September 2019 marked the inaugural National Insider Threat Awareness Month. Created by the National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF), the campaign was launched to help organizations detect, deter and mitigate insider threats by increasing awareness of the issue. Now in its second year, shining a light on this common cybersecurity challenge is more important than ever before.
Despite reading headlines of devastating cyberattacks caused by insiders, such as the summer Twitter hack, organizations still have a tendency to overlook the “insider threat” while focusing on protecting their networks from outsiders. This can cost them. In the past two years alone, the number of insider incidents have increased by nearly 50 percent, and the cost in 2020 alone has been well over $2 million.
In honor of the month, we talked to six experts from the cybersecurity and IT resiliency fields about how the insider threat could manifest itself and what companies can do to prevent these issues from impacting both their networks and applications.
Gijsbert Janssen van Doorn, Director of Technical Marketing, Zerto
“Cybercriminals love to exploit vulnerabilities and individual employees are proving to be particularly vulnerable. These ‘insider threats’ are often unintentional and non-malicious. It’s just employees who unknowingly open phishing emails or click on the wrong ad, etc. When these bad actors get in, they can then wreak havoc on an organizations’ critical data and systems, and levy large financial costs and possible damage to your brand.
Protecting against the threat of ransomware requires ensuring employees know how to spot ransomware when they see it, but it also requires rethinking legacy data backup strategies to create a resilient IT for when employees do get fooled. By investing in continuous data protection for continuous availability, organizations can recover data files within seconds, and not worry about paying ransoms.
As the future of work remains uncertain, we anticipate more institutions increasing their cyber resilience through adoption of IT resilience solutions that can quickly and effectively provide an ability to recover after an attack. After all, in this game of cat-and-mouse, it is not a matter of if, but when your organization may be attacked. Once you’ve been compromised, prevention is no longer an option. The best way to respond is to have a solid plan in place, be able to quickly recover your information without paying a ransom, and get your organization up and running as swiftly and painlessly as possible.”
Surya Varanasi, CTO, StorCentric
“As companies left the four walls of their office, the pandemic drove organizations to the cloud. This, coupled with a remote workforce, has led to increased threat vectors from ransomware and internal threats. As a result, organizations should focus on controlling access privileges and enhanced backup solutions to protect their data. Organizations must ensure that users, especially system administrators, run in the least privileged mode possible while still being able to maintain productivity. Although useful, this is not foolproof as malware has proven very adept at escalating to root or admin privilege levels. To provide an added layer of security, organizations should use solutions that can provide policy-driven and scheduled data integrity checks to scrub the data for faults, auto-healing without any user intervention and replication capabilities that allow organizations to keep an additional copy of their backups on a different site. When used together, these measures will increase disaster recovery and high availability to prevent data loss from external and internal threats.”
Carl D’Halluin, CTO, Datadobi
“A successful insider attack can result in hours, days, or even weeks of downtime for an organization. This Insider Threat Awareness Month, it is important for businesses to realize that downtime comes at a very high cost — both financially and to reputations — so businesses need to do all they can to prevent it from happening. Companies need a strategy in place that gives themselves a fighting chance to quickly get activities up and running following an insider threat-based cyberattack or disruption. As organizations increasingly rely on unstructured data to perform day-to-day business-critical functions, they need to maintain instantaneous and unfettered access to this core data.
Our recommendation is maintaining a secure golden copy of your mission-critical data in an air-gapped location of your choosing (a physical bunker site, data center, or public cloud) that complements the traditional data protection strategy. Try as we might, we cannot foresee or prevent every insider threat. However, retaining vendor-, hardware-, and software-agnostic access to a golden copy in addition to a traditional backup strategy mitigates risk of exposure from an accidental or malicious insider threat.”
Torsten George, cybersecurity evangelist, Centrify
“An insider threat can be a case of unwitting error, a disgruntled employee, someone within the organization looking to push the boundaries or make a quick buck, or a business partner who compromises security through negligence, misuse, or malicious access. So, what measures can organizations take to minimize their exposure to insider threats?
The answer lies in limiting access and privilege. Many organizations grant too much privilege to their staff, contractors, and partners, where traditional perimeter security will not protect them from an insider accessing critical data. Businesses need to adjust their security strategies to match modern threats, moving away from sloppy password practices and unsecured privileged access and shifting to focus on administrative access controls based on a least privilege approach.
Businesses can take the following steps to address insider threats throughout the month of September and beyond:
- Enforce segregation of duties: Separate duties, especially for sensitive or shared processes and tasks. This ensures that no individual can complete a single task alone. In this context, organizations can, for example, leverage so-called “access zones” to tie the rights a user has to specific resources.
- Establish least privilege: Only give privileged users just enough access to resources, just-in-time to do the job required. Leave zero standing privileges to be exploited.
- Implement access request and approval workflows: Govern privilege elevation with self-service access requests and multi-level approvals, to capture who approved access and the context associated with the request.
- Leverage user and entity behavior analytics based on machine-learning technology to monitor privileged user behaviors: This will help identify abnormal and high-risk activity, as well as can trigger real-time alerts or removal of privileges to stop threat actors, whether they are internal or external threats.”
Bryan Skene, CTO, Tempered
“While workforces remain in remote conditions for the foreseeable future, many organizations have rightfully chosen to adopt a zero-trust policy to counter insider threats. Most people think of malicious employees looking to disrupt the business or even exfiltrate sensitive data for their own personal gain. But insider threats more frequently come from staffers that were unknowingly compromised by bad actors, enabling unfettered network access.
Zero trust protects against both situations because everything (user, server, or networked thing) is required to establish trust first in order to communicate, even within the network perimeter. We recommend utilizing a software-defined perimeter (SDP) that extends invisibility to cloud, multi-cloud, virtual, physical, and edge environments. This provides global connectivity and mobility for entire workforces using one comprehensible policy, wherever they are, for whatever they need to reach securely. Best of all, this can be deployed without ripping and replacing (or even modifying in most cases) existing infrastructure.”
Orion Cassetto, director, product marketing, Exabeam
“Irregular behavior detected at the system or network level can be an indicator of an insider threat. There are numerous indicators for insider threats, and knowing how to recognize the signals and keep track of dispersed or remote working employees is a major part of prevention and protection to the enterprise.
A combination of training, organizational alignment, and technology is the right approach. Specifically, behavioral analytics technology that tracks, collects and analyzes user and machine data to detect threats within an organization is essential. This advanced technology determines anomalous from normal behaviors. This is typically done by collecting data over a period of time to understand what normal user behavior looks like, then flagging behavior that does not fit that pattern. It can often spot unusual online behaviors – credential abuse, unusual access patterns, large data uploads – that are telltale signs of insider threats. More importantly, it can often spot these unusual behaviors among compromised insiders long before criminals have gained access to critical systems.”
