Insider threat does not have to be malicious, so how do you protect your organization?
In this interview with Help Net Security, Laura Hoffner, Chief of Staff at Concentric, talks about the causes of insider threat attacks and what companies can do to mitigate or even avoid them.
In these particularly tumultuous times, when organizations are not really sure what the working arrangements will be, insider threats have become the issue to look out for. What is making businesses increasingly vulnerable to them?
First, “insider threat” doesn’t necessarily mean that an employee is purposefully acting maliciously. Haphazard or accidental activities can still result in equally grave threats from the “inside”.
Right now, the work-from-home model is the most dangerous for insider threat monitoring. While in the office, your IT professional can ensure network security through VPN usage, monitoring of suspicious activity such as mass downloads or unauthorized website access, and even through the act of deterrence through observance. At home, however, employees are encouraged, but can’t be required, to follow those same stringent protocols.
Additionally, the continually increasing lure of ransomware attacks is threatening businesses from inside and out. The vast majority of these ransomware attacks are the result of negligent actions taken by employees, such as interacting with phishing emails or other unintentional but negligent lapses in security protocol. This is the result of lack of training, lack of due diligence, or just laziness. No matter the intent, the result can be catastrophic for the organization.
What can businesses do to successfully identify insider threats?
There are two aspects to what organizations can do: prevention and response. In prevention, you are attempting to ID employees who are high threat before they are able to act on an insider vulnerability. There are many ways to do this, training being of the utmost importance. Not only will the training educate all of the employees as to the threat, but your most likely opportunity for someone to identify a potential insider threat is through another employee.
The overused-yet-still-relevant adage of “see something, say something” is very true when it comes to insider threat. Other opportunities to prevent could be in regular background investigations on employees or social media sweeps. Cyber monitoring and locked-down access to documents based on “need to know” are an excellent baseline of defense.
Finally, HR can closely monitor PTO used, any concerns highlighted from other employees, any reports of erratic or outside-of-normal behavior, or even monitor access to the office at abnormal times. Post-mortem analysis of “successful” insider threat attacks identifies at least two warning signs that could have indicated the intent, had the organization been able to piece them together.
When it comes to response, the company has to have a protocol in place that can be implemented immediately. A small notification group should be identified to whom these observations or alerts can be reported. The summation of multiple “red flags” or the identification of a malicious attack should be reported to the highest chain of command. Upon identification of suspicious behavior and validation by senior leadership, IT and HR need to act immediately to remove the employee’s physical and digital access. Once removed, a full investigation needs to be conducted into what information was, or even could have been, accessed or leaked, to whom, and what the damage would be.
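As an added example that is not part of the interview: the point above about piecing warning signs together, written as correlation logic over constructed log lines. A single weak signal (mass download, blocked site, off-hours badge entry, HR concern) stays quiet; two or more distinct signals for the same employee within a short window are routed to the notification group. Signal names, the log format and the thresholds are assumptions.

```python
# Added example (not from the interview): correlate low-confidence insider
# "red flags" per employee so that two or more distinct warning signs in a
# short window reach the notification group, while a single sign does not.
# Signal names, the log format and the thresholds are all assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <signal>"
SAMPLE_LOG = """\
2024-03-01T09:12:00 alice mass_download
2024-03-02T22:40:00 bob badge_offhours
2024-03-03T10:05:00 alice blocked_site
2024-03-04T11:00:00 carol hr_concern
2024-03-09T03:15:00 bob badge_offhours
2024-03-20T14:30:00 carol mass_download
"""

WINDOW = timedelta(days=7)  # assumed correlation window
MIN_DISTINCT = 2            # "at least two warning signs" pieced together

def parse_log(text):
    """Parse lines into (timestamp, user, signal); skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return sorted(events)  # chronological, so per-user lists are ordered too

def correlate(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return {user: sorted signal types} for users with >= min_distinct
    *distinct* signals inside one window; repeats of a signal (bob) don't count."""
    per_user = defaultdict(list)
    for ts, user, signal in events:
        per_user[user].append((ts, signal))
    flagged = {}
    for user, evs in per_user.items():
        for i, (start, _) in enumerate(evs):
            kinds = {s for t, s in evs[i:] if t - start <= window}
            if len(kinds) >= min_distinct:
                flagged[user] = sorted(kinds)
                break
    return flagged

def escalations(text=SAMPLE_LOG):
    """Users to route to the notification group for the given log."""
    return correlate(parse_log(text))
```

Carol's two signals are 16 days apart and Bob's are the same signal twice, so only Alice is escalated from the sample log; tune WINDOW and MIN_DISTINCT to the organisation's own tolerance for noise.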
What could be the blind spots when it comes to insider threats?
Believing that these insider threats are only carried out by malicious employees with vendettas. While those cases are to be monitored closely, ultimately, the same amount of damage can be done by your most loyal employee who clicks on a link haphazardly.
What can businesses do to increase employee awareness?
Education! Conduct quarterly training, at least, using real-life examples of insider threat investigations and their findings. Conduct random phishing exercises to show employees how legitimate some of these emails seem. Instead of a “death-by-PowerPoint”, engage your audience by showing what is at stake for your organization specifically and how seriously you are taking the threat.
Could there be a specific prevention method?
If only there could be one! This is innately why insider threat is such a significant thorn in any organization’s side: the vulnerabilities and methods of exploitation are too numerous and diverse to rely on just one specific method. Insider threat requires the entire organization to be on the lookout, and a climate that encourages, enables, and responds to any report therein.