September is almost over – a good time to reflect on Insider Threats, as September marks the fourth annual National Insider Threat Awareness Month, aimed at preventing the exploitation of authorised access that can wreak havoc on any organisation.
As digital devices become increasingly ingrained in our everyday lives, threat actors are becoming more determined to infiltrate and disrupt key networks. And the easiest way to do this? Already be inside the system. Not only this, but with almost every employee across the UK using technology in some form, the chance of an accidental mistake or negligence leading to a breach has increased tenfold.
So, this Insider Threat Awareness Month, what can organisations do to prevent a cybersecurity incident?
Types of Insider Threats
The first step is understanding the types of insider threats you may be facing. Matt Rider, VP of Security Engineering EMEA at Exabeam, explains these threats can be categorised into three distinct types: “The ‘malicious insider’ is an employee who intentionally steals data, either for personal gain or to negatively impact the organisation involved – mature security organisations will ensure that they work closely with HR teams to help identify and monitor potentially malicious insiders.
“A ‘compromised insider’, however, generally acts without malice and usually has no idea they’ve been compromised. All it takes is clicking on a link in a phishing email or opening an infected file and their credentials can become compromised.
“Finally, a ‘careless’ or ‘negligent insider’ is someone who leaves their laptop on the train, walks away from their unlocked workstation, or simply fails to follow cybersecurity best practices. These individuals can be particularly challenging, because their actions are very hard to predict and defend against”.
Next, we need to look at what commonly contributes to an individual becoming an insider threat. Eric Bassier, Senior Director, Products at Quantum, explains, “Research shows careless insiders are the most common reason and account for 63% of all incidents. Cybercriminals are finding new and innovative ways of tricking employees into clicking links that enable ransomware to infiltrate an organisation’s infrastructure. And while ransomware attacks have continued to increase this year (up 13%) it is not the only outcome of an insider threat attack. Increasingly sophisticated malware is destroying computers and computer systems, and organisations are suffering data loss and credential theft.”
Neil Jones, Director of Cybersecurity Evangelism at Egnyte, states, “Common contributors to insider attacks are employee turnover, poor data governance controls and user negligence. Examples can include the following: a current employee accidentally sharing confidential information with a third party, an ex-employee downloading files to take to their new job at a competitor, or a former business associate sharing privileged company insights publicly to embarrass the organisation”.
Additionally, Terry Storrar, Managing Director, Leaseweb UK, points out that, “the way we work and protect our networks has changed drastically over the last few years. Remote working and BYOD have increased the number of attack vectors available to cyber criminals and blurred the lines of the network perimeter”.
Education is key
When it comes to prevention, the power of education cannot be overstated. Scott Boyle, Head of Information Security at Totalmobile, explains, “it’s crucial that organisations ensure that all of their employees are fully trained in the latest cybersecurity measures so that they can avoid any kind of insider risks. It’s also important that organisations – where possible – implement mobile solutions that have strong cybersecurity measures built in”.
Apratim Purakayastha, CTO at Skillsoft, expands: “awareness is the first step in addressing this risk — staff must understand they have an essential part to play. Organisations should ensure that cybersecurity training is provided for all employees, along with frequent refreshers — this should not be done at onboarding and forgotten about later. Bite-sized learning that can be embedded throughout the workday can be used to teach employees how to spot a phishing email, know when and why they shouldn’t open a link, and ensure they generally have a good grasp of cyber hygiene”.
Dalia Hamzeh, Senior Principal Enterprise Security Program Manager at Progress, also suggests that, “training your organisation’s workforce to identify suspicious insider behaviour, and reinforcement of those efforts, should be a key initiative year-over-year. Additionally, an organisation’s awareness agenda should be sure to include role- or team-specific training for employees to detect the less obvious threats – such as timely review of employee terminations and access, or the software employees are downloading.
“When employees are educated on specific indicators of insider threats and the damaging impact they potentially have, they’re more likely to notice and report them. It’s also important to build a culture in your organisation where employees are encouraged, and feel comfortable, to flag potential threats to the cybersecurity team”.
Making the most of technology
Education of employees should be used in conjunction with implementing the right technology for your organisation. Tom Huntington, EVP of Technical Solutions at HelpSystems, suggests utilising endpoint security technologies. “Endpoint security technologies can monitor [suspicious] activity and provide comprehensive visibility and reporting of all data that’s shared internally and externally. It will detect if employees attempt to print, copy to removable media or email sensitive data to an external partner. This robust data loss prevention technology tracks sensitive data and prevents unauthorised sharing to minimise the insider threat”.
“Having good protection across the estate is obvious but not always 100%; for example, do you run anti-virus on your phone or protective DNS on your corporate network?” adds Andy Bates, Practice Director – Security at Node4. “Making sure that user permissions are accurate and secure will ensure that only the necessary people can access the most sensitive information in the business. Two-step verification (2SV) – also known as two-factor authentication (2FA) or multi-factor authentication (MFA) – should be used as an added layer of security”.
The last step in preventing damage from an insider threat is to have a robust disaster recovery solution in place should an incident occur. Brian Dunagan, Vice President of Engineering at Retrospect, a StorCentric Company, states, “a backup solution that includes anomaly detection to identify changes in an environment that warrant the attention of IT is a must. Administrators must be able to tailor anomaly detection to their business’s specific systems and workflows, with capabilities such as customisable filtering and thresholds for each of their backup policies. And, those anomalies must be immediately reported to management, as well as aggregated for future ML/analysing purposes.
“Certainly, the next step after detecting the anomaly is providing the ability to recover in the event of a successful ransomware attack. This is best accomplished with an immutable backup copy of data (a.k.a., object locking) which makes certain that the data backup cannot be altered or changed in any way”.
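As an added illustration of the per-policy thresholds Dunagan describes above (this is not Retrospect’s code; the run metrics, the policy fields and the sample numbers are all constructed for the example), the check below replays backup job summaries and flags a run when its change or deletion ratio breaks that policy’s ceiling, or when the change ratio jumps far above the policy’s own recent baseline:

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Run:
    policy: str        # backup policy this run belongs to
    total_files: int   # files in the backup set at the end of the run
    changed: int       # files whose content differs from the previous run
    deleted: int       # files present in the previous run but gone now

@dataclass(frozen=True)
class Policy:
    max_change_ratio: float            # hard ceiling on changed / total_files
    max_delete_ratio: float            # hard ceiling on deleted / total_files
    baseline_multiplier: float = 4.0   # alert when change ratio exceeds this x the recent mean

def ratio(part, whole):
    return part / whole if whole else 0.0   # an empty backup set is not an anomaly by itself

def evaluate(name, policy, history, run):
    """Reasons this run is anomalous (empty = normal); baseline uses only this policy's earlier runs."""
    reasons = []
    cr, dr = ratio(run.changed, run.total_files), ratio(run.deleted, run.total_files)
    if cr > policy.max_change_ratio:
        reasons.append(f"change ratio {cr:.2f} exceeds ceiling {policy.max_change_ratio}")
    if dr > policy.max_delete_ratio:
        reasons.append(f"delete ratio {dr:.2f} exceeds ceiling {policy.max_delete_ratio}")
    recent = [ratio(r.changed, r.total_files) for r in history if r.policy == name][-5:]
    if recent and mean(recent) > 0 and cr > policy.baseline_multiplier * mean(recent):
        reasons.append(f"change ratio {cr:.2f} is {cr / mean(recent):.0f}x the recent baseline")
    return reasons

def scan(policies, runs):
    """Replay runs in order; return (policy name, run index, reasons) for each anomaly."""
    alerts, history = [], []
    for idx, run in enumerate(runs):
        reasons = evaluate(run.policy, policies[run.policy], history, run)
        if reasons:
            alerts.append((run.policy, idx, reasons))
        else:
            history.append(run)   # flagged runs never feed the baseline, so a spike cannot mask the next one
    return alerts

# Constructed sample data: a churn-heavy build policy is given a looser ceiling than a file server.
POLICIES = {"fileserver": Policy(0.30, 0.10), "build-artifacts": Policy(0.95, 0.95)}
RUNS = [Run("fileserver", 10000, c, 5) for c in (200, 250, 180, 220, 210)] + [
    Run("build-artifacts", 500, 450, 100),   # 90% churn is routine for this policy: no alert
    Run("fileserver", 10000, 8500, 5),       # mass rewrite, the pattern of in-place encryption
    Run("fileserver", 10000, 100, 4000),     # mass deletion
]
```

Calling `scan(POLICIES, RUNS)` reports only the two file-server runs, each with the reasons an administrator would want escalated.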
Finally, Christopher Rogers, Technology Evangelist at Zerto, a Hewlett Packard Enterprise company, explains, “in 2022, organisations are well aware that it is no longer a case of ‘if’ they will be attacked but ‘when’. Investment in effective disaster recovery technology, with features including continuous data protection (CDP), meaning recovery within seconds not days, is the only way organisations can protect themselves from the real killer of an organisation – downtime. A CDP solution enables recovery of an organisation’s entire site and applications within a few minutes with only several seconds of data loss. By acting smart today and implementing the right protocols, businesses can not only limit the frequency and severity of insider threats, but they can recover fully should the worst happen”.