September marks National Insider Threat Awareness Month,
a time dedicated to emphasizing the importance of detecting, deterring and
reporting insider threats. It began two years ago as a collaborative effort by U.S.
government agencies and has since grown to cover both the public and
private sectors.
In honor of the month, industry experts have shared their
thoughts on the strategies organizations can use to protect themselves
from these threats.
Carl D'Halluin, CTO, Datadobi
"Predicting exactly when an insider threat will
occur is nearly impossible. However, promoting awareness of the chances of an
insider incident can help enterprises prepare themselves properly and enhance
their overall data management strategy.
A successful insider attack can create long-lasting
downtime for an organization which impacts its revenue and reputation.
Enterprises need to have a plan in place to protect themselves from the
aftereffects that come with an insider threat. As organizations increasingly
rely on unstructured data to perform day-to-day business-critical functions,
they need to maintain prompt access to their data in the event of a disruption.
An effective way to avoid downtime in the event of an
insider threat is creating a 'golden copy' of business-critical data.
Enterprises should maintain a secure golden copy of unstructured data in an
air-gapped physical or cloud-based location. Limiting access to a golden copy
in addition to a traditional backup strategy decreases the chances of downtime
either from an accidental human error or malicious insider threat."
Raffael Marty, SVP Cybersecurity Products, ConnectWise
"Insider threat is a complex and multi-faceted problem and
while the topic most often comes up in the context of larger organizations, the
general principles to prevent insider abuse are applicable to organizations of
all scales. A comprehensive security program that covers both preparedness and
visibility is the foundation to successful early identification of looming
insider issues. Preparedness is about planning for the day that something
happens and it should cover simple things like what the organization does when
an employee leaves and goes all the way to establishing preparedness for a
sabotage event like ransomware or electronic time bombs. Visibility is about
having line of sight to potential adverse actions. It starts with monitoring
devices, but expands to understanding what employees are doing and making sure
they are trained on cyber security issues like phishing, which is still one of
the main initial vectors of attacks."
Steve Moore, Chief Security Strategist, Exabeam
"As
organizations remain remote or begin their transition to hybrid work models,
the risk of insider threats is more present than ever. Therefore, enterprises
must recognize the severity of this form of attack.
Legitimate users performing unwanted or dangerous
activity always prove more difficult to detect than typical external threats.
Though most insider threats are unintentional and typically occur by accident,
the damage they cause can still impact business outcomes and stability.
To add complexity to this already difficult problem,
there have been examples of criminal attackers who now offer a cut of the
proceeds if an employee assists in deploying ransomware. How many disgruntled
or underappreciated employees might consider this opportunity?
When irregular behavior is detected, it should be taken
seriously as a possible attack. Various indicators of insider threats exist,
and a crucial step in protecting against them is recognizing those signs and
establishing a threshold of normal for employees. Unfortunately, most
organizations lack the capability to know normal human and device behavior.
Proper training feedback loops, visibility, and effective
technology are the key to guarding against insider threats. In addition,
utilizing behavioral analytics that can track and analyze user and machine data
is critical.
Behavioral analytics technology can identify threats
lurking within an organization by determining whether certain behaviors are
normal or a potential cause for alarm. For example, has this employee from this
department ever signed into this system before, or has anyone from her department?
Unfortunately, finding the answer to these questions (and many more) during an
incident can prove near impossible at worst and inconsistent at best without
investing in the correct capabilities.
Different kinds of unusual activity that are typical
signs of insider threats, such as large data uploads, credential abuse, or
unusual access patterns, can be detected by behavioral analytics. As a result,
the technology can find these suspicious behaviors among often unknowingly
compromised insiders well before cybercriminals can gain access to critical
systems - significantly decreasing the chances of data compromise."
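The "has this user, or anyone in her department, used this system before?" check described above, as an added example (not Exabeam's code or any product's logic) run over constructed login records:

```python
"""First-time-access check: for each login, has this user signed into this
system before, and has anyone in her department? All records are constructed."""
from collections import defaultdict

# Constructed historical logins: (user, department, system).
BASELINE_LOGINS = [
    ("alice", "finance", "erp"),
    ("alice", "finance", "payroll"),
    ("bob", "finance", "erp"),
    ("carol", "engineering", "git"),
    ("carol", "engineering", "ci"),
    ("dave", "engineering", "git"),
]

# Constructed new events to triage against the baseline.
NEW_EVENTS = [
    ("alice", "finance", "erp"),         # routine
    ("bob", "finance", "payroll"),       # new for bob, known within finance
    ("dave", "engineering", "payroll"),  # new for dave and for all of engineering
]


def build_baseline(logins):
    """Return the set of systems seen per user and per department."""
    per_user, per_dept = defaultdict(set), defaultdict(set)
    for user, dept, system in logins:
        per_user[user].add(system)
        per_dept[dept].add(system)
    return per_user, per_dept


def classify(event, per_user, per_dept):
    """Label one login relative to the baseline; the department-level
    novelty is the stronger signal, since no peer has ever used the system."""
    user, dept, system = event
    if system in per_user.get(user, set()):
        return "routine"
    if system in per_dept.get(dept, set()):
        return "new_for_user"
    return "new_for_department"


def triage(baseline, events):
    """Classify each event against a baseline built from historical logins."""
    per_user, per_dept = build_baseline(baseline)
    return [(user, system, classify((user, dept, system), per_user, per_dept))
            for user, dept, system in events]


if __name__ == "__main__":
    for user, system, label in triage(BASELINE_LOGINS, NEW_EVENTS):
        print(f"{user:6} -> {system:8} {label}")
```

The baseline is deliberately static here; in practice the window of history used to build it (and whether routine events feed back into it) is what decides how noisy the "new for user" tier becomes.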
Alex Pezold, CEO, TokenEx
"Although standard controls such as logging and
tracking, identity and access management, and internal policies and training
are all essential elements of a robust security strategy to address insider
threats, none can prevent the exposure of sensitive data in the event of a
breach. Therefore, data protection is also a critical component of this value
chain. We've seen our customer base use tokenization to satisfy their needs for
greater data protection while enabling their Zero Trust principles more
effectively.
By using tokenization, companies can minimize risk by
removing sensitive data from their environments so that it cannot be
compromised if their internal systems are breached. So even if a security
control fails and allows a database to be accessed, only tokens will be
available to the intruder while the original sensitive data is safely stored
offsite."
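The property the quote relies on, that a dump of the application store yields only tokens while the mapping to real values lives elsewhere, as an added illustration (not TokenEx's implementation; the vault, record layout and card numbers are constructed):

```python
"""Tokenization sketch: the app database holds only tokens; the value mapping
sits in a separate vault object standing in for an offsite store."""
import secrets


class TokenVault:
    """Holds the token <-> value mapping; the app never persists what it holds."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Reuse the token for a repeated value so records for the same card match.
        # A token is random and carries no information about the value itself.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        """Only callers with vault access can recover the original value."""
        return self._token_to_value[token]


def store_customer(app_db, vault, name, card_number):
    """Persist a record with the card number replaced by its token."""
    record = {"name": name, "card": vault.tokenize(card_number)}
    app_db.append(record)
    return record


def dump_reveals_values(app_db, sensitive_values):
    """Simulate an intruder reading the whole app database: does any
    real value appear in it? Returns True if tokenization failed."""
    dump = repr(app_db)
    return any(value in dump for value in sensitive_values)
```

Reusing one token per value makes equal cards recognisable as equal in the dump, which is usually wanted for matching but is itself a small leak; a vault can hand out a fresh token per use if that matters more.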
Neil Jones, cybersecurity evangelist, Egnyte
"Responsible
companies consistently update their cyberattack prevention plans and implement
measures that protect them from falling victim to potential attacks. As
vigilant as they might be, most organizations overlook an important contributor
to cyberattacks: insider threats.
This is not surprising, because companies need to trust
their employees in order to succeed. But employee trust needs to be accompanied by
employer validation and monitoring of users' behavior.
While not all insider threats are malicious, they can be
even more devastating than external attacks. Critical contributors to insider
threats are employee turnover, poor data governance controls and negligence. If
employees resign, they can extract information from your files that could
benefit them in their new jobs with competitors, or even worse, publicly
embarrass your organization. That process is referred to as exfiltration. A
good first step to prevent "data leakage" is to utilize a data governance
platform that leverages machine learning, so that sensitive information is
available to the correct organizational users, based on their business "need to
know."
Negligence can be combated with proper training, and by
limiting access to files across the company. There is no reason that someone in
the finance department should have access to roadmapped product development
plans, without justifying their request with the product development team first.
Limiting the spread of internal information will also enable your system to
prioritize threats to your sensitive data. The best way to thwart a potential
attack is by having a proactive approach in place that detects misuse before
it's too late."
Surya Varanasi, CTO, StorCentric
"September 2021 marks the third year of National Insider
Threat Awareness Month (NITAM), which according to the NITAM website aims to
help prevent "exploitation of authorized access to cause harm to an
organization or its resources." While the month focuses on national security,
this issue is of course inextricably linked with organizational security as
well. When enterprises think about ransomware attacks, the focus is often on
guarding against external threats, of which there are many. Yet companies must
remember and be prepared to defend against threats from inside their
organization too.
Three words hold the key to achieving this: protect,
detect and recover. Given the prevailing stats, such as those from the Ponemon
Institute, the likelihood of an insider threat existing and then leading to a
successful data breach is high and growing rapidly. It is therefore critical
that the recovery piece be firmly in place. Two highly critical best practices
here relate to your data backups. Organizations must ensure they have
unbreakable and immutable backups. The ideal solution(s) should include
features like file fingerprinting, file redundancy, file serialization, secure
timestamp, and auto file repair, as well as the necessary capabilities to
ensure regulatory compliance. And the admin keys should be stored in another
location for added protection. Next, the solution should provide immutability
and allow the user to lock backups for a predetermined period of time: an
"immutable retention period," during which they cannot be deleted, moved or
altered in any way.
Corporate defenses should be equal to the level of
threat, which means assuming the worst and putting the best solution in place,
particularly when it comes to ensuring recovery. By having impenetrable
recovery solutions in place for internal threats as well as external ones,
organizations can protect their most valuable data assets and ensure the
longevity of their business."
Danny Lopez, CEO, Glasswall
"It seems like every day there is a headline about
another company falling victim to a cyberattack. What many companies fail to
realize is that not all threats come from outside sources. In fact, insider
threats have increased by 47% in the past two years. While it's easier to
assume it could never happen to your organization, taking responsibility for
your security before an attack occurs is always the best option.
Not all insider threats are malicious. In fact, many
victims are completely unaware that their credentials were compromised in the
first place. Employee training can be helpful in some cases, but it often
overlooks the sophistication of cybercriminals and can create a fear-based
culture where people are afraid to come forward if they've made a mistake.
Your employees should not be your only line of defense
against cyberattacks. Instead, your leadership teams should understand where
your risk factors are and implement proactive technologies, such as Content
Disarm and Reconstruction (CDR), which can deliver instant protection. In the
face of increasing risk and intricate attacks, there's no better time to make
cybersecurity a top priority."
Anurag Kahol, CTO and Cofounder of Bitglass
"While many companies focus on ransomware and malware as top cybersecurity risks, insider threats should also be top of mind – whether there is malicious intent or well-intentioned employees who simply make costly mistakes. In fact, 61% of organizations reported experiencing at least one insider attack last year. As companies move toward a hybrid work model, IT teams will be challenged with safeguarding sensitive corporate data from insider threats both in the cloud and on-premises. This further validates the need for complete visibility and control across the hybrid IT ecosystem.
To proactively detect and mitigate insider threats, organizations must follow best practices in cybersecurity, information governance and employee training. Additionally, multi-faceted security platforms that are designed to monitor user behavior, secure personal devices and prevent data leakage on any interaction are essential for defending against insider threats. By taking a vigilant approach to security, enterprises can confidently ensure sensitive company, employee and customer data is granularly secure."
Dottie Schindlinger, Executive Director, Diligent Institute
"The global pandemic
accelerated a massive shift toward remote work and added layers of complexity
to the cybersecurity challenges that organizations face. In the blink of an
eye, organizations transitioned entire workforces and operations to an at-home,
remote model. Suddenly collaboration tools and video conferencing were more
vital than ever before, and IT support committed countless hours to make them
secure, safe and less prone to disruption.
Yet, with all the attention
paid to securing collaboration tools and communication technologies, another
security threat lurks that few organizations are prepared for: insider threats.
Despite elevated levels of
external risk, an organization's greatest or most immediate cyber threat can
come from within. Through unintentional missteps, often due to outdated
security systems or software versions, company employees are often involved in
major data breaches. These usually aren't intentional but rather the result of a lack of consistently applied good
practices that leads to bad outcomes. Meanwhile, the same collaboration tools
that have become vital for remote work can exacerbate the risk of internal
leaks if access privileges and security protocols are not rigorously followed
or enforced.
Given these risks, what should
security look like for organizations? To be secure while still effective, a
collaboration solution must ensure that confidential materials can only be
viewed by the appropriate individuals. Sensitive
communications should be conducted in a closed-loop environment that can be
viewed only by the appropriate parties, even within the organization. Open
communication tools - like Slack, texting and personal email - are great for
informal communication, but they don't often provide the level of security or
access privileges needed for sensitive communications between executives, the
board, legal, HR, risk and compliance teams. They need secure environments and
workflows that allow them to communicate highly sensitive information safely,
without worrying that it might accidentally be misrouted, forwarded, leaked or
even stolen. And, the system must be intuitive and convenient, so executives
remain within its workflows and processes without straying to other systems and
creating security gaps.
If these steps are taken, it
goes a long way toward mitigating insider threats. Organizational leadership
can perform their roles effectively while protecting the organization, not only
from outside actors, but from inadvertent breaches from within."