyrocket. Many firms are beginning to ask that partners provide proof, through rigorous security audits, that they are safe to do business with.

Make sure to include all trusted third parties, service providers and partners – anyone authorized to access your system. After all, the massive Target breach was the result of a phishing attack that compromised an unsuspecting employee of a third-party HVAC supplier.

8. Teach your employees to be especially careful about social media. You’d be surprised at how much information people share about themselves and their work on social platforms. How does this sharing affect your business’ security? Since social media sites can be used to determine who works at a particular company, spear phishers use this information to create narrowly targeted and seemingly authentic email attacks against organizations.

9. Train your employees appropriately. If your employees don’t understand your security guidelines, the battle is already lost. You should provide regular security training that explains how they can unintentionally do harm and how to act in ways that protect the organization.

Insider threats pose increasingly high risks to organizations of all sizes across all industries. But if you follow this nine-point plan, you can minimize the risk.

For more information on how to train your employees on security risks, check out part 2 of our Threat Within series.