Here’s a quick reality check: the largest cybersecurity threats are often found on the inside.
More than 34% of businesses globally are affected by insider threats every year, with 2,500 companies in the United States alone encountering daily internal security breaches.
Insider Threats Can’t be Blamed on Technology
Even with these figures, insider attacks are still one of the most underestimated cybersecurity threats in organizations. Internal attacks often aren’t investigated with the same effort external ones are — there tends to be less focus on attackers’ intent, motivation, and capabilities. Security leaders can’t simply ignore the human aspect of these threats, such as in the case of Microsoft when a former software engineer defrauded the company of over $10 million of digital currency over 7 months.
Building Your Insider Risk Mitigation Plan
As your organization prepares for insider threats, identify first the key risks you can mitigate, such as:
- Fines and penalties as a result of compliance failures and violations
- Possible churn
- Data compromise
- Disruptions in business operations
- Reputational damage
Once you’ve determined the risks, the next step is to design a mitigation plan to address them. Ekran System recommends including the following components:
- Steps of the mitigation process — risk evaluation and prioritization; control implementation
- Insider threat mitigation strategies — based on risk probability and impact (more on these strategies below)
- Risk reduction controls — clearly defined policies and software; applying necessary adjustments to current procedures
- Schedule — specifying frequency of risk mitigation activities to keep the plan constantly updated
Best Practices in Insider Threat Mitigation
An update to Forrester’s 2021 report titled Best Practices: Mitigating Insider Threat aims to give IT and security leaders a more objective view of how to address insider threats. Here’s a rundown of the main strategies that the report’s key researchers, Joseph Blankenship and Claire O’Malley, describe:
1. Don’t rely fully on technology.
The human element is just as important as the technical element. Most of the time, even more so.
Insiders are the people you know and trust — former and current employees, third-party contractors, and business partners. Security user behavior analytics (SUBA) and data loss prevention (DLP) solutions help detect a wide range of potential insider threats, but they are only effective when paired with a consistent process and a highly trained security team.
Adopt a zero trust approach; practice the principle of least privilege to avoid access misuse; and know your insiders. Heightened access visibility across all endpoints is key, and assessments must be done from both a behavioral and a technical perspective. As Axonius writes in their informative post, comprehensive, real-time asset management is a key element in maintaining network transparency and preventing insider attacks.
2. Keep your insider and external threat functions separate.
A common mistake security leaders make is taking the same approach to insider and external threats. In fact, interviewees in the Forrester report cited a common handling mishap: treating insider threat as an ordinary security program and passing it off as a mere IT issue.
If your organization hasn’t yet defined its insider threat function, here are some ways to do it:
- Have a separate insider threat team and engage them in specialized training in threat investigation and management.
- Keep it separate from the main IT team, and make insider threat responsibilities a function of the CISO, CRO, or any other executive, depending on business needs.
- Don’t treat employees as the enemy — respect their privacy even as you monitor behavior and access, and clearly communicate your goals to everyone involved in the mitigation process.
3. Get cross-functional buy-in.
Any program or initiative is less likely to be fruitful if there’s not enough support from stakeholders.
The same can be said for your insider threat program — gather inputs from the top down and secure buy-in from the CEO and the board. Your legal, HR, privacy, risk, and security departments should be at the program’s helm; functions such as the CIO, internal audits, and compliance would act as your key support team.
4. Fortify your insider threat process.
Finally, Forrester notes two things your insider threat program needs to be: fair and consistent.
Investigating an insider requires the combined powers of your legal, HR, and compliance teams to ensure impartiality and adherence to policies. Other strategies for solidifying your insider threat program include:
- Always know where your sensitive data is, and who has access to what.
- Create well-defined acceptable use policies for your internal devices and systems, and have employees sign them annually.
- Establish contact with law enforcement in advance, so that if an insider attack takes place and you decide to go beyond termination and bring a case to court, you are prepared.
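Tying together the advice in points 1 and 4 above (least privilege, know your insiders, and know who has access to what), here is an added example that is not part of the original post or any vendor's product: a simple access review that cross-checks a constructed HR roster, account inventory and per-role entitlement baselines to flag departed insiders with live accounts, third-party access past its end date, orphan accounts, and entitlements beyond the role baseline. All names, systems and entitlements are constructed sample data.

```python
from datetime import date

# Constructed sample data (hypothetical, not from any real organization).
ROSTER = {  # who your insiders are: employees, contractors, partners
    "alice": {"type": "employee", "role": "engineer", "active": True, "end": None},
    "bob": {"type": "employee", "role": "engineer", "active": False, "end": date(2023, 5, 1)},
    "carol": {"type": "contractor", "role": "analyst", "active": True, "end": date(2023, 3, 31)},
    "dave": {"type": "partner", "role": "partner", "active": True, "end": None},
}
ACCOUNTS = [  # who has access to what, as exported from each system
    {"user": "alice", "system": "git", "entitlements": {"repo:read", "repo:write"}},
    {"user": "alice", "system": "prod-db", "entitlements": {"db:read", "db:admin"}},
    {"user": "bob", "system": "git", "entitlements": {"repo:read"}},
    {"user": "carol", "system": "data-lake", "entitlements": {"lake:read"}},
    {"user": "dave", "system": "portal", "entitlements": {"portal:read"}},
    {"user": "erin", "system": "prod-db", "entitlements": {"db:read"}},
]
ROLE_BASELINE = {  # least-privilege baseline: what each role legitimately needs
    "engineer": {"repo:read", "repo:write", "db:read"},
    "analyst": {"lake:read"},
    "partner": {"portal:read"},
}
REVIEW_DATE = date(2023, 6, 15)  # the day the review is run


def review_access(roster, accounts, baseline, today):
    """Return (user, system, finding) tuples for every access-review exception."""
    findings = []
    for acct in accounts:
        user, system = acct["user"], acct["system"]
        person = roster.get(user)
        if person is None:  # account with no matching insider in the roster
            findings.append((user, system, "orphan account: no matching insider in roster"))
            continue
        if not person["active"]:  # former employee whose access was never revoked
            findings.append((user, system, "account still enabled for departed insider"))
        elif person["end"] is not None and person["end"] < today:  # expired third party
            findings.append((user, system, "third-party access past contract end date"))
        # entitlements the role baseline does not justify (least-privilege violation)
        excess = acct["entitlements"] - baseline.get(person["role"], set())
        if excess:
            findings.append((user, system, f"beyond role baseline: {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for finding in review_access(ROSTER, ACCOUNTS, ROLE_BASELINE, REVIEW_DATE):
        print(" | ".join(finding))
```

Each finding is a review ticket for the insider threat team, HR and the system owner to close together rather than something to act on unilaterally.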
Final Thoughts
You never know when a trusted insider will be able to break down your company’s defenses. Take the necessary measures we’ve recommended above, run regular security audits, foster a culture of security within your organization, and have a robust incident response plan in place.
Think you’re too small for insider attacks? Think again. Watch our On Demand Session on How to Introduce “Enterprise-Grade” Security at a Startup, featuring Daniel Trauner, Director of Security at Axonius.
Photo by Lewis Kang’ethe Ngugi on Unsplash