The increased focus on targeted attacks and large-scale data breaches from external threats means it's all too easy for companies to overlook the insider threat, which can be hugely costly and disruptive to their business.
Offering unconditional trust to anyone with access to sensitive information will always create potential risks. Complicating this further, today's insider threat can be inadvertent and unintentional, with employee credentials stolen and used by threat actors to commit data theft – unbeknown to either the individual or the company. How do we know who's at risk when the insider threat is also an outsider threat, and the stakes are just as high?
The potential for disastrous reputational and financial losses makes disclosing a breach a risk for organisations, and reported cases are undoubtedly the tip of the iceberg. Furthermore, though many organisations are anxious about data theft, education programmes designed to increase awareness and prevent such losses are often neither a priority, nor effective.
What's at risk?
Fraud, IT sabotage and Intellectual Property (IP) theft are three of the areas most exposed to insider crime. IP is particularly attractive because it is typically secured with only basic access controls, yet is highly valuable. Millions of dollars can be lost when an employee sells corporate secrets to a competitor, or when an outsider accesses proprietary information. Whether such loss occurs through forged credentials or through what appears to be legitimate access using stolen insider credentials, the damage is the same.
And it's not just multinational corporations that are at risk. Companies of any size can be the target of a current or former employee, contractor, or business partner with the knowledge and skills to cause disruption and damage.
When assessing insider risk, businesses need to consider whether their IP gives them a significant advantage over competitors, the value it represents and the consequences that loss of their IP could have on customers.
How to reduce risk
An effectively designed security programme will help businesses reduce their risk level.
Firstly, it must be focused around the company's most critical data. While a key innovation may be one company's most valuable IP, another's may be customer lists or employee data. Identify what's most important, then apply a protection layer that can monitor and alert on unusual or malicious behaviour around it.
Next, perform an authorisation audit to determine who has access to what, and whether they need it. When people change roles they often retain access to areas of the network they no longer require, creating a target of opportunity. Ensure that all users have only the authorisations the job they're doing requires, so that credentials cannot be used, even unintentionally, to access and possibly steal vital data.
Thirdly, run a threat assessment against your organisation from three vectors: insider, unintentional insider, and malicious user. Match your potential vulnerabilities against real-world cyber-attacks. Taking these proactive steps now will mean far fewer reactive steps are needed in the event of a breach.
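The first two steps above, classifying critical data and auditing who holds access they no longer need, can be turned into a repeatable check. The following is an added example, not Websense's code: the role baseline, the criticality ranking and the sample accounts are all constructed, and the "previous roles" field stands in for whatever an HR system would export.

```python
"""Authorisation audit: flag entitlements that a user's current role does not
justify, and rank the findings by how critical the underlying data is.
All data below is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed baseline: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "engineer": {"src_repo", "build_server"},
    "sales": {"crm_customers", "quote_tool"},
    "hr": {"hr_records", "payroll"},
}

# Constructed output of the "what's most important" exercise (3 = most critical).
DATA_CRITICALITY = {"src_repo": 3, "hr_records": 3, "crm_customers": 2,
                    "payroll": 2, "build_server": 1, "quote_tool": 1}


@dataclass
class Account:
    user: str
    role: str                 # current role, e.g. from the HR system
    entitlements: set         # what the directory / IAM export says they hold
    previous_roles: list = field(default_factory=list)  # hypothetical HR field


def audit(accounts):
    """Return excess-access findings, most critical data first."""
    findings = []
    for acct in accounts:
        needed = ROLE_ENTITLEMENTS.get(acct.role, set())
        for ent in sorted(acct.entitlements - needed):
            # If a former role needed this entitlement, it is role-change residue.
            origin = next((r for r in acct.previous_roles
                           if ent in ROLE_ENTITLEMENTS.get(r, set())), None)
            findings.append({
                "user": acct.user,
                "entitlement": ent,
                "criticality": DATA_CRITICALITY.get(ent, 0),
                "reason": (f"retained from former role {origin}" if origin
                           else "no current or former role justifies this access"),
            })
    findings.sort(key=lambda f: (-f["criticality"], f["user"], f["entitlement"]))
    return findings


# Constructed sample: alice moved from engineering to sales and kept repo access;
# carol holds customer data that no role of hers has ever needed.
SAMPLE = [
    Account("alice", "sales", {"crm_customers", "quote_tool", "src_repo"}, ["engineer"]),
    Account("bob", "engineer", {"src_repo", "build_server"}),
    Account("carol", "hr", {"hr_records", "payroll", "crm_customers"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Findings with no justifying role at all deserve a different follow-up (possible misuse or misconfiguration) from stale role-change residue, which is why the reason is recorded alongside the criticality.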
For a truly successful security programme, businesses must create a business coalition or committee to tackle the problem with stakeholders from across the management structure. HR, legal, physical security, data owners and IT must be involved, each with specific tasks. Collectively, this ‘insider threat team’ adds urgency and vision for an effective threat programme, including policies, controls, and incident response.
Even the best security tool can only do so much to safeguard an organisation. For a threat programme to be truly successful it must engage and educate employees to ensure they don't inadvertently become part of the problem. This takes time and can be a profound cultural shift. And while it's critical to make employees aware of potential risks, it's equally necessary to do so without creating a culture of paranoia, and rather strive for one of shared responsibility.
HR and individual management, as part of the larger threat team, are integral to making that happen. To prevent data theft, fraud and abuse, employees need to be cognisant of interactions, online and otherwise, that could provide opportunities for both malicious and unintentional insider threats.
Because threats change daily, a good security awareness programme should include ongoing education, with curriculum updated regularly for all employees and more frequently for those in IT or with access to critical information.
Addressing the insider threat can seem daunting, but by creating a well-defined approach combining technology and education powered by metrics, your organisation can encourage safer employee behaviour, respond to fewer cyber-security incidents and protect the assets that keep your business running and reputable.
Contributed by Neil Thacker, Information Security & Strategy Officer, Websense