I’ve been talking about insider threat for nearly 10 years and advocating the position that compromising an insider is a lot easier for an adversary than breaking into an organization from the outside. Yet, around one-third of organizations don’t have an effective way to detect insider threat, and fewer than one-fifth don’t have a response plan in place to mitigate damage from an insider incident.
There are some relatively easy ways to protect the organization from both the malicious insider and the unintentional insider. Here are my top five:
1. Control or eliminate email attachments and links
Emails are the primary attack vectors in use today, and while the message itself isn’t dangerous, links and attachments are. Today’s security product vendors are offering real-time malware assessment of links and attachments that will quarantine a suspicious attachment or prevent connection to a dangerous link.
2. Properly manage and control access to data and critical systems
Role-based permission, removal of administrator access, and the principle of least privilege are your friends. Work with your HR team and line of business managers to understand user roles and the types of application and data access they need to do their jobs. Then, assign only that access level, no more.
3. Know where your data is
An important corollary to point 2 is knowing where mission-critical and sensitive data resides in the system so that you can lock it down with appropriate permissions. If you don’t know where it is, how can you protect it with the right level of access?
4. Monitor employee behavior and look for anomalies
This can occur at many levels, including action monitoring software. It’s not intrusive to look for excessive data dumps or repeated attempts to look at files or directories that are not permitted – it’s good business. But it also makes sense to educate employees to be on the lookout for behavioral changes in their coworkers – what are the signs of financial or emotional distress that could lead to an attack on company systems…or worse.
5. Raise security awareness
Last but not least is the need for ongoing security awareness training that is an integral part of company culture – not an afterthought or a “checklist” item. A company that partners with employees to ensure security awareness will do better than one that forces compliance or just performs training to check a box.
I’ll leave you with this important point. It is easy, while evaluating attack vectors, researching competitors and gauging the threat from organized crime or foreign adversaries, to conclude that external attacks should be the primary focus of defense. This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage. Evaluating threats from that perspective, it becomes obvious that although most attacks might come from outside the organization, the most serious damage is done with help from the inside.
Dr. Eric Cole is a renowned security expert with over two decades of in-the-trenches experience in IT and network security. He is the author of several books and textbooks, including Advanced Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible 2nd Edition, and Insider Threat, and has presented at many major conferences. He also served as a member of the Commission on Cyber Security for the 44th President, Barack Obama, and sits on several executive advisory boards.