More than ever, your users are the weak link in your network security. Mitigating insider threats isn’t just about thwarting the malicious actions of a disgruntled employee; a careless insider can cause just as much damage. If you are not already doing so, you need to train employees in your policies and best practices. Employees who have been conditioned to remain vigilant, keeping security in mind during all of their activities, are far less likely to become an insider threat. That training is just one of the ways to protect your business, and the rest of this article walks through the others.
First, let’s establish a simple definition of an insider threat as we discuss it in this article: an insider threat is a threat to a network or computer system that originates from a person with authorized system access. Insider threats are sometimes called insider risks or insider attacks.
Effective security awareness training is not always simple. Time, budget and participation are all common obstacles; as with anything necessary, you have to find the resources and use them creatively.
Here are some ideas to help reduce breach potential due to intentional or unintentional insider actions.
Conduct a Risk Assessment
A comprehensive assessment will identify the weak points in your environment. It should cover physical security, the network and systems, application development and support, and the people who use all of them.
Develop a Security Policy
Your organization’s policy does not need to run to many pages; as long as it sets clear expectations and required behaviors for all employees, it will do its job. Enforcement without a policy (and without training on it) is ineffective at best and impossible at worst. The policy should always spell out the acceptable use of organizational data, organization-owned devices, and personal devices used for work (BYOD).
Back Up Your Policy with Training
Without training, both at onboarding and on an ongoing basis, your policy is only a “checkbox item,” not a useful tool. To reduce risky insider behavior, employees need to remain vigilant, and the best training programs use frequent short reminders rather than a single annual session. We remember the things we hear or do regularly; an annual training held to satisfy an audit requirement does not make a functional program. Some of the most important (and most frequent) reminders should concern email usage, opening files or links, and the use of portable media. Training should get people into the habit of looking at who sent an email, not just its content, and at the actual sender address rather than the display name, since the name shown is trivially forged. Users should exercise extreme caution whenever the sender is unknown, or when they were not expecting the message or its attachment.
Don’t Forget Physical Security
You must train employees to notice and question people who do not belong in the facility. For example, an employee should report someone wearing a visitor’s badge who appears to be unescorted.
Monitor and Correlate Logs
Use log correlation engines and security information and event management (SIEM) systems to provide real-time analysis of the security alerts generated by network hardware and applications. Individual events from a single device rarely tell the whole story; the value is in correlating activity across sources, and in flagging patterns such as an account or device behaving in a way it never has before.
Investigate Suspicious or Unusual Activity
Investigate any suspicious or “out of the norm” activity, no matter where it occurs and even if it does not seem relevant. It is better to check and confirm there is no danger than to assume all is well. Not so long ago, small transactions on credit cards were routinely ignored as noise. That ended when card issuers and merchants realized thieves were placing small test charges to confirm which stolen card numbers were still valid. Once a card was confirmed, they used it to steal the big money.
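The detection side of the two points above (correlating events rather than reading them one at a time, and not dismissing small anomalies) can be illustrated with a small correlation rule. The following Python is an added example and is not code from the original article or from any SIEM product: it runs over constructed payment-authorization log lines, raises an alert when one source address makes a burst of small charges against many different cards, and then escalates any later large charge on a card that was approved during that burst. The log format, field names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample payment-gateway authorization log (not from the article).
# One event per line: timestamp, source IP, card token, amount, result.
SAMPLE_LOG = """\
2024-03-01T10:00:01 src=203.0.113.5 card=tok_1a amount=1.00 result=declined
2024-03-01T10:00:03 src=203.0.113.5 card=tok_2b amount=0.50 result=declined
2024-03-01T10:00:05 src=203.0.113.5 card=tok_3c amount=1.00 result=approved
2024-03-01T10:00:07 src=203.0.113.5 card=tok_4d amount=0.75 result=declined
2024-03-01T10:00:09 src=203.0.113.5 card=tok_5e amount=1.00 result=approved
2024-03-01T10:00:11 src=203.0.113.5 card=tok_6f amount=1.00 result=declined
2024-03-01T10:03:00 src=198.51.100.9 card=tok_7g amount=84.20 result=approved
2024-03-01T10:04:12 src=198.51.100.9 card=tok_7g amount=1.00 result=approved
2024-03-01T12:30:00 src=203.0.113.5 card=tok_5e amount=912.00 result=approved
"""

# Rule thresholds (assumed values for illustration; tune to your own baseline).
SMALL_AMOUNT = 2.00            # anything at or below this is a probe-sized charge
WINDOW = timedelta(minutes=5)  # sliding window per source address
MIN_PROBES = 5                 # small charges needed inside the window to alert
MIN_DISTINCT_CARDS = 4         # ...spread across at least this many cards
CASHOUT_AMOUNT = 500.00        # later charge size that counts as "the big money"


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; amount becomes a float."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    event["amount"] = float(event["amount"])
    return event


def correlate(log_text):
    """Two-stage correlation over a text log.

    Stage 1: a burst of small charges against many different cards from one
             source is card testing; raise one alert per source.
    Stage 2: any card that was approved during such a burst is now known-good
             to the attacker, so a later large approved charge on it is escalated.
    Returns {"probes": [...], "cashouts": [...]}.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    recent = defaultdict(deque)   # src -> small charges inside the window
    alerted = set()               # sources already reported for probing
    validated = {}                # card -> src that confirmed it via a probe
    probes, cashouts = [], []

    for ev in events:
        if ev["amount"] <= SMALL_AMOUNT:
            q = recent[ev["src"]]
            q.append(ev)
            while ev["ts"] - q[0]["ts"] > WINDOW:   # expire events outside the window
                q.popleft()
            cards = {e["card"] for e in q}
            if len(q) >= MIN_PROBES and len(cards) >= MIN_DISTINCT_CARDS:
                # Remember every card the attacker has just confirmed works.
                for e in q:
                    if e["result"] == "approved":
                        validated[e["card"]] = ev["src"]
                if ev["src"] not in alerted:
                    alerted.add(ev["src"])
                    probes.append({
                        "src": ev["src"],
                        "window_start": q[0]["ts"].isoformat(),
                        "window_end": ev["ts"].isoformat(),
                        "attempts": len(q),
                        "distinct_cards": len(cards),
                    })
        elif (ev["amount"] >= CASHOUT_AMOUNT and ev["result"] == "approved"
              and ev["card"] in validated):
            cashouts.append({
                "ts": ev["ts"].isoformat(),
                "src": ev["src"],
                "card": ev["card"],
                "amount": ev["amount"],
                "validated_by": validated[ev["card"]],
            })
    return {"probes": probes, "cashouts": cashouts}


if __name__ == "__main__":
    for kind, alerts in correlate(SAMPLE_LOG).items():
        for alert in alerts:
            print(kind, alert)
```

On the sample data the rule reports one probing burst from 203.0.113.5 and then escalates the 912.00 charge on tok_5e two and a half hours later, even though that charge comes from a different time and would look perfectly ordinary on its own. The second stage is the point of correlation: the individual small charges were the clue, and the later large one is the loss they predicted. In a real deployment the thresholds would come from your own transaction baseline, and the cash-out check should not be limited to the same source address, which is why it keys on the card rather than on the IP.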
Institute a Post-Employment Process
Your employee separation process should be well documented. It must include the notification steps and the removal of physical, network and application access, and it should cover shared credentials and keys the person knew, which need to be rotated rather than simply revoked. Whatever the reason for the departure, remove access as soon as the individual is no longer with the organization, and no later than the same day.
Automated, tool-based security is important, but given the way people use systems and tools, it can be both your best protection and your worst weakness. Ransomware incidents usually begin not with a tool failing but with a staff member opening an attachment or clicking a link in the one message that got past the filters. As you consider threats and risks, don’t forget the people. Mitigating insider threats and risks is the simplest but least-executed way to keep businesses and enterprises safe.