You can't eliminate the threat of insiders, but you can prevent the damage

However, many chief information security officers (CISOs) are equally concerned about bad actors closer to home: their own employees, who don’t necessarily need advanced security skills to cause damage.

While insider threats are not new, several recent developments have made them more of a problem. For one, the pandemic-induced surge in remote working and the trend toward increased employee turnover have made identifying and mitigating insider threats more difficult. Growing geopolitical instability can add fuel to the fire. To make matters worse, ransomware gangs have reportedly offered large bribes to prominent employees within target organisations to gain access to corporate networks.

The threat has grown so large that the Australian Security Intelligence Organisation (ASIO) anticipates espionage will supplant terrorism as Australia’s principal security threat over the next five years.

In 2019, a leading Australian biotechnology company lost thousands of documents containing highly sensitive intellectual property after an employee exfiltrated the information to secure a high-level position at a key competitor.

The victim alleged that in the months before resigning, the employee had talked to senior executives at the competitor organisation on multiple occasions about taking the sensitive information. The employee subsequently obtained a senior position with the competitor and was accused of taking trade secrets related to various products. Most importantly, he was accused of sharing details about a top-secret treatment for common blood disorders, which forms the cornerstone of the victim’s business.

The critical challenges of insider threat detection

Detecting insider threats is not a simple task. First, insiders already have privileged access to the corporate network without needing to break in. They also inherently know what information is valuable and where to find it. Insiders can be employees, contractors, suppliers, interns, or board members: anyone with higher level access than the public.

Second, insider attacks are difficult to prevent with many of the commonly used security tools on the market, which are designed to protect against external threats. For instance, corporate firewalls can’t block insiders from accessing sensitive files, as they already have legitimate access.

Third, determining what is and isn’t suspicious activity is also extremely challenging. Insiders need some degree of privileged access to do their jobs effectively, so it can be difficult to determine whether an access attempt on a sensitive file is legitimate or nefarious. Most security tools cannot tell the difference between someone who downloads a confidential document to work on it and someone who shares it with a competitor.

Lastly, insiders can have powerful motives depending on their circumstances. They may feel they have been wrongfully dismissed. They may have ideologies opposed to what their organisation does, or they may have joined an organisation with the intent of causing damage. Attackers are increasingly bypassing tried and tested methods like phishing emails, opting to pay disgruntled insiders for credentials that will allow access to the network, as demonstrated in the LockBit 2.0 ransomware attacks.

Whatever the source of an insider threat, the impacts can be huge. According to the Ponemon Institute’s 2020 Cost of Insider Threats study, the annual globally averaged cost of an internal data breach to an organisation was US$11.45 million.

A three-stage approach to blocking insider threats

Step 1 – Detect

What cannot be seen cannot be protected. Every organisation must first understand where their sensitive data is located. Most organisations can’t confidently identify where all their data sits, whether this is on-premises, on the cloud, or strewn across both. Once the location of all data has been identified, the degree of sensitivity must be determined and assigned to each file. Then, organisations must identify those individuals who have access to these files.

After completing these steps, organisations can track who routinely accesses the data and build a baseline pattern of each account holder’s typical activity, with the help of specialised security software.

Step 2 – Prevent

The prevention stage involves blocking malicious insider activity before it initiates. The most critical action an organisation should take in this stage is applying the model of “least privilege”. Least privilege gives each account holder access to the data they specifically need for their role, regardless of how high up that individual might be in an organisation.

Additional recommended safeguards include disabling an employee’s account as soon as their employment is terminated and implementing digital rights management where a set of policies is applied to every document specifying whether it can be printed, edited, emailed, or copied.

Step 3 – Sustain

Steps one and two should not be one-off exercises. These policies and practices must be applied continuously for effective security. Defending against insider threats is an ongoing process that requires continuous monitoring of normal behaviour patterns to detect anomalies.

Data that has not been accessed after a predetermined time should be automatically archived so it is no longer accessible to any insiders with malicious intent. Furthermore, there must be systems in place that change an employee’s access rights when they move into a different role and remove all access rights when they leave the organisation. These processes can be challenging and even impossible to sustain manually in a large organisation, but security software can easily automate these tasks.

Conclusion and takeaway

COVID-19 exacerbated the risks associated with insider attacks. With large organisations creating millions of new files each year, the only way to effectively protect them from malicious insiders is by using security software, which can analyse network activity at rates impossible for any human to match.

Scott Leach is the vice president APJ at cyber security firm Varonis.

This article first appeared on REB's sister platform CyberSecurityConnect