10 Aug The Insider Threat – what it is and how to deal with it
As if it wasn’t enough to have to defend against industrial spies, nation states, and script kiddies residing outside your network, one of the biggest threats to our information assets resides within our own environments. The insider threat, intentional or otherwise, is now one of the major concerns in cybersecurity, and with good cause. Within many organizations these days, users have more access to data than they need. Cloud storage services have created a phenomenon called Shadow IT, permitting users to save potentially confidential data to the cloud for future access. And with the (understandable) requirement of user-friendliness throughout IT assets, security controls are often disabled rather than tuned. While the insider threat can be a pain in the backside, there are ways to protect yourself and keep your users happy at the same time.
What is the insider threat?
In order to properly defend yourself, you need to understand what you’re up against. The insider threat comes in many forms, but you can narrow them down into either malicious/intentional threats, or threats that stem from carelessness or lack of knowledge and skill within your workforce. You may have a user that thinks it’s okay to throw the classified document that they were editing up onto their favourite cloud storage platform so that they can access it later. One of your users may provide their credentials to a malicious third-party after being subject to a social engineering attack. You may have a malicious insider who is looking to steal or destroy data because they are disgruntled or under the employ of a competing organization. In the world of startups and small businesses, security controls can sometimes be sacrificed to allow for speed of delivery, lack of knowledge, or user satisfaction. Now that you better understand the threat, we can help you get a handle on the situation.
Defense #1: Create Enforceable Policies
Good documentation makes a good cybersecurity practice, and policies are a staple in said documentation. Policies back up your decisions, provide guidance for your cybersecurity controls, and give you a base for user education. Acceptable use, privacy, and mobile computing are three base policies that should exist in most organizations. The policies exist to provide the following:
- Acceptable use policy puts parameters around how your assets can be used. Are your users allowed to store company data in cloud storage? Are USB drives allowed for backup purposes? These answers and others should reside in this policy.
- Mobile computing policy lays out rules for mobile access to company resources. Do your employees take laptops home? How do they access company data remotely? Are there specific rules required for travel to high-risk countries? Mobile phones: are they provided by the organization, or do you live in a BYOD world? All of these mobile devices access your organization’s resources; your mobile computing policy dictates how.
Once you have a base set of policies in place, your next step is to educate your users about their existence, and what it means to them.
Defense #2: User Awareness Education
A user’s misunderstanding of technology or trusting nature can lead to potentially unwanted situations. Data loss, malware infection, and unauthorized access are just three of the potential threats you face when your users carry on with their business without proper security awareness education.
Facilitating user awareness training is pretty straightforward in theory, although not always easy to execute. Initially, you will need to provide live training: in person if you have a small team in a central location, or online via webinar if your team is larger and decentralized. Some of the topics you will want to cover are:
- Existing security policies: how to adhere to their rules for better protection of organizational assets
- Phishing email: what to look out for, and how to examine messages for authenticity or malicious content, such as macros
- Malware handling: what to do (and who to call) should you get infected
Since your users are generally prime targets for attackers, skilled and not so skilled, providing proper education for them can help shore up your defenses and mitigate the insider threat. Keep in mind that your users will forget, so you need to keep refreshing their memories! Quarterly or semi-annual training wouldn’t go amiss.
Defense #3: Implement and maintain cybersecurity controls
Along with enforceable policies and educated users, you still need to maintain technical cybersecurity controls within your environment. Users forget elements of training, malicious users ignore policy, and accidents happen. Here are a few examples of controls you can use to help ensure that your users are adhering to policy and best practices:
- Endpoint data loss prevention (DLP) provides functionality to disable USB storage and block data transfers to cloud services. If you do implement this technology, make sure that you keep its policies relevant and up to date.
- Endpoint malware detection has made some significant progress since the old, signature-based days. With new features such as containerization to help stop malware from executing, implementing this type of control can go a long way to helping prevent accidental launch of malicious executables. The drawback? This type of technology may require a lot of tuning to ensure that your users can still do their work.
- User behaviour analysis can provide valuable insights into what your users are up to, whether they are adhering to policy, and if they are attempting to pilfer data or otherwise harm your organization’s assets. The upside of these types of tools is that they are relatively low maintenance. The downside is that these solutions can be a bit pricey for small businesses, but worth it if they can be afforded.
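As an added illustration of the user behaviour analysis described above (example code written for this article, not from the original post or any vendor product), the script below builds a per-user baseline of daily upload volume to cloud-storage domains from proxy logs and flags days that spike well above it. It assumes a constructed log format of `day user destination_domain bytes_out` and a hypothetical list of cloud-storage domains; both are placeholders you would replace with your own proxy export and policy.

```python
"""Flag users whose daily uploads to cloud storage spike over their own baseline."""
from collections import defaultdict

# Hypothetical list of domains your acceptable-use policy treats as cloud storage.
CLOUD_STORAGE = {"dropbox.com", "drive.google.com", "onedrive.live.com"}

# Constructed proxy log lines: ISO day, user, destination domain, bytes sent.
SAMPLE_LOG = """\
2023-08-01 alice drive.google.com 1200000
2023-08-02 alice drive.google.com 900000
2023-08-03 alice drive.google.com 1100000
2023-08-01 bob dropbox.com 500000
2023-08-02 bob dropbox.com 400000
2023-08-03 bob dropbox.com 600000
2023-08-04 alice drive.google.com 1000000
2023-08-04 bob dropbox.com 9000000
2023-08-04 bob intranet.example 300000
"""


def parse(log: str) -> list[tuple[str, str, str, int]]:
    """Split each line into (day, user, domain, bytes_out)."""
    rows = []
    for line in log.splitlines():
        day, user, domain, nbytes = line.split()
        rows.append((day, user, domain, int(nbytes)))
    return rows


def daily_cloud_bytes(rows) -> dict[str, dict[str, int]]:
    """Sum bytes sent to cloud-storage domains per user per day; other traffic is ignored."""
    totals: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for day, user, domain, nbytes in rows:
        if domain in CLOUD_STORAGE:
            totals[user][day] += nbytes
    return totals


def find_anomalies(rows, target_day: str, factor: float = 3.0, min_days: int = 2):
    """Return (user, bytes_today, baseline_mean) for users whose target-day upload volume
    exceeds factor x their mean over earlier days. ISO dates compare correctly as strings.
    A mean baseline is deliberately simple; a median would resist skew from past spikes."""
    alerts = []
    for user, days in daily_cloud_bytes(rows).items():
        history = [b for d, b in days.items() if d < target_day]
        if len(history) < min_days or target_day not in days:
            continue  # not enough history to judge, or nothing uploaded that day
        baseline = sum(history) / len(history)
        if days[target_day] > factor * baseline:
            alerts.append((user, days[target_day], baseline))
    return alerts
```

On the sample data only bob is flagged: his 9 MB upload on 2023-08-04 is eighteen times his 500 KB daily average, while alice stays within her normal range.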
Providing basic cybersecurity controls can go a long way toward mitigating insider threats in your organization. You will still need to maintain your controls, monitor and log their output, and use your policies to derive the standards by which they are configured.
While the insider threat can be a plague to modern organizations, whether large or small, it is not an insurmountable obstacle. By creating policies (not too stringent) that add parameters within which your organization can run securely, providing regular training to your users to help keep them sharp, and adding some technological controls on top to provide backup when your users slip up, you can go a long way toward mitigation.