These days, the threat landscape for most companies is massive. But while there is a litany of outside threats that their security teams need to worry about, there is often an even greater danger much closer to home.
Regardless of your industry, the size of your organisation, or the type of business you have, insider threat is a menacing reality. In most organisations, this threat has been undervalued, underestimated and underfunded. It’s the elephant in the room that no one wants to talk about because it means acknowledging that one of your own employees might take you for a ride.
Security pros are constantly being warned about insider threats. We were told that our companies need next-generation software, integrated threat intelligence, and the ability to correlate massive amounts of event logs and context to arm ourselves against these threats.
We were told that these tools are necessary to block attacks and to recover from attacks, should they be successful. Unfortunately, when companies eventually figure out that they’ve been compromised, they also discover their systems had been compromised for an extended period of time.
“Insider threats can include a combination of malicious insiders, compromised insiders, and careless insiders,” says Wade Williamson, Director, Product Marketing, Vectra Networks. “You will need clear visibility for identifying all of these threats, but they will differ in behaviour and how security will be able to detect them.”
Just how big is the insider threat problem?
According to the Cisco Connected World Technology Report, seven out of 10 employees admitted to knowingly breaking IT policies on a regular basis, and three out of five believe they are not responsible for protecting corporate information and devices.
“According to some estimates, up to 90 percent of organisations are not fully aware of devices accessing their network; and it is not unusual to learn that there are five to 10 times more cloud applications in use than IT departments realise. In addition, there is an increasing number of devices connecting to the network, resulting in challenges that grow exponentially,” says Anthony Perridge, Security Sales Director, Cisco.
Nicolai Solling, Director, Technology Services, Help AG, cites a recent study from Crowd Research that says over the last year, 62 percent of security professionals found insider threats have become more frequent. Despite this, fewer than 50 percent of organisations have appropriate controls to mitigate this threat.
“This is of course closely linked to the fact that when a company starts up an employment relationship with an individual it is based on the assumption and trust that the person is the correct one to do a job,” he adds. “Insider threats are generally difficult to detect as they are different in autonomy than other threats and can therefore circumvent our classical defence systems. Typically, insider threats are focused on data leakage over prolonged periods of time; as an example it could be intellectual property and trade secrets. As the employee also takes data in and out of the organisation in the form of mobile devices and laptops, it is also difficult to physically monitor the behaviour of the individual.”
When it comes to security, insider threats are an unfortunate fact of life, and there are many factors increasing organisations’ exposure to threats posed by insiders. “Enterprises are finding it more and more difficult to protect their networks for a number of reasons. First, the increasing use of BYOD (bring your own device), where employees use their own smartphones and tablets in the office, means that the boundary between trusted and untrusted devices is becoming ever more difficult to define,” says Simon Bryden, Consulting Systems Engineer, Fortinet.
Raj Samani, VP and CTO, Intel Security EMEA, explains that one of the main factors increasing exposure is the openness by which employees are willing to share information about themselves or the company online. This allows anyone to conduct research on their target within minutes.
Greg Day, VP and CSO, Palo Alto Networks EMEA, adds that emerging technologies, tools and connectivity, mobile and remote working, all mean that insiders now have new ways of coordinating with others. For example, the number of SaaS-based applications observed on enterprise networks has grown 46 percent from 2012 to 2015, and now includes more than 316 applications. “The scope of internet based applications and services will only continue to grow, and whilst businesses have been used to managing their own environment, cloud services require new ways of security thinking. It’s all too easy to feel you have lost control, which simply isn’t the case.”
Because most insider activity is never identified, many organisations do not see it as a high priority. Yet an insider carrying out a malicious plan can leave with clean hands and bags full of an organisation’s assets. Even when caught, CERT reports that 82 percent of the time remediation is handled internally with no legal action. This is likely to avoid unwanted public scrutiny or other potential fallout for the organisation due to the incident.
“Alienating employees is perhaps the biggest threat. The wrong implementation of a mobile authentication solution could result in severely compromised convenience for a company’s user base, resulting in an extremely poor user experience. While security is tightened, perhaps through multiple passcodes and other authenticators, employees are likely to resent the time consuming procedures they need to go through in order to access corporate data. As a result, they’ll likely resort to sharing compromising data through alternative channels outside of an authenticated pathway,” explains Marc Hanne, Director of Sales, Identity Assurance, HID Global.
There may be no single solution to the complex challenge of protecting against insider threats within the enterprise, but IT leaders can help their cause with prudent policies that limit who can access what kinds of data, and by working to boost awareness of security issues throughout the organisation.
For a new or rehabbed insider threat programme to be successful, the CIO, CISO or CSO first has to gain boardroom buy-in and illuminate the value such a programme would have to a company in detecting and preventing harm to people, property and company reputation. A thorough assessment of the known or existing vulnerabilities and threats, weighed against the overall company risk appetite, is essential.
“Many organisations develop a user awareness programme, but the effectiveness of such programmes varies,” says Samani. “An awareness programme that is combined with measures to evaluate its effectiveness is one of the best tools for fighting social engineering attacks. Although continuous measurement and refinement in education programmes represent an effective counter against social engineering, they are rarely used. In fact, many organisations have not implemented any sort of security or policy awareness training for their employees.”
Stefan Tanase, Senior Security Researcher, Kaspersky Lab, offers another perspective, “If we assume that an insider is planning to leak internal corporate documents, during the days or weeks in which the actual information gathering process occurs, his actions could be detected by observing anomalies in his behavioural patterns – whether it is network activity, such as fetching local copies of a large number of internal documents via company intranet, or even real-life clues, such as using the copying machine more often than usual.”
Technologies such as device management, encryption or data-loss prevention can help reduce the risk of an insider threat – but we must keep in mind that it is impossible to completely eliminate this risk. A highly motivated insider with the right tools and access could always pose a threat, he adds.
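Tanase’s first signal, a user fetching far more internal documents than usual, can be checked against ordinary web-server or proxy logs without any new product. The script below is an added example, not code from the article or from any of the vendors quoted in it; the log line format, the thresholds and the user data are all constructed for illustration. It counts successful document fetches per user per day, builds each user’s own baseline from the median and median absolute deviation (MAD) of their history, and flags days that sit well above that baseline, while ignoring heavy but consistent users and low-volume users whose “spike” is a handful of files.

```python
"""Detect per-user spikes in internal document fetches from intranet access logs.

Added example (not from the article or any vendor quoted in it). The log
format, the thresholds and the sample data are constructed for illustration.
"""
import re
from collections import defaultdict
from statistics import median

# Hypothetical access-log line format, one fetch per line:
#   2016-03-01T10:00:00Z intranet user=alice action=GET path=/docs/x.pdf status=200
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ intranet user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# Constructed sample: per-user fetch counts over five consecutive days.
# bob's 60 on day 5 is the planted collection pattern; carol is a legitimately
# heavy user; dave is a low-volume user with a small, uninteresting bump.
SPEC = {
    "alice": [5, 4, 6, 5, 5],
    "bob": [6, 5, 7, 6, 60],
    "carol": [40, 42, 38, 41, 40],
    "dave": [1, 1, 1, 1, 12],
}


def make_log(spec):
    """Expand the per-day counts into constructed log lines."""
    lines = []
    for user, per_day in spec.items():
        for day, n in enumerate(per_day, start=1):
            for i in range(n):
                lines.append(
                    f"2016-03-{day:02d}T10:{i % 60:02d}:00Z intranet user={user} "
                    f"action=GET path=/docs/{user}/doc{i}.pdf status=200"
                )
    return lines


# Constructed noise: a failed fetch, a non-document hit and a malformed line.
NOISE = [
    "2016-03-05T11:00:00Z intranet user=alice action=GET path=/docs/hr/policy.pdf status=404",
    "2016-03-05T11:01:00Z intranet user=alice action=GET path=/static/logo.png status=200",
    "this line is malformed and must be skipped",
]
SAMPLE_LOG = make_log(SPEC) + NOISE


def daily_document_fetches(lines):
    """Count successful GETs under /docs/ per user per day; skip everything else."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than crash the detector
        if m["action"] != "GET" or m["status"] != "200":
            continue
        if not m["path"].startswith("/docs/"):
            continue
        counts[m["user"]][m["date"]] += 1
    return counts


def find_spikes(lines, k=3.0, min_abs=20):
    """Flag days where a user's count exceeds median + k*MAD of their own history.

    MAD is floored at 1 so a perfectly flat baseline does not give a zero
    threshold; min_abs suppresses small users whose 'spike' is a few files.
    """
    hits = []
    for user, by_day in sorted(daily_document_fetches(lines).items()):
        values = list(by_day.values())
        med = median(values)
        mad = max(median([abs(v - med) for v in values]), 1.0)
        threshold = med + k * mad
        for date, count in sorted(by_day.items()):
            if count > threshold and count >= min_abs:
                hits.append({"user": user, "date": date, "count": count,
                             "baseline": med, "threshold": threshold})
    return hits


if __name__ == "__main__":
    for h in find_spikes(SAMPLE_LOG):
        print(f"{h['date']} {h['user']}: {h['count']} fetches "
              f"(baseline {h['baseline']:.0f}, threshold {h['threshold']:.1f})")
```

On the constructed data only bob’s day 5 is reported. Lowering `min_abs` would also surface dave’s 12 files, which is the tuning trade-off: a per-user baseline catches the quiet employee who suddenly pulls hundreds of documents, but the absolute floor is what keeps the queue free of trivial variations.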
Some companies shy away from implementing an insider threat programme because they worry that the cost of the technology to back it up would be prohibitive, or that it would be too cumbersome for employees.
But experts say insider threat programmes can be implemented in most part by removing privileged access where it is not needed or too risky, and by using the tools already embedded in the network.
Day from Palo Alto Networks says, “For any insider threat programme to work, it must rely on humans communicating policies clearly across business boundaries, from the executive leadership team down to employees. All business functions, starting from the internal business units to the external trusted business partners, should be informed about acceptable use. Everyone must be on board, from the managers observing employee behaviour and reporting anomalies to human resources, to the IT department gathering evidence for leadership to make a decision.”
The best approach to combat the menace of insider threats is to make sure that your company’s security policies are clear and accessible to all employees. They should also be actively enforced. Employees have to be constantly reminded of the policies and why the restrictions are in place, despite the inconvenience they may cause. In general, companies need to take a 360-degree view of security that encompasses internal and external threats.