Mohammed Abukhater, Regional Director, Middle East and North Africa, FireEye, discusses the risks brought by insider threats and what it means for your business.
Coming across news of cyberattacks is almost commonplace now. If data breaches were a peripheral issue years ago, they’ve certainly become a prime business concern now. The Middle East, particularly the GCC region, has not been immune to this menace, seeing a worrying share of cyberattacks lately. But while the threat from a host of external players is a given, there is one vulnerability that often tends to get overlooked by most organisations – the insider threat.
The phrase “you’re only as strong as your weakest link” could not be more apt for this particular scenario. You can have the most proactive and robust cyber strategy in place, backed up by industry-leading technology and expertise, but in the end, an organisation’s security hinges on the actions and behaviour of its employees. There is no denying it: the insider threat poses a significant risk to organisations. Any accidental or malicious act by an employee could be a catastrophe for the company in question, and worse, compromise its brand value.
The insider threat can take a number of forms. A simple example is an employee who has access to sensitive company information and intends to use it for malicious purposes. In this instance, the insider might anonymously threaten to release the data unless a ransom is paid. Such attacks may be carried out by financially motivated staffers, or by disgruntled employees under financial pressure. The insider might also be affiliated with an external party and act on its behalf.
The other example is the accidental insider. While most people tend to assume that malicious insiders are the main threat to organisations, this is actually not the case. The accidental insider is the one that organisations need to watch out for. These individuals are manipulated by external threat actors using a variety of techniques, including clever phishing and social engineering. Following a successful subterfuge, the external attacker is then able to use the accidental insider’s machine and access to infiltrate a network and compromise the organisation’s environment.
While many might call for tighter restrictions and ask, “Why not limit access to sensitive data?”, this is much easier said than done. Such a measure is not feasible in practice: despite the risks posed by insiders, companies need to give employees access to data so that they can perform their jobs. Although it is difficult to build controls that reliably detect or mitigate these risks, there are processes organisations can develop to reduce the likelihood of a successful insider breach.
All this requires is foresight and planning on an organisation’s part. There are two pillars to a strategy for tackling insider threats: detection and prevention. When it comes to detection, the first step is to identify critical data assets and record who accesses them and how, so that anomalous insider behaviour stands out against normal activity. Data protection mechanisms should be set up to alert the organisation to unauthorised data transfers, such as sensitive information sent via email or data copied to removable drives. Regular security awareness training that stresses the importance of identifying and reporting insider threat activity to the appropriate security teams should also be conducted, and employees should be taught to recognise spear phishing emails and to avoid attachments or links in unsolicited messages. The organisation should also watch for unusual outbound traffic patterns, such as connections to unknown IP addresses and abnormally large amounts of data leaving the environment.
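The outbound-traffic checks described above can be reduced to a few rules run over connection logs. The following is an added example (not FireEye's code or any product's logic): it parses constructed firewall-style log lines, builds a per-user baseline of bytes sent, and flags flows to destinations outside an assumed list of known networks, transfers far above the user's median, and activity outside assumed business hours. The log format, the known-destination ranges (documentation address blocks), the thresholds and the hours are all assumptions for illustration.

```python
"""Flag anomalous outbound transfers in constructed firewall log lines.

Added example, not FireEye's code. Log format, thresholds and the
'known destination' ranges are assumptions for illustration.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp user src_host dst_ip bytes_out".
# The last bob line is the interesting one: a large late-night transfer
# to an address no one in the organisation normally talks to.
SAMPLE_LOG = """\
2019-03-04T09:01:12 alice WS-101 192.0.2.10 18400
2019-03-04T09:05:40 alice WS-101 192.0.2.10 22100
2019-03-04T09:10:03 alice WS-101 198.51.100.5 15300
2019-03-04T12:30:44 alice WS-101 203.0.113.9 2100
2019-03-04T09:40:19 bob WS-204 192.0.2.10 9800
2019-03-04T10:02:57 bob WS-204 198.51.100.5 12400
2019-03-04T11:15:31 bob WS-204 198.51.100.5 11700
2019-03-04T22:47:05 bob WS-204 203.0.113.77 734000000
"""

# Assumed: networks the organisation recognises (its SaaS, partners, CDN).
KNOWN_DESTINATIONS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
ABSOLUTE_BYTES_LIMIT = 100 * 1024 * 1024  # assumed hard cap per connection
BASELINE_MULTIPLIER = 10                  # assumed: flag > 10x the user's median
BUSINESS_HOURS = range(7, 20)             # assumed: 07:00 to 19:59 local time


def parse_log(text):
    """Turn the whitespace-separated sample format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, dst, nbytes = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "dst": ipaddress.ip_address(dst),
            "bytes": int(nbytes),
        })
    return records


def is_known_destination(ip):
    return any(ip in net for net in KNOWN_DESTINATIONS)


def user_baselines(records):
    """Median bytes per connection for each user; the median is robust
    to the single huge transfer we are trying to catch."""
    per_user = defaultdict(list)
    for r in records:
        per_user[r["user"]].append(r["bytes"])
    return {user: statistics.median(sizes) for user, sizes in per_user.items()}


def find_anomalies(records):
    """Return (user, host, dst, bytes, reasons) for every flow that trips a rule."""
    baselines = user_baselines(records)
    alerts = []
    for r in records:
        reasons = []
        if not is_known_destination(r["dst"]):
            reasons.append("unknown destination")
        if (r["bytes"] > ABSOLUTE_BYTES_LIMIT
                or r["bytes"] > BASELINE_MULTIPLIER * baselines[r["user"]]):
            reasons.append("large transfer")
        if r["time"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            alerts.append((r["user"], r["host"], str(r["dst"]), r["bytes"], reasons))
    return alerts


if __name__ == "__main__":
    for user, host, dst, nbytes, reasons in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{user}@{host} -> {dst} ({nbytes} bytes): {', '.join(reasons)}")
```

Run against the sample, alice's small connection to an unknown address produces a single low-severity hit, while bob's transfer trips all three rules at once; in practice an analyst would rank alerts by how many independent indicators coincide rather than paging on every unknown destination.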
The other pillar is prevention. Since employees have approved access to company information assets, preventing insider threats can be just as challenging as detecting malicious insider activity. However, organisations can implement measures to reduce the chance that a malicious insider will be able to compromise the integrity, availability or confidentiality of company data. A key issue to be addressed is how much access employees should be allowed, if any at all. Follow the principle of “least privilege,” and ensure that employees cannot access data unless it is essential to their current job function. Care should also be taken with regard to portable storage devices: implement preventative controls such as blocking removable drives, so that valuable company information cannot simply be copied out. Deploy data loss prevention (DLP) technology that inspects outgoing company email and reduces the chance that an insider can send sensitive data out of the environment. It is also imperative that employees receive regular security awareness training that stresses scrutiny of suspicious emails, links and attachments.
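What an email DLP check actually does at the mail gateway is worth seeing in code. The following is an added example written for this page (not FireEye's DLP, and not a substitute for a real product): it inspects a constructed outgoing message for assumed classification markers and for card-like numbers that pass the Luhn check, and blocks the message only when such content is addressed outside an assumed internal domain. The domain, markers, regex and the two sample messages are all assumptions for illustration.

```python
"""Gateway-style DLP check on outgoing mail (added example, not FireEye code).

Assumptions: the organisation's domain is example.com, documents carry the
listed classification markers, and payment-card numbers are the one kind of
structured sensitive data we look for.
"""
import re

INTERNAL_DOMAIN = "example.com"                                  # assumed
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "RESTRICTED")  # assumed
# 13-19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits):
    """Standard Luhn checksum; weeds out ticket numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def external_recipients(recipients):
    return [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def inspect_message(msg):
    """Return (decision, findings, external_recipients).

    decision is 'block' (sensitive content leaving the domain),
    'allow-log' (sensitive content staying internal; record it) or 'allow'.
    """
    haystack = " ".join([msg["subject"], msg["body"]] + msg.get("attachments", []))
    findings = []
    upper = haystack.upper()
    for marker in CLASSIFICATION_MARKERS:
        if marker in upper:
            findings.append(f"classification marker: {marker}")
    cards = find_card_numbers(haystack)
    if cards:
        findings.append(f"{len(cards)} Luhn-valid card number(s)")
    external = external_recipients(msg["to"])
    if findings and external:
        return "block", findings, external
    if findings:
        return "allow-log", findings, external
    return "allow", findings, external


# Constructed sample messages.
LEAKY_MAIL = {
    "to": ["alice.personal@webmail.example"],
    "subject": "customer list",
    "body": "Attached Q1 customer list, CONFIDENTIAL. Refund card 4111 1111 1111 1111.",
    "attachments": ["q1_customers_RESTRICTED.xlsx"],
}
BENIGN_MAIL = {
    "to": ["partner@vendor.example"],
    "subject": "ticket",
    "body": "Please reference ticket 1234 5678 9012 3456 when replying.",
}

if __name__ == "__main__":
    for mail in (LEAKY_MAIL, BENIGN_MAIL):
        decision, findings, external = inspect_message(mail)
        print(f"{mail['subject']}: {decision} findings={findings} external={external}")
```

The Luhn step matters more than it looks: a 16-digit ticket or invoice number is common in business mail, and a rule that fires on every digit run trains users and analysts to ignore the control.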
Detecting and preventing insider threats is no easy task, but if organisations identify their most critical assets and maintain good visibility into activity around those assets, the chance of detecting unauthorised activity increases. It goes without saying that organisations must stay vigilant against external threats, but the risk from insiders must not be overlooked – the fallout could be far worse.