It is hard to find the enemy within than the enemy around

Sumeet Mathur, Vice President, Cybersecurity, CA Technologies

In today’s world, the most damaging security threats are from insider threats. An insider threat is a threat that originates from an individual within the organization—an employee, contractor or business partner.

This threat could be intentional—the malicious insider who wants to steal data for profit or wreak havoc for personal reasons. The threat could also be accidental—a user mistakenly deleting data or causing harm to IT systems. The accidental insider could also have their credentials compromised, thereby giving access to network resources to an external actor.

90% of organizations report being feeling vulnerable to insider threats as per the recently released 2018 Insider Threat Report¹. Contrary to popular wisdom, Two-thirds of organizations (66%) consider malicious insider attacks or accidental breaches more likely than external attacks.

With Data being considered as the new Oil, it is no longer just an IT asset; it’s a core strategic asset, and some types of data are more valuable than others. Confidential business information, which encompasses company financials along with customer and employee data, is a highly strategic asset and equally a high-value target.

It is not surprising that confidential business information (57%) takes the top spot as most vulnerable to insider attacks, followed by the privileged account information (52%), and sensitive personal information (49%).

Cybercriminals see a greater opportunity in targeting where corporate data is located in volume. Hence, Databases (50%) and corporate file servers (46%) pose the highest risk while mobile devices are perceived as a lesser target and least vulnerable (25%).

The most common culprit of the insider threat is accidental exposure by employees. Cybersecurity experts view phishing attempts (67%) as the biggest vulnerability for accidental insider threats. Phishing attacks trick employees into sharing sensitive company information by posing as a legitimate business or trusted contact, and they often contain malware attachments or hyperlinks to compromised websites.

The main enabling risk factors reported by businesses for insider threats include too many users with excessive access privileges (37%), an increasing number of devices with access to sensitive data (36%), and the increasing complexity of information technology (35%).

In the past, IT organizations only worried about securing the perimeter and guarding against the external threats. However, Insider threats present another layer of complexity for IT professionals to manage, requiring careful planning with regards to access controls, user permissions and monitoring user actions.

An organization’s control framework is the set of safeguards, separation of duties and recommended actions for IT professionals to use to minimize security risks and exposure. To avert insider threats, organizations are deploying multiple deterrence controls including Data Loss Prevention (DLP) (60%), encryption of data (at rest, in motion, in use) (60%), Identity and Access Management (IAM) controls (56%) and endpoint & mobile security (50%).

While deterrence controls are good preventive mechanisms, there are numerous methods and security tools available to help cybersecurity professionals detect and analyze insider attacks once they happen. Most businesses, today, use more than one security tool in their organization.

By merging and analyzing these disparate sources, organizations are better able to deal with security breaches. Most insider exploits are detected through Intrusion Detection and Prevention (IDS/IPS) (63%), Log Management (62%) and Security Information and Event Management (SIEM) (51%) tools.

Identification, tracking and monitoring of key assets and system resources can help avert or limit an organization’s exposure to insider attacks. When security professionals manage and monitor their key assets, they are able to react faster and with more precision to mitigate incidents.

The increasing volume of insider threats has caused cybersecurity professionals to take more action and deploy User Behavior Analytics(UBA) tools and solutions to help detect, classify and alert anomalous behaviour. The number of organizations monitoring their user behaviour has increased significantly compared to last year (94% this year compared to 42% last year). The number of organizations that don't monitor their users dropped from 21% last year to only six percent this year.

The reality is that not all insider threats are malicious; some are the result of an honest mistake or careless employee behaviour. Monitoring allows cybersecurity professionals to decrease their risk exposure by quickly detecting unusual employee system activity. Identification of high-risk insiders is a key part of a threat prevention strategy.

One way to identify these individuals is to profile their behaviour and work patterns. Hostility towards other employees, late or excessive missing work, undue work outside normal work hours, and declining performance are just some of the indicators. Most organizations strongly believe it is necessary to identify high-risk insiders based on their behaviours (88%).

Detecting and preventing insider attacks is much more challenging than external breaches, as they are users with legitimate access that unwittingly create vulnerabilities or intend to maliciously exploit an organization’s cyber assets. The best practices for averting insider threat include:

• Preventing data breaches by vaulting administrative credentials and controlling privileged user access
• Preventing unauthorized access through multi-factor authentication credentials and login restrictions. Detecting abnormal behaviours.
• Limiting privileged escalation through command and socket filtering; zero-trust, permit-by exception policies; and proactive policy enforcement.
• Monitoring, analyzing, recording and auditing privileged user behaviour and activities, integrating with SIEM and IDM to certify privileged user access.

At the end of the day, as Kevin Mitnick puts it(the famous American computer security consultant, author and hacker) – “A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.”

While every business is relying on software and data to compete in this increasingly digital world, it is critical that organizations understand who is assessing their applications, systems, resources & data – a Friend or a Foe?