Building a robust and effective information security system is a never-ending process. One point that security professionals need to promote further is that not all enemies come from outside; an attack may just as easily come from one of your most trusted users inside the company.
Too many companies focus on trying to build a bullet-proof wall to protect their most critical assets from external attack, but fail to adequately control what’s going on inside the corporate network. Such a one-sided approach is asking for trouble; everyone knows how much damage an insider threat can cause. The Mossack Fonseca breach is perhaps the most notable recent example.
Many insider security incidents go unnoticed due to a lack of monitoring and detection tools. According to Verizon’s 2016 Data Breach Investigations Report (DBIR), about 66 per cent of insider misuse cases involve privilege abuse, and most of them can be attributed to the human factor. This indicates that the most vulnerable part of any security strategy is not hardware or software, but people. Intentionally or unintentionally, employees use sensitive data in inappropriate ways.
Too many employees think nothing of sending corporate information to personal email accounts, uploading corporate data to personal devices, sharing passwords and so on. One careless mouse click can derail even the best security efforts. For example, in October 2015, it was reported that Vacaville Housing Authority admitted one of its employees had accidentally sent an email containing private client data to an unauthorised person. The incident was successfully resolved, but it took the organisation a long time to win back customers’ trust.
The main reason insiders are so dangerous is that they don’t need to hack the system or hijack credentials; they already have access to sensitive data as part of their day-to-day work. Just one user with access rights and malicious intentions can be more harmful to a business than any attack from the outside. According to the Netwrix 2016 IT Risks Report, the human factor is the most common cause of increased security risks, either from accidents (47 per cent) or from deliberate abuse of privileges (13 per cent). This makes the detection of human errors and insider misuse a pressing task for the majority of respondents.
Blind trust, even in employees with a long and loyal service record, can come at a high price for the business. For example, a CVS pharmacy employee who had been employed for seven years recently stole patient data and passed it to a property manager, who then used it to obtain credit and credit cards.
Of course, even the very best security practices cannot guarantee complete protection against insider threats. Nevertheless, there are steps organisations can take to protect sensitive information from insider activities:
- Use a data-centric approach: When it comes to data protection, there is no such thing as too much security. However, rather than trying to protect absolutely everything, determine which assets are the most important and concentrate your efforts on them.
- Ensure visibility into user behaviour: Staying aware of what is changing in your IT infrastructure will help you spot suspicious activity in a timely fashion so you can take appropriate counter-measures. Continuous monitoring will also help you prove to compliance auditors that all changes to system configuration and access to sensitive data are easily traceable.
- Keep your history: Retain your audit trails for a long period of time and make sure they are easily accessible. Being able to review exactly what happened and drill down for more details will help you investigate incidents.
- Limit access: Grant users only the access necessary to perform their daily duties. Regularly review access permissions and remove permissions that are unused or inappropriate.
- Monitor attempts to access critical data: Track attempts to access critical files and folders, both successful and failed, to spot malicious activity.
- Promote cyber security by making it everybody’s business: Incorporate security policies into your employee handbook and make sure everybody in your company is aware of them. Conduct regular meetings about cyber security. Warn employees that violating security policies will result in a written warning, bonus loss, or termination of employment.
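The "Limit access" and "Monitor attempts to access critical data" steps above can both be driven from the same audit trail. The following is an added example, not part of the original article or of any vendor product; the log format, paths, user names, threshold and time window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: critical folders, current grants, and an audit trail.
CRITICAL = ("/finance/payroll", "/hr/records")
GRANTS = {("alice", "/finance/payroll"), ("bob", "/finance/payroll"),
          ("bob", "/hr/records"), ("carol", "/hr/records")}
AUDIT = """\
2016-09-01T09:12:00 alice /finance/payroll/sept.xlsx read success
2016-09-14T10:01:00 carol /hr/records/reviews.docx read success
2016-09-20T23:40:00 dave /finance/payroll/sept.xlsx read failure
2016-09-20T23:41:00 dave /finance/payroll/aug.xlsx read failure
2016-09-20T23:43:00 dave /hr/records/salaries.csv read failure
2016-09-21T08:30:00 bob /finance/payroll/sept.xlsx read success
2016-09-22T11:00:00 alice /public/menu.pdf read success
"""

def parse(trail):
    """Yield (timestamp, user, path, outcome) for each audit line."""
    for line in trail.splitlines():
        ts, user, path, _action, outcome = line.split()
        yield datetime.fromisoformat(ts), user, path, outcome

def critical_root(path):
    """Return the critical folder containing path, or None."""
    return next((c for c in CRITICAL
                 if path == c or path.startswith(c + "/")), None)

def failed_access_bursts(trail, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed attempts on critical data
    inside any sliding `window`."""
    fails = defaultdict(list)
    for ts, user, path, outcome in parse(trail):
        if outcome == "failure" and critical_root(path):
            fails[user].append(ts)
    flagged = set()
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
    return flagged

def unused_grants(trail, grants, since):
    """Grants on critical folders never exercised successfully since `since`;
    these are candidates for removal at the next access review."""
    used = set()
    for ts, user, path, outcome in parse(trail):
        root = critical_root(path)
        if outcome == "success" and root and ts >= since:
            used.add((user, root))
    return sorted(grants - used)
```

Shortening the review period passed as `since` surfaces more stale grants, which is why the audit trail has to be retained at least as long as the review cycle.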
Insider threat is one of the top five data breach threats in Experian’s 2016 Third Annual Data Breach Industry Forecast, and it almost certainly will stay on that list. As you build your cyber security strategy, make protection against insider attacks one of your top priorities. While there is no way to make your organisation immune to insider threats, implementing the best practices outlined here will minimise the risk of data breaches.
Netwrix Corporation provides IT auditing software that delivers complete visibility into IT infrastructure changes and data access, including who changed what, when and where each change was made and who has access to what. Netwrix is the first company to introduce a visibility and governance platform that supports both on-premises and hybrid cloud IT environments. Over 150,000 IT departments worldwide rely on Netwrix to audit IT infrastructure changes and data access, prepare reports required for passing compliance audits, and increase the efficiency of IT operations.
Dr. Alex Vovk has gained an impressive 15 years’ experience in software expertise, leadership and operational management. Prior to Netwrix, he worked at Aelita Software, where he served as the architect for the company’s key technologies. Dr. Vovk holds a master’s degree and a PhD in information security.