The month of September officially kicks off the 3rd annual Insider Threat Awareness Month (NITAM). NITAM is an annual, month-long campaign during September that helps to educate the government and industry about the risks posed by insider threats and the role of insider threat programs.
All organizations are vulnerable to insider threats. An insider threat is anyone with authorized access who uses that access to wittingly or unwittingly harm an organization or its resources. This campaign is especially important amid a year when ransomware grabbed so many headlines - it's critical that we don't lose sight of the importance of safeguarding our nation by detecting, deterring, and mitigating insider threats.
Hear from a number of seasoned experts as they offer their own thoughts and opinions to help celebrate and honor this much-needed campaign.
--
Joe Payne, CEO and President of Code42
"When data as portable as source code is valued at $5M, the last thing you want
is for that code to end up undetected on a personal GitHub repository of an
employee who is leaving your organization. Insider Risk is increasingly
becoming a more significant and urgent business problem. With work now
conducted more regularly in the cloud and outside of an organization's
environment, it's no surprise that about two-thirds of data breaches involve an
insider.
Every day, customer lists, product plans and personnel information are put at
risk by unwitting, negligent or malicious employees. Regardless of the
employee's intent, when an insider walks out with your customer list or your
critical source code, it can literally put you out of business. Insider risk
events and their impact on business are accelerating. Far too many companies
are protecting their data using old technology and approaches that do not work
in today's cloud-based and remote-working environments.
The modern-day solution to solving the problem of employees and contractors
taking data is Insider Risk Management (IRM). IRM technology allows employees
to openly collaborate while the IRM systems monitor, filter and prioritize risk
events and detect when files are moving to non-corporate locations, including
personal devices and networks. With data
exposure peaking and precious source code exposure rising threefold amid
massive employment turnover in the US, Insider Risk needs to be prioritized by
organizations.
Most employees openly admit they take important company data with them when
they quit. And with millions of workers actively changing jobs, we expect this
problem to only become more acute. Now is not the time for complacency. The WSJ
has decreed 2021 as the year of the Great Resignation - a time when up to 40%
of knowledge workers are expected to change jobs. Companies need Insider Risk
training and technology to ensure that the Great Resignation does not become
the Great Data Exfiltration as critical data and essential IP walks out the
door."
--
Bindu Sundaresan, Director at AT&T Cybersecurity
"To prevent insider threats, which many organizations continue to struggle
with, implementing a Zero Trust model will be key to an organization's
cybersecurity strategy. The Zero Trust approach assumes the inevitability of a
data breach. Instead of focusing exclusively on preventing breaches, Zero Trust
security aims to keep damage limited if a breach were to occur and build a
system that is resilient and can quickly recover. With the Zero Trust model,
organizations gain better visibility across users, devices, containers,
networks, and applications because verification of their security status is
required with every access request. An organization can reduce its attack
surface by segmenting resources and only granting the absolute minimum access
needed. Zero Trust security was conceptualized to address vulnerabilities no
matter where they may come from. It takes an 'always verify, never trust'
approach to network security. This means that every user and device is always
verified, regardless of whether they've previously been granted access."
"Another aspect of cybersecurity many business leaders do not consider is the
role of increasing diversity among security teams. Bringing unique thoughts and
perspectives to your cybersecurity team is a great practice, and can increase
the likelihood of the team noticing irregularities within your systems.
However, be sure not to assume that a new hire from a unique background knows
exactly what to look for in terms of identifying irregularities in systems or
language - this may lead to a missed threat that could cause downtime at your
organization. Always set up the proper training that will best guide team
members through the process of what a specific abnormality within your organization
may look like. This way, you can feel confident that your entire workforce is
aligned and prepared for potential cyberattacks and does not pose as another
unintentional insider threat to the organization."
--
Dr. Torsten Staab, Chief Technology Officer for Cyber Protection Solutions & Raytheon Blackbird Technologies, Inc. at Raytheon Intelligence and Space
"The principle of practicing Zero Trust is simple; trust no one, even if
they work for your company. Employees have the ability to maliciously or
ignorantly leave organization data vulnerable and accessible for a breach. It
will likely take organizations several years to truly achieve comprehensive,
multi-level Zero Trust Security, but it's better to start now than wait until
it's too late to remediate.
To get started, organizations should consider an incremental, step-by-step
process, starting with updating all existing systems and ensuring cybersecurity
solutions in their arsenal are Zero Trust compatible. It's also critical to
pinpoint and evaluate primary areas of concern - for example, what are your
business's priorities with respect to the user, device, network, application,
and data security? Are you already able to stop a ransomware attack in its
tracks? Have you had a data leak and how was it handled? Depending on responses
to these questions, are insiders capable of stealing corporate data or
intellectual property, and how many people have access to sensitive
information? Is your business already using context-aware, multi-factor
authentication enterprise-wide? The conjecture you get from these questions
will help to provide a clear understanding of where to focus first and foremost
- especially as it relates to combating a malicious insider through Zero Trust
initiatives.
With digital transformation efforts accelerating and the attack surfaces
expanding exponentially even within an organization, there's never been a
better time to implement Zero Trust policies as a way to combat insider
threats."
--
Kevin Breen, Director of Cyber Threat Research, Immersive Labs
"What counts as an insider threat depends on your organization's appetite
for risk. To the most risk averse, every person within a company could be
considered a threat. As dramatic and paranoid as this sounds, it isn't
necessarily that far from the truth.
The most important thing to remember is that it's not always about intention -
an employee can be an insider threat without intending to do harm to the
organization. These are the people who accidentally open a link in a phishing
email, unplug a server to vacuum under the desks, or let a stranger into the
office unquestioned. In these situations, education is the key to prevention."
"Looking at those who do want to do harm, organizations must be aware of the
impact of disgruntled employees or those looking to make a quick buck from a
competitor. If someone feels disenfranchised, neglected, or wronged by the
company, it could be easy to persuade them to walk into the office with an
infected USB or feed secrets back to competitors. An open and honest culture
and recognizing when employees are overworked or unhappy could put a stop to an
insider threat before it has a chance to do harm.
As always, prevention is better than cure. Make sure your employees are
properly educated on basic cybersecurity measures to prevent those 'accidental'
inside threats. Encourage open communication, so when someone feels wronged or
unhappy at work, they feel they can talk about it. So much risk from insider
threats can be mitigated simply by ensuring your employees feel safe to speak
up. And on that note, make sure you put in place a proper whistleblowing
policy: it must protect both the whistleblower and their rights, as well as the
company."
--
Joe Slowik, Senior Director, Gigamon
"Defenders typically look at insider threat concerns as one of the more
intractable and difficult problems, as a trusted insider by definition has
already overcome multiple security controls. However, emphasis on monitoring
and visibility into actions taking place both on host (insider direct
interactions with systems) and over the network (to examine attempts to
circumvent controls and visibility) can flag suspicious behaviors. With proper
insight into network and host activity, defenders can begin addressing this
otherwise very difficult problem."
--
Ryan Weeks, CISO, Datto
"External threat actors, more often than not, leverage the credentials of your
employees and systems to conduct their activities post exploit. You will see this
described as 'living off the land', which is a simple way to say that threat
actors will use the accounts, access and tools that are already resident in the
network to facilitate a breach once they gain a foothold.
To me, all this really means is that if you're not already building a threat
monitoring program that is capable of deterring, detecting and responding to
suspicious activity under your employee accounts then you have neither an
effective insider nor external threat monitoring program. They are two sides of
the same coin."
--
Mark Nunnikhoven, Distinguished Cloud Strategist, Lacework
"There has been a sharp increase in demand for direct access to business
environments in the underground markets. To meet this demand, we expect to see
more high dollar offers to susceptible employees and more outreach from rogue
employees."
--
Lamont Orange, CISO, Netskope
"Not all insider threats are malicious in nature. Employees are often viewed as
the weakest link of any company's security posture - and sometimes, even
unknowingly, open the company up to risks. This may include clicking on a
phishing email, connecting to unsecured Wi-Fi or taking company data outside
the organization. Netskope's latest Cloud and Threat report found that
departing employees upload 3X more data to personal apps in the last 30 days of
employment. All of these actions make the company vulnerable to growing
threats.
As the world continues to navigate through the pandemic and work-from-home
environment, in addition to the great tech resignation, it's more challenging -
but critical - to protect against insider threats. Educating employees
about security efforts is a top priority and goes a long way to change the
perceived weakest link to a force multiplier for security posture
advancement. Understanding where company data is located is equally
important and knowing where company data is means that you can protect, control
and ensure it's in the right hands."
--
David Bradbury, Chief Security Officer, Okta
"The digital nature of our modern economy means that security threats are only
going to intensify, and a large - and persistent - portion of these threats
come from within an organization. Anyone who has access to important and
protected electronic items, including current employees, former staff members,
contractors, or vendors, can pose potential threats. Combatting these threats,
whether they are of malicious intent or just due to human error, is a crucial
component of any company's security hygiene.
If the past year has taught us anything, it's that leaders must recognize that
people are the new perimeter. They must move toward a Zero Trust security model
and adopt strong authentication across all services, everywhere - from
on-premises, to cloud, to mobile, and for employees as well as customers,
partners, contractors, and suppliers. This means ensuring that the right users
have access to only the resources they need, and at the right time. A critical
best practice in any industry is to leverage identity as a foundational
technology across the security stack.
Organizations must simultaneously ensure they are fostering a security-first
culture among their employees. Bolstering internal security education with
thorough trainings for all employees can decrease the chances of falling victim
to careless oversights. A company is only as strong as its weakest link - which
can oftentimes be its own employees. Educating them on security best practices
is essential."
--
Stephen Cavey, Co-Founder and Chief Evangelist, Ground Labs
"In today's modern world, the insider threat remains just as credible as
the external threat. Originally, hacking via the use of an insider could
be proven as a clear intention to carry out a malicious act. However, in a
modern context, the insider threat is not always intentional and the individual
carrying out the attack is not necessarily aware that their actions are in any
way malicious.
For example, phishing attacks often target internal individuals with access to
critical data or the ability to authorize financial transactions and fool them
into performing tasks to achieve the desired outcome. It is possible that an
insider threat existed in the form of a trusted individual, or group of individuals
with purpose to commit wrongdoings. It is also possible that an insider threat
was invoked unintentionally via coercion, manipulation or attacks resulting in
unintended consequences.
But ultimately, a detailed forensic investigation is often required to make an
appropriate determination of what has occurred and the motivations behind such
actions.
This National Insider Threat Awareness Month, it's pivotal for organizations --
and specifically, security leaders -- to gain a better understanding of where
all of their sensitive data resides to better mitigate the risk of insider
threats in the era of hybrid and remote work."
--
Peter Chestna, CISO for North America, Checkmarx
"Closely related to the insider threat conversation is the growing trend of
external threat actors deliberately inserting malicious code into open source
packages, in hopes of establishing a vector for further compromise of data or
systems. This attack scenario is executed successfully when a developer
unknowingly incorporates a compromised package into software they are building
for their organization.
To avoid falling victim to this type of attack, organizations must be cautious
about their open source usage. A new level of scrutiny is needed. They should
understand the developers that contribute to a given code package, what other
packages they contribute to, and their overall online presence and reputation.
This can provide indicators on the potential intent of their contributions.
While this might not be definitive, it can provide useful context as
organizations keep a closer eye on the components and packages being adopted in
their software and supply chains."