Data security breaches can be devastating in terms of cost and reputation so efforts are rightly directed at protecting the perimeter of an organisation's IT systems from unauthorised intruders. However, the threat within is harder to guard against.
A recent survey by the SANS Institute confirmed that the insider threat is a key concern for security professionals. Yet, of the 770 businesses polled, 32 percent had no systems in place to protect against insider attacks, around half struggled to estimate the damage from such an attack, while 44 percent didn't know how much they spent on preventing insider threats.
Spotting security incidents from within is difficult because the attacker may have legitimate access. If the credentials being input are valid, the same alarms are not raised as when an unauthorised user attempts entry. There is a line to be drawn between allowing employees access to information they need and implementing an effective lock-down of sensitive data. Alongside enabling innovation and productivity, every company has to deal with the insider threat.
The truth is, it's not just an IT matter, they really just provide the tools. It's down to the C-suite, managers, HR, Legal and IT to work together to empower and engage employees on the subject. Trust is key; there needs to be an atmosphere in which management can take advice they don't necessarily want to hear and in which employees can speak up without fear.
Here are the top five ways to protect your organisation from insider threats.
Conventional screening methods struggle to detect unauthorised use of information that has been accessed 'legitimately.' However, the signs of an insider threat are often there before a breach occurs. Behavioural changes should act as a red flag – is an employee accessing data at odd times? Other suspicious activity might include an employee complaining more, being less cooperative and taking an interest outside the scope of their responsibilities. Those working around him/ her are the most likely to notice something is amiss, so having communication channels in place for reporting concerns is important.
Employees need to understand the company reserves the right to monitor activity on company-provided equipment and networks. A clear Acceptable Use Policy takes the guesswork out of what is appropriate use. Once the policy is in place, employees need to be educated, trained and agree to it. This will foster a sense of engagement and accountability with the workforce.
The Acceptable Use Policy needs to be an ethos to live and work by, not an episode of form-filling that gets forgotten. Ongoing training will highlight how seriously the organisation takes data protection and will act as a deterrent.
When an employee leaves the company, this should automatically set off a series of security measures. Disgruntled employees are a key source of security breaches. Even if the parting is amicable, employees leaving may be tempted to take information with them. When an employee leaves, immediately terminate all related accounts. Remove employees from all access lists, and ensure they return all access tokens and any other means of secure access.
Finally, remind the departing of their legal responsibilities to keep data confidential.
Ensure the right levels of protection exist for sensitive data and revisit access lists often. Passwords, multi-factor authentication and encryption should all be used depending on the sensitivity of the information. These security measures need to be teamed with regular reviews of employee access privileges. Access rights should operate on the basis of ‘least privilege' - grant access to systems, applications and data based on the position's minimum requirements. Additional access can always be granted.
Guarding against insider attacks is a balancing act. You need to maintain a happy, productive workforce but not an 'anything goes' attitude. Technology solutions can set the parameters for access privileges but this is only one part of the solution. Employees need to know what constitutes acceptable information sharing and know how to sound the alert if something is amiss.
Contributed by Salo Fajer, CTO, Digital Guardian