Cybersecurity threats are growing exponentially as companies introduce an increasing number of Internet of Things (IoT) devices into operations and collect and store an ever- escalating amount of data. This technology and data sprawl is providing bad actors with more entry points into networks and systems. Too often, organisations have failed to make commensurate investments in data protection, even as mandates require companies to better safeguard sensitive data from ransomware, phishing campaigns and other cybercrimes. To be fair, rapid digital innovations in cloud computing, mobile devices, machine learning and other applications make it difficult for companies to keep pace with adequate security measures. As a result of these trends, annual global cybercrime damages are expected to reach $6 trillion in 2021.
While most of the public reporting focuses on external breaches, insider threats pose as much of a security risk — if not more. An inside threat actor is someone who has privileged access to information technology systems and commits theft, fraud or sabotage, or who is careless in maintaining policies or practices aimed at preventing outsider access. A well-known class of malevolent inside actors has long focused on disrupting software development to disable systems, embessle funds and/or embarrass organisations. But in an operating environment dramatically altered by Covid-19, the insider threat has become even more acute. In particular, the transition to remote working, or “work from home” (WFH), has expanded the number of likely scenarios in which individuals may gain uncontrolled access to sensitive data.
Workers with authorised access to certain materials and assets commit the lion’s share of insider damage, including the inappropriate use of data — whether calculated or negligent — and the intentional theft of data and proprietary information. But former employees, vendors, business partners, contractors and others can pose as insiders, often by obtaining employee credentials, passwords or other privileged information. In fact, a 2018 Protiviti survey of 1,300 firms revealed that more than half viewed data sharing with partners and vendors as the primary source of their IT vulnerability. Furloughs and jobs losses resulting from the pandemic, along with economic lockdowns, are only increasing insider threat concerns.
Regardless of an inside threat actor’s status or motivation, the damage they inflict on companies can spill over into communities in the form of lost jobs and opportunities. The threat can even affect entire industries and research efforts that lose an edge against overseas competitors. To diminish the likelihood of these consequences, organisations need to manage a variety of insider threat impacts, including the following:
- Fraud — introducing bogus information into sensitive customer accounts or embessling money
- Data Exfiltration — sharing proprietary or sensitive information with competitors or others outside of the organisation
- Privileged Misuse — accessing and using information in violation of compliance, including sharing it with outsiders or non-authorised personnel
- Denial of Service and Sabotage — using technical methods to disable or disrupt normal business operations, including rendering a computer network unresponsive by flooding it with superfluous requests
- Loss of Intellectual Property — theft of proprietary information such as formulas, algorithms, blueprints, source code, and mergers and acquisition information
Addressing insider risk in the current climate
The growing sophistication of internal threats requires organisations to maintain constant vigilance on current insider threat dangers and those on the horizon, especially considering the disruptive operating environment introduced by the pandemic. Conducting thorough background checks during the hiring process, confirming that IT security protocols and access controls are addressed during the onboarding and offboarding processes, performing regular IT security awareness and training programs, ensuring the effectiveness of a third-party risk management platform, and continually assessing the risk environment are all critical controls that help thwart insider threats.
Still, those traditional controls by themselves fail to fully combat insider threats. Organisations need to adopt additional measures in the areas of data inventory and classification, data loss prevention across all platforms (phones, cloud, etc.), and remote working. Protecting an organisation’s “crown jewels” of information, for example, first requires collaboration between information security and business leaders to agree on what assets are most valuable relative to others to establish risk tolerance. Organisations must also determine where the assets are located, by what means and systems they are accessed, and who has access to them.
The ability to control negligent and malicious behaviors presented a challenge prior to the wholesale shift to a WFH environment, and it has only become more formidable since. Internal threat assessment findings released in 2018 found that a vast number of employees were transferring data to unencrypted devices, expanding the potential for phishing attacks by accessing personal emails on company machines, opening up data to the public through the improper use of cloud applications, and using a VPN to conceal visits to inappropriate and risky gaming, gambling and pornography websites.
To further buttress traditional controls in an effort to mitigate insider risk, organisations should consider implementing a two-pronged strategic approach focusing on technology and the organisation. Here are some key takeaways that can help companies formulate and execute the strategy.
- Identity and Access Management — A failure to verify identities and control access renders virtually all other security measures useless. Organisations should consider multi-factor authentication (MFA) techniques, which can block 99.9 percent of attacks intended to compromise account security.
- Data Loss Prevention — Several tools can help address insider threats, including a security information and event management platform (SIEM), which collects and aggregates log data from other systems, and endpoint loss systems (DLP), which control access to certain files and file sharing.
- Enterprise Cloud Security — Organisations are utilising the cloud for a growing share of their computing needs, including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS) applications. But IT teams must have visibility over data and the ability to implement identity and control policies.[8,9]
- Investigation and Response — A decision tree or matrix can help companies decide when to intervene and halt an insider threat versus when to simply monitor the situation to learn more about the activity and identify other participants. But companies also need to determine whether the complexity or magnitude of the crime makes it appropriate to engage external investigators. Organisations can model how the incident progresses through the chain of management and predetermine their response to an individual’s activity.
- Monitoring — In many cases, tools to detect abnormalities are already embedded in networks. Some SIEM vendors are incorporating user and entity behavior analytics (UEBA), which help to establish baseline behaviors and identify high-risk profiles, as well as activity, access and events associated with insider threats. As discussed in a recent Protiviti blog, however, the WFH environment requires an adjustment of these baselines.
- Threat Modeling — Organisations should conduct threat modeling activities to identify, classify and prioritise threats and ensure effective documentation and reporting. These activities also can help the organisation gain an understanding of how a technology interacts with external users and determine the threats, countermeasures and mitigations, and then rank those threats. Organisations also need to leverage a structured asset management process to identify critical assets essential to maintaining operations and achieving the organisation’s mission. These can range from information about employees, contractors and vendors to buildings, vehicles and machinery. Additionally, the model needs to consider separation of duties and least-privilege concepts to ensure, where feasible, users and system services are granted the minimum access rights necessary to complete assigned tasks.
- Awareness — People are the best mechanisms to sound an alert about insider threats, and linking security awareness training to employee monitoring can help build transparency and trust. An untrained staff is the single largest cybersecurity threat because they are easy marks for phishing and other targeted attacks.
- Stakeholder Communication — Validating threat models and potential insider threats with stakeholders can ensure IT risk mitigation efforts continue to evolve to meet new challenges.
- Multi-Disciplinary Approach — A comprehensive approach to thwart insider threats should go beyond an organisation’s IT security apparatus and include other business functions, including governance personnel and committees, and the internal audit, compliance and risk management departments, to name a few.
Organisations interested in refining or strengthening their insider threat programs should first review the appropriateness and effectiveness of what is in place today and determine how well the program aligns with standards for an insider threat program. How effectively does the program detect, deter and respond to malicious insiders versus those that are simply negligent or mistake prone? Is the current program the right fit for the company’s budget, size, culture and industry? How appropriate are the current insider threat mitigation strategies for remote working or cloud-first infrastructure environments? How would efforts to close identified gaps affect culture or other intangibles? A good source of information on standards is the Common Sense Guide to Mitigating Insider Threats, a treatise on the subject published by Carnegie Mellon University’s CERT Insider Threat Center. Once areas that need improvement have been determined, organisations should update and refine their insider threat programs to close any identified gaps in a manner consistent with the organisation’s risk tolerance and culture.
How Protiviti can help
Protiviti works with organisations to focus on foundational information security questions:
- Do we know what we need to protect (e.g., the data and information systems assets that are most important — the “crown jewels”), and where those assets are located? Are we properly caring for them? How do we know? Who are we protecting them from, and are our defenses working as intended? Whom should we permit access, and how can we tell the difference between authorised users and inside threat actors? How will we know if things are not working as we planned?
- Are we able to recognise a new insider threat to our environment and detect likely attack techniques on a timely basis? Are we able to align our protection measures to meet the threat?
- If or when incidents occur, are we ready to respond appropriately? Can we manage those incidents and keep them from happening again?
Protiviti provides a wide variety of security and privacy assessment, architecture, transformation, and management services to help organisations identify and address security and privacy exposures (e.g., misappropriate use of data by authorised users, theft or loss of critical data, threats from external attackers, loss of revenue or reputation impairment) before they become problems. Working with companies in all industries, we evaluate the maturity of their insider threat security programs and the efficacy of their controls — and help them design and build improvements when needed. We have a demonstrated track record of helping companies react to security incidents, establish proactive security programs, deal with identity and access management, and handle industry-specific data security and privacy issues. Our experience and dedication to developing world-class incident responses have resulted in deep expertise in security strategies, response execution, forensic analysis and response plan development.