Last week we discussed combating insider threats, beginning with identifying them. This is such an important subject that we want to help you identify some of the most common insider threats. As a reminder, insider threats are threats to a network, computer system or data that originate from a person with authorized system access. You should include mitigation practices for each of these in your Employee Security Policy as soon as possible. Why are we stressing this so much? Because cybercrime is too costly and prevalent to be ignored.
Intentional vs. Unintentional
Before we go into specific examples of insider threats, it’s important to make the distinction between intentional and unintentional threats.
Intentional threats or actions are conscious failures to follow policy and procedures, no matter the reason. People can act out of desire for revenge, theft, perceived justice, or even a well-intentioned need to work from home to complete a task. Unintentional threats or actions, such as misuse of access, neglect, or lack of diligence, can occur without forethought. Though we often think of a threat as something intentional and malicious, the most common events are those with unintentional results. That being said, a deliberate event can be the most devastating and long-lasting, especially when done with the intention of causing harm to the organization. As such, an Employee Security policy should be designed to protect your organization from both threat classifications.
Your policy should be comprehensive regarding actions that are unacceptable; it may not really be necessary to call out intentional and unintentional actions separately, even though the penalties may differ based on intent. Any policy should list intentionally compromising access to resources or data, and removing sensitive data, as banned activities.
The following insider threats and actions often lead to breaches:
Internal hacking
Organizations put preventive measures in place to limit access. Internal hacking requires intentional action, so think of this in terms of criminal or bad intentions. An individual may want to steal data, provide an accomplice access, change damning information, or attempt to further a cause. The hacking may also be done by someone with no intention to cause harm, but who is just curious or wants to “help” identify weaknesses.
Privileged access
Unlike hacking, which has preventive measures in place, compromise in this area involves individuals who legitimately have access. This access is necessary for their job function or to support the organization in a related way. For example, database administrators must have access to underlying structures and data; system administrators must have access to all levels of the devices, operating systems, and storage. In both of these examples, the individuals do not need access at all times, and access does not need to be part of their everyday user account. We often think of DBAs and system admins when we consider privileged access, but don’t forget those who have functional access to proprietary, sensitive, or personal data.
An organization’s proprietary information includes things like strategies, financial and cost information, business plans, and schematics; along with the personal data of both staff and customers, this information is very valuable. Removing data from the applications or databases where it resides can easily cause a compromise. You should clearly define the use of privileged access to include how, when, and why the access is used.
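The paragraphs above argue that privileged access should be separate from the everyday account, time-bounded, and documented by how, when and why it is used. The following is an added example, not code from the original post, that models such a just-in-time access broker in Python: a role (how), a bounded window (when) and a written justification (why) are all required before a grant is issued, and every decision is written to an audit trail. The role names, users, and duration limit are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of time-bounded privileged access (not a real product API).
# Everyday accounts hold no standing privilege; elevation is granted per request
# and expires on its own, so a compromised or misused account has a narrow window.


@dataclass
class Grant:
    user: str
    role: str          # how: which privileged role is exercised
    reason: str        # why: ticket or justification recorded with the grant
    start: datetime    # when: window in which the grant is valid
    end: datetime


@dataclass
class PrivilegedAccessBroker:
    # Which roles each account is eligible to request (hypothetical assignments).
    eligible: dict
    max_duration: timedelta = timedelta(hours=4)
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request(self, user, role, reason, now, duration):
        """Issue a time-bounded grant, or return None and record why it was refused."""
        if role not in self.eligible.get(user, ()):
            self._log(now, user, role, "DENY", "account not eligible for role")
            return None
        if not reason or len(reason.strip()) < 10:
            self._log(now, user, role, "DENY", "missing justification")
            return None
        if duration > self.max_duration:
            self._log(now, user, role, "DENY", "requested duration exceeds policy")
            return None
        grant = Grant(user, role, reason.strip(), now, now + duration)
        self.grants.append(grant)
        self._log(now, user, role, "GRANT", grant.reason)
        return grant

    def is_authorized(self, user, role, now):
        """True only while an unexpired grant for this user and role exists."""
        for g in self.grants:
            if g.user == user and g.role == role and g.start <= now < g.end:
                self._log(now, user, role, "ALLOW", "within grant window")
                return True
        self._log(now, user, role, "DENY", "no active grant")
        return False

    def _log(self, when, user, role, decision, detail):
        # Audit line per decision; in practice this would go to a tamper-evident sink.
        self.audit.append(f"{when.isoformat()} {user} {role} {decision}: {detail}")


if __name__ == "__main__":
    broker = PrivilegedAccessBroker(eligible={"alice": ("dba",), "bob": ()})
    t0 = datetime(2024, 1, 1, 9, 0)
    broker.request("alice", "dba", "INC-1001: restore orders table", t0, timedelta(hours=1))
    print(broker.is_authorized("alice", "dba", t0 + timedelta(minutes=30)))  # inside window
    print(broker.is_authorized("alice", "dba", t0 + timedelta(hours=2)))     # expired
    print("\n".join(broker.audit))
```

The expiry is what turns "does not need access at all times" into something enforceable: the check is made against the clock at the moment of use, so a grant left behind after a task cannot be reused later without a fresh request and a fresh audit entry.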
Email-based threats
Given the number of ransomware attacks occurring, email-based threats are getting most of the attention today. Phishing, malware, and ransomware are all types of attacks that come through email; providing access through these emails is almost always unintentional. An astounding 91% of hacking attacks begin with a phishing or spear-phishing email. People are not diligent in ensuring the emails or links they open are appropriate, expected, or from a known sender. Some of the emails look very real and convincing; I think of them as the “cute cat” emails. Unfortunately, people are the weak link here. It is not enough to just include email-based threats in your policy; frequent training is also an important protection.
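The paragraph above lists the checks a recipient is expected to make: is the sender known, and does the link go where it appears to go. The following is an added example, not code from the original post, that applies those same checks mechanically to a raw message using only the Python standard library, so a mail gateway or a training exercise can flag the indicators before a person has to spot them. The message and the domains in it are constructed (all under the reserved example.com/.net/.org names); the known-sender list is an assumption standing in for an organization's own domains.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization's own sending domains. Anything else is "unknown".
KNOWN_SENDER_DOMAINS = {"example.com"}

# Constructed sample message illustrating three common indicators: an unknown
# sender domain, a Reply-To that differs from From, and link text that shows one
# host while the href points at another.
RAW_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example.net>
Reply-To: reset@example.org
To: alice@example.com
Subject: Password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in at
<a href="http://example.org/reset">https://portal.example.com</a>
to keep access.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text):
    """Hostname of a URL or bare host string, lower-cased; '' if none."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def phishing_indicators(raw):
    """Return a list of human-readable findings for the raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_hdr = msg["from"]
    from_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    if from_domain not in KNOWN_SENDER_DOMAINS:
        findings.append(f"sender domain not known: {from_domain or '<none>'}")

    reply_hdr = msg["reply-to"]
    if reply_hdr and reply_hdr.addresses:
        reply_domain = reply_hdr.addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(f"reply-to domain {reply_domain} differs from sender {from_domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            # Only compare when the visible text itself looks like a URL or host.
            if "." in text and " " not in text and _host(text) != _host(href):
                findings.append(f"link text shows {_host(text)} but points to {_host(href)}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(RAW_EMAIL):
        print("-", finding)
```

None of these checks proves a message is malicious on its own; the value is that they are cheap, explainable, and match exactly what the training above asks users to look for, so a flagged message can be shown to the recipient with the reason attached.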
Mobile and cloud storage
Sensitive and personal data can be compromised more easily on cloud and mobile storage. Users can copy the information in spreadsheets or documents to mobile devices (phones, USB drives) or store them on file sharing services like Google Drive, OneDrive, Box, Dropbox, or a myriad of other locations.
- Portable devices: We are moving away from USB drives. Many organizations have protections in place to prevent certain data from being copied to portable drives or phone storage. If you do not have those precautions in place, ensure that your policy and training include reminders about the appropriate use of portable devices. Portable devices can also increase the risk of malware, as people connect to these devices through personal networks.
- Cloud storage: The use of cloud-based storage is wonderful for collaboration and file sharing, especially for remote workers, but companies should take care to define what type of data or files are permitted in this storage area. Given the familiarity with these tools and functionality, consider how easy it is for staff to mistakenly save data to their personal cloud storage account, especially if they have access to that account from work. Also, if they need access to data at home, they may put that data in their personal account assuming it is more secure than using a USB drive. In reality, this puts this information at risk. How much risk depends on how diligent the employee is about access to their personal cloud storage; it is often shared with friends and family who now have access to potentially sensitive data.
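The two items above point out that data ends up in personal cloud accounts through ordinary, familiar tools, so the defensive question is whether you can see it happening. The following is an added example, not code from the original post, that runs a simple detection over web proxy log lines: it aggregates large POST/PUT uploads per user to the consumer file-sharing services the post names, skipping a hypothetical sanctioned corporate file host. The log format, the sanctioned host and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log format (assumption): timestamp user src-ip method url status bytes-sent
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice 10.1.2.3 GET https://www.dropbox.com/home 200 1532
2024-03-04T09:12:40Z alice 10.1.2.3 POST https://content.dropboxapi.com/2/files/upload 200 48213344
2024-03-04T09:13:05Z bob 10.1.2.7 PUT https://files.example.com/sync/report.xlsx 200 2200000
2024-03-04T09:15:22Z carol 10.1.2.9 POST https://drive.google.com/upload/resumable 200 512
2024-03-04T09:16:10Z alice 10.1.2.3 POST https://api.box.com/2.0/files/content 201 9000000
"""

# Consumer file-sharing services named in the post; matched by domain suffix.
PERSONAL_STORAGE_DOMAINS = {
    "dropbox.com", "dropboxapi.com", "drive.google.com", "onedrive.live.com", "box.com",
}
# Hypothetical sanctioned corporate file host; uploads here are expected.
SANCTIONED_HOSTS = {"files.example.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, method, url, status, sent = m.groups()
    return {
        "ts": ts, "user": user, "src": src, "method": method,
        "host": (urlparse(url).hostname or "").lower(),
        "status": int(status), "bytes": int(sent),
    }


def is_personal_storage(host):
    """True if host is one of the consumer services or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in PERSONAL_STORAGE_DOMAINS)


def find_uploads(log_text, min_bytes=1_000_000):
    """Aggregate sizeable uploads to personal cloud storage per user.

    Returns {user: {"uploads": n, "bytes": total, "hosts": [..]}} for users who
    sent at least one request of min_bytes or more to a personal storage host.
    Caveat: on services shared by consumer and corporate tenants (e.g. Google
    Drive) the hostname alone cannot tell a personal account from a sanctioned
    one; that needs tenant restrictions or CASB-style inspection in addition.
    """
    per_user = defaultdict(lambda: {"uploads": 0, "bytes": 0, "hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        if rec["host"] in SANCTIONED_HOSTS or not is_personal_storage(rec["host"]):
            continue
        if rec["bytes"] < min_bytes:
            continue
        entry = per_user[rec["user"]]
        entry["uploads"] += 1
        entry["bytes"] += rec["bytes"]
        entry["hosts"].add(rec["host"])
    return {
        user: {"uploads": e["uploads"], "bytes": e["bytes"], "hosts": sorted(e["hosts"])}
        for user, e in sorted(per_user.items())
    }


if __name__ == "__main__":
    for user, summary in find_uploads(SAMPLE_LOG).items():
        print(f"{user}: {summary['uploads']} upload(s), {summary['bytes']} bytes -> {summary['hosts']}")
```

The size threshold keeps routine browsing and small synchronisation traffic out of the alert, which is what makes the result reviewable by a person; the aggregate per user rather than per request is what turns a single large transfer into the out-of-the-ordinary activity the post says not to ignore.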
Mitigating Insider Threats
The last two weeks’ blogs have focused on insider risks and threats. We encourage you to take some time and evaluate the risk associated with insiders, policies, training, and procedures in your organization. The list of risks above is a good place to start. Give special attention to areas where your ability to prevent access is limited. A good example of this is the use of portable devices or cloud storage. As I said in last week’s blog, don’t ignore activity that is out of the ordinary just because it does not seem impactful.