Cybersecurity risks are top of mind in every Board Room and C-Suite these days, and organizations are spending significant time and effort trying to bolster their defenses.
Much of the conversation and effort is focused on external threats in the form of rogue hackers and foreign governments. However, many of the most high-profile data breaches in recent memory were perpetrated by individuals within an organization. Just look at a few recent examples:
- Edward Snowden was behind one of the biggest insider threat data breaches in US history. Snowden collected Top Secret US Government documents and leaked them to media outlets. He did not possess "need to know" for many of the files he collected, but was able to obtain access to the information from the inside.
- An employee at Morgan Stanley illegally accessed account information for approximately 730,000 clients. The organization went through a federal investigation, which determined that faulty access controls were to blame. The breach raised questions about Morgan Stanley's ability to protect its clients' data.
- A vengeful employee at the oil and gas company EnerVest reset a large number of servers to factory settings after he found out he was losing his job. The company could not conduct normal business operations for about 30 days, resulting in lost revenue totaling more than half a million dollars.
- In New Zealand, an individual at the public Ministry of Health inadvertently emailed a spreadsheet containing the personal information of about 25,000 individuals to about 950 pharmacists, resulting in a serious reputational impact for the organization.
According to a recent study by McAfee/Intel Security, internal actors were responsible for 43% of data loss, half of it intentional and half accidental. In addition, in a recent study by SANS, 74% of security professionals said they were concerned about Insider Threats. Since insiders inherently have easier access to data, these losses are often more damaging.
Organizations should use a combination of administrative and technical controls to reduce the risk associated with Insider Threats.
- Perform Periodic Risk Assessments – Document and assess the risks posed to the organization and get management buy-in. This will help you to prioritize your efforts in securing data.
- Implement effective security and awareness programs – Remind employees of the importance of protecting sensitive information with both formal training and awareness campaigns. Ensure the "tone at the top" stresses the importance of vigilance for each and every employee.
- Implement Separation of Duties – Don't allow any one employee to have end-to-end responsibility for a key process.
- Create a Reporting Mechanism for Security Issues – It should be easy for employees to report potential security issues to the security team, such as through a hotline or ticketing system. Anonymity may also increase the likelihood of "see something, say something."
- Perform background checks - This one is a no brainer!
- Utilize Data Loss Prevention tools – They won't catch everything, but there are effective tools that can detect emails containing information such as Social Security Numbers and credit card numbers and prevent them from being sent.
- Limit Administrative Access – Restrict access to a small number of individuals based on job responsibilities and genuine "need to know."
- Control removable media – Point employees to a secure method of transporting data that you can control.
- Implement Encryption – Encrypt sensitive data at rest and in transit. Use of encryption technologies makes it harder to access data, whether it is on a laptop hard drive or stored on a virtual server.
- Implement Logging and Monitoring – There are numerous logging and monitoring tools that work for different infrastructure components. There will always be a large effort up front to calibrate the tools and cut through the noise, but these tools can help to identify unauthorized activity and cut down detection time.
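To make the Data Loss Prevention item above concrete, here is an added example (not code from the original post or from any DLP product) of the kind of outbound-email content check such tools perform: it looks for Social Security Number and credit card patterns, and uses structural SSN rules and the Luhn checksum to cut the false positives that plain pattern matching produces. The sample message bodies are constructed for the demo, and the function names are the author's own choices.

```python
import re
from typing import List, Tuple

# Constructed sample outbound messages for the demo (no real data).
SAMPLE_EMAILS = {
    # Structurally valid SSN placeholder plus a Luhn-valid test card number.
    "client_export": "Hi, attached is the export. John Doe SSN 123-45-6789, "
                     "card 4111 1111 1111 1111.",
    # Looks like sensitive data, but the SSN areas are never issued
    # and the 16-digit number fails the Luhn check.
    "benign": "Order ref 000-12-3456 and PO 900-55-1234; invoice total "
              "1234567890123456 (reference only).",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_sensitive_data(text: str) -> List[Tuple[str, str]]:
    """Return (type, masked value) for each plausible SSN or card number found."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def should_block(text: str) -> bool:
    """Policy decision: hold the message if any plausible identifier is present."""
    return bool(find_sensitive_data(text))
```

The masked values are what you would log or show the sender; the raw identifiers never need to leave the inspection point.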
Defending against insider threats is no easy task, but the right combination of administrative and technical controls can reduce the risk of a breach.