An insider threat is a cybersecurity risk that originates from within the targeted organization itself. Often, insider threats involve a current or former employee, or a business associate, who has access to sensitive information or privileged accounts and who misuses this access. Sometimes it is an outside attacker who gains credentialed access and waits for the right time to strike. In both cases, traditional security measures tend to focus on external threats and are not always capable of identifying a threat that is already operating inside the organization.
A paper written by Forrester Research in late 2021, Insider Threats Drive Data Protection Improvements, revealed that 58 percent of sensitive data security incidents are caused by insider threats. This report highlighted that nearly a third (31 percent) of firms surveyed do not believe insiders are a substantial threat, and suggests this is a principal reason why insider threats make up such a high proportion of security incidents.
While company leadership teams acknowledge that insider threats pose some risks, they don’t generate the level of urgency required to manage this risk effectively. This failure has a cascading effect: fewer than 30 percent of firms surveyed say they have an insider risk management strategy or policy. It is understandable that many organizations focus on the perimeter and endpoints first. Strong network and endpoint security, combined with vulnerability management lifecycle toolsets and a mature security operations center, are key to reducing overall risk. However, with insider events occurring more often than external ones according to the report (58 percent vs. 41 percent), a more effective data security strategy for insider threats is needed.
There are steps organizations can take immediately that will mitigate some of the risk posed by insider threats. Some are straightforward; others will require planning (not to mention board, team, and/or departmental buy-in). Take this five-question test to find out how well you currently manage insider threats.
1. Do you use multi-factor authentication (MFA)?
Multi-factor authentication cross-verifies privileged users with two different forms of identification, usually knowledge of an email address and proof of ownership of a mobile phone. Used in addition to regular username/password verification, MFA makes it much harder for outside cyber attackers to gain the access required to become insider threats, even if they get past the first authentication step by brute-forcing a username and password. Many insider threats, including the ones that create the most damage, start as outsiders. Microsoft reports that MFA can block over 99.9 percent of account compromise attacks. MFA is commonly employed in online banking websites, social media platforms, and e-commerce sites as a way to harden the access controls of the more sensitive areas of a web application (e.g., admin panels or areas that store credit card details and/or personal data).
2. Do you enforce a current privileged user policy and regularly audit user privileges?
The principle of least privilege is a critical, time-tested, and relatively easy-to-implement cybersecurity best practice. In simple terms, it means a user should have no more access to data and systems than is necessary to do their work. As people leave organizations and are replaced, and as jobs are restructured, organizations must constantly review who has permission to access data. Always knowing who has access to sensitive information, and reducing permissions to the minimum required, helps stop insider threats.
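A privilege audit of the kind this question asks about can be automated. The following added example (not the article's or Imperva's code) compares the permissions actually granted in a system against an HR directory and a set of role definitions, all constructed for the demo, and reports the three conditions a reviewer most wants surfaced: a departed user who still has access, a grant that exceeds what the user's role allows, and a grant that has gone unused long enough to be revoked.

```python
"""Least-privilege audit: current grants vs. HR directory and role definitions.
Added example; not from the original article or from Imperva."""
from datetime import date

# Constructed role model: which permissions each job role legitimately needs.
ROLE_PERMISSIONS = {
    "analyst": {"crm:read", "reports:read"},
    "dba": {"crm:read", "crm:write", "db:admin"},
    "finance": {"ledger:read", "ledger:write"},
}

# Constructed HR feed: role and employment status per person.
DIRECTORY = {
    "alice": {"role": "analyst", "active": True},
    "bob": {"role": "dba", "active": True},
    "carol": {"role": "finance", "active": False},  # left the company
    "dave": {"role": "analyst", "active": True},
}

# Constructed access-control state: permission -> date last exercised (None = never).
GRANTS = {
    "alice": {"crm:read": date(2024, 5, 1), "reports:read": date(2024, 5, 2),
              "db:admin": date(2023, 11, 3)},
    "bob": {"crm:read": date(2024, 5, 9), "crm:write": date(2024, 5, 8),
            "db:admin": date(2024, 5, 9)},
    "carol": {"ledger:read": date(2024, 3, 20), "ledger:write": date(2024, 3, 20)},
    "dave": {"crm:read": date(2024, 5, 9), "reports:read": None},
    "svc-legacy": {"db:admin": date(2024, 5, 1)},  # principal unknown to HR
}


def audit_grants(directory, role_permissions, grants, today, stale_days=90):
    """Return (principal, permission, finding) triples for every grant that
    violates least privilege. '*' means the finding covers all of the grants."""
    findings = []
    for user, perms in grants.items():
        entry = directory.get(user)
        if entry is None:
            findings.append((user, "*", "unknown_principal"))
            continue
        if not entry["active"]:
            findings.append((user, "*", "departed_user_still_has_access"))
            continue
        allowed = role_permissions.get(entry["role"], set())
        for perm, last_used in perms.items():
            if perm not in allowed:
                findings.append((user, perm, "exceeds_role"))
            elif last_used is None or (today - last_used).days > stale_days:
                findings.append((user, perm, "stale_grant"))
    return findings


def revocation_plan(findings, grants):
    """Expand findings into concrete (principal, permission) pairs to remove."""
    plan = set()
    for user, perm, _ in findings:
        if perm == "*":
            plan.update((user, p) for p in grants[user])
        else:
            plan.add((user, perm))
    return sorted(plan)


if __name__ == "__main__":
    found = audit_grants(DIRECTORY, ROLE_PERMISSIONS, GRANTS, date(2024, 5, 10))
    for item in found:
        print("%-12s %-14s %s" % item)
    print("revoke:", revocation_plan(found, GRANTS))
```

In practice the three inputs come from the identity provider, the HR system and the target application's own access logs; the value of the check lies in running it on a schedule, so that a grant left behind by a departure or a reorganization is caught within days rather than found during an incident.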
3. Do you regularly run phishing attack simulations to ensure your colleagues are trained to look for signs of fraud?
The “careless insider” is an innocent pawn who unknowingly exposes sensitive data and applications to outside threats. The most common type of insider threat is the result of innocent mistakes, such as leaving a device exposed or falling victim to a scam. Employees who intend no harm frequently fall victim to phishing scams and may click on a malicious link that could infect their system with malware. Security teams can mitigate this threat by continually training people to recognize phishing scams and report them. Phishing aimed at the careless insider has been around for a long time, but with changes in operations and more employees working outside the security perimeter, the impact of careless insiders has grown.
4. Do you enforce your security policy controls in your cloud-managed data repositories?
Gartner predicts that cloud-native platforms will serve as the foundation for more than 95 percent of new digital initiatives by 2025, and Crowd Research Partners reports that 84 percent of enterprises say traditional security solutions don’t work in cloud environments. Applying security policies and effectively detecting policy-violating behavior in cloud architectures is difficult. If organizations don’t have complete visibility into their cloud-managed environments, the risk of breaches due to insider threats increases dramatically. Every cloud-managed infrastructure is unique, with its own configurations and APIs. Best practice, when trying to gain visibility and secure sensitive cloud data from insider threats, is to work with cloud security experts to chart an effective path forward.
5. Do you use an analytics tool to study past insider threats and build profiles to define unusual user activities?
The most damaging insider threat is known as the Resident insider. The Resident will penetrate an organization’s network and stay as an insider for months, sometimes years. They use keyloggers, sniffers, and other methods to steal credentials and compromise databases, relying on “Slow & Low” and similar techniques to stay undetected. Since the Resident is playing the “long game,” the best way to mitigate the risk they represent to data is to play the long game with them. First, make sure that your privileged users are changing passwords frequently. Second, use a solution that employs machine learning to rigorously analyze anomalous behavior and root out malicious insider activity. Machine learning algorithms can baseline typical access for each privileged user and raise alerts on deviations from that behavior, as well as keep a “book” of profiles that past Resident insiders used to breach data.
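The baselining idea in the previous paragraph does not need a full machine-learning stack to be understood. The added example below (not code from the article or from Imperva) builds a simple per-user profile from a constructed week of database access records (usual source hosts, usual working hours, and the mean and spread of rows returned) and then scores later events against it. It flags a new host, off-hours access and a statistical volume spike, and also a user for whom no baseline exists. The log format and the user and host names are made up for the demo; a real deployment would build the profile from the database audit log or a proxy log with the same fields.

```python
"""Behavioral baseline for privileged users over a constructed access log.
Added example; not from the original article or from Imperva."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed training window: one week of ordinary activity for user "bob".
# Fields: timestamp user source_host rows_returned
BASELINE_LOG = """\
2024-04-01T09:12:00 bob dba-ws01 120
2024-04-01T10:40:00 bob dba-ws02 95
2024-04-02T11:05:00 bob dba-ws01 130
2024-04-02T13:30:00 bob dba-ws01 88
2024-04-03T14:10:00 bob dba-ws02 110
2024-04-03T15:45:00 bob dba-ws01 140
2024-04-04T16:20:00 bob dba-ws01 105
2024-04-05T17:05:00 bob dba-ws02 92
"""

# Constructed follow-on week to score against the baseline.
NEW_LOG = """\
2024-04-08T10:15:00 bob dba-ws01 118
2024-04-08T02:30:00 bob jump-host-99 50000
2024-04-09T03:10:00 bob dba-ws01 100
2024-04-09T11:00:00 mallory dba-ws01 90
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "rows": int(rows)})
    return events


def build_baselines(events):
    """Per-user profile: hosts seen, hour-of-day range, and row-count statistics."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    baselines = {}
    for user, evs in by_user.items():
        rows = [e["rows"] for e in evs]
        hours = [e["ts"].hour for e in evs]
        baselines[user] = {
            "hosts": {e["host"] for e in evs},
            "hour_range": (min(hours), max(hours)),
            "mean": statistics.fmean(rows),
            "stdev": statistics.stdev(rows) if len(rows) > 1 else 0.0,
        }
    return baselines


def score_event(baseline, event, z_threshold=3.0):
    """Return the list of deviations this event shows from the user's baseline."""
    reasons = []
    if event["host"] not in baseline["hosts"]:
        reasons.append("new_host")
    lo, hi = baseline["hour_range"]
    if not lo <= event["ts"].hour <= hi:
        reasons.append("off_hours")
    if baseline["stdev"] > 0:
        z = (event["rows"] - baseline["mean"]) / baseline["stdev"]
        if z > z_threshold:
            reasons.append("volume_spike")
    return reasons


def detect(baselines, events, z_threshold=3.0):
    """Alerts as (timestamp, user, reasons); unknown users are flagged too."""
    alerts = []
    for e in events:
        bl = baselines.get(e["user"])
        reasons = ["no_baseline"] if bl is None else score_event(bl, e, z_threshold)
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts


if __name__ == "__main__":
    profiles = build_baselines(parse_log(BASELINE_LOG))
    for alert in detect(profiles, parse_log(NEW_LOG)):
        print(alert)
```

The third alert is the one that matters for a “Slow & Low” intruder: its volume is ordinary and the host is familiar, so only the time-of-day deviation gives it away, which is why a baseline should cover several dimensions rather than just the size of each query.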
If you answered “no” to any of these five questions, you have room to improve, and should make insider threat mitigation a bigger part of your data-centric security strategy.