Underestimating the dangers within: mitigating the insider cyber threat

(Image credit: iStock)

The cybersecurity risks that businesses are often most concerned about come from external attacks. But at the same time, threats – both by accident or with malicious intent – by their own employees are overlooked, despite accounting for 58% of cybersecurity breaches in recent years.

As a result, a large proportion of businesses may lack any strategy to address insider risks, leaving them vulnerable to financial, operational and reputational harm.

Understanding the risk

Insider threat has always had the mystique of espionage and spies – but usually it’s nothing of the sort. At one end of the spectrum, you’ve got people who are trying to get access to company data and then accidentally share information, or disgruntled employees. And on the other end, you have nation state actors who could be attempting to access sensitive information from government and corporations or disrupt critical national infrastructure.

It’s a delicate issue for businesses to tackle, because anybody could intentionally or unintentionally be an insider threat, and a balance must be found between the security of an organization versus the personal liberty of an individual.

The first obstacle to implementing effective cybersecurity strategies is when the risk at hand is not fully understood. How do you determine what kind of protective controls you put into place to stop the potential exfiltration of data or disruption when there are so many different motives and methods?

Paul Lewis, CISO, Nominet.

Detection, not surveillance

Firstly, a line should be drawn between employee monitoring for possible signs of insider risk and employee surveillance. The latter could have a negative impact on company culture, and ignores the important balance between security and liberty and the legal safeguards that exist.

That being said, some form of threat mitigation and detection should still be in place. One useful tool in the armory is web content URL filtering that blocks malicious websites, for example if you click on a phishing email, or accidentally visit a malicious website and inadvertently open your organization to risk. Technology like this typically works hand in hand with Data Leakage Prevention (DLP). DLP uses keywords and analytics to look for data or information that is sensitive, such as credit card numbers or personally identifiable information and blocks that information leaving the organization.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Because these types of tools can effectively track browsing habits, they must be tightly controlled and only a small number of people in an organization should have access to that data. Even so, that must go through multiple layers of approval. Business leaders must trust their employees, demonstrate that they do, and only use these tools as safety nets. It’s better to try and detect, protect, and solve the problem.

Put effective intervention methods to use

Background checks and vetting are important measures for mitigating the possibility of an insider threat from the very outset. But when it comes to managing an existing team, other methods will have to be explored. For systems and services, audit records and the cyber equivalent of double entry book-keeping should be considered, for instance.

Organizations that are more mature may use honeypots or canary tokens to decoy information on their system that looks sensitive but is fake; if anybody accesses this system or releases information, it can be tracked very easily and, if disturbed, is a good indicator of an insider threat.

Adopting a deterrence strategy is also useful, such as information classification. Systems with a large amount of sensitive information stored in them, data that could be sold or retained to use against someone, are going to be clear targets for insiders. A protective marking on it, such as “confidential”, could either entice or deter these individuals, as it makes clear that certain information is important, tracked and handled cautiously. This allows organizations to ring fence and apply controls to the specific information that is sensitive to them.

Responding to an insider incident

Incident response to insider threats is very similar to other types of data breaches, but with one significant caveat. As an employee they are by default a trusted individual. Therefore, they are potentially able to do significantly more damage than an external threat actor as they know the internal workings of the company and their way around potentially complex systems. Revoking complete access for any employee, for instance, should be a matter of priority when trying to mitigate the impact of any insider threat when suspected of carrying out a malicious breach.

Reporting the incident is ultimately the same type of process, but the way organizations initially approach the individual will differ from third-party actors. It’s especially important, in these circumstances, to have irrefutable evidence, as accusing somebody who is innocent could also cause significant damage to a business and the individual.

Insider threats too often sit in the blind spot of businesses. But by focusing on external threats exclusively – perhaps in favour of avoiding tension or perceptions of mistrust in the workplace – organisations and their employees are left vulnerable to the genuine threat insiders pose, often greater than the threat posed by third-party actors. It is a crucial element of any robust cyber strategy, and not to be overlooked.

We’ve listed the best identity management software.

This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Paul Lewis, CISO, Nominet.