September is National Insider Threat Awareness Month, a month dedicated to education and awareness around the risk that insider threats pose to organizations. Bad actors inside a company, and even compromised insiders or account takeovers, can do significant damage. This is why it's so important to be able to protect against, identify, and reduce the harm caused by insider threats. Read below for advice from tech leaders and experts about facing insider threats.
--
Christopher Rogers, Technology Evangelist at Zerto
“The risks presented by insider threats remain very real. The 2022 Cost of Insider Threats: Global Report revealed that insider threat incidents have risen 44% over the past two years. An insider threat could be a current or former employee, contractor, or even a partner. They could be malicious, stealing information for personal use or sabotaging data or systems before leaving the organisation, or they could be unwittingly complicit in falling foul of phishing attacks. Whatever the impetus, it is their position inside of the organisation that makes insider threats so dangerous. And the continual rise in digital transformation, BYOD, and remote working is only making it harder to identify and mitigate such threats.
Employees are arguably an organisation's best and first line of defence. To mitigate against the careless employee, businesses should invest in regular training on cyber hygiene and security best practices, including how to spot a phishing email and where to report them. A tactic organisations take is to periodically send their employees sample dummy emails as a phishing email ‘drill’ as part of this training process.
In addition to a commitment to training, insider threat or not, in 2022 organisations are well aware that it is no longer a case of ‘if’ they will be attacked but ‘when’. Investment in effective disaster recovery technology, with features including continuous data protection (CDP) meaning recovery within seconds not days, is the only way organisations can protect themselves from the real killer of an organisation - downtime. A CDP solution enables recovery of an organisation’s entire site and applications within a few minutes with only several seconds of data loss. By acting smart today and implementing the right protocols, businesses can not only limit the frequency and severity of insider threats, but they can recover fully should the worst happen.”
++
Raffael Marty, EVP and GM Cybersecurity, ConnectWise
"To effectively prevent
and stop insider crime, organizations need to have a comprehensive security
program in place that focuses on both preparedness and visibility. Preparedness
means having a plan in place for the day something happens. It should cover the
playbooks for how to react in case of relevant organizational events and
security-relevant incidents - from what to do when an employee leaves the
organization, to the specific procedures enacted in the event of an electronic
threat such as ransomware or denial of service attack. Visibility, on the other
hand, means being able to identify and effectively react to potential adverse
actions. Monitoring devices can help organizations achieve greater visibility,
but that's only the first step. Visibility also expands into understanding what
employees are doing and how they are interacting with an organization's
sensitive data. Lastly, and perhaps most importantly, organizations must make
sure employees are trained on cybersecurity issues like phishing, which is
still one of the main initial vectors of attacks. That's why Insider Threat
Awareness Month is so important for organizations of every size, despite the
fact that the topic comes up most often in the context of larger
organizations."
++
Amit Shaked, CEO and co-founder, Laminar
"An
organization's data is its greatest asset, but also its biggest potential
downfall. With the cloud allowing data to be spread around to various places
data protection teams may not even be tracking, it opened companies up to even
more risk than ever before by creating what is known as ‘shadow data.' Shadow
data refers to an organization's data that is not copied, backed up or housed in a
data store that is not governed, under the same security structure, nor kept up
to date. This data is a big target for insider threat incidents because if it
is exfiltrated, it goes under the radar of traditional data protection
tools.
According to recent research, more than half of organizations don't have a public cloud
data security tool in place to monitor for insider threats and data
exfiltration, and more than a third can't tell whether an internal employee has
ever accidentally or maliciously accessed sensitive data. The key to preventing
insider threat incidents in these environments and preventing malicious,
accidental or compromised insiders from taking advantage of shadow data is
using a cloud-native data security platform that uses the dual approach of visibility
and protection. Doing so allows data security teams to know for certain which
data stores are valuable targets to both inside and outside adversaries and
ensure proper controls, which allows for the quicker discovery of data
leakage."
++
Gunnar Peterson, CISO, Forter
"When people
think of insider threats, oftentimes their mind immediately goes to a malicious
employee out for financial gains. However, the more dangerous instance (and
often overlooked) is the compromised insider. A compromised insider or account
takeover (ATO) is a user whose account credentials have been harvested by an
adversary via phishing or similar tactics who then has easy access to sensitive
company systems or assets.
With security researchers warning that phishers are having ‘remarkable’ success using text messages to
steal remote access credentials and one-time passcodes from employees at some
of the world's largest tech companies and customer support firms, we will
likely begin to see compromised insider incidents on the rise.
This Insider
Threat Awareness Month, I want to remind security teams across all industries
that the simplest defenses in our toolbelt, credential and identity management,
can be the difference between a secure system and a headline-grabbing breach.
Many breaches
are the result of businesses relying on automated access control and realizing
too late when a user has been hijacked. With some of the new phishing scams
around, the adversaries are using Telegram instant message bots to forward
submitted credentials in real-time, allowing the attackers to use the
compromised credentials and one-time code to log in as the employee.
To succeed
against ATO attacks and prevent compromised insider incidents, organizations
must build robust identity management systems and invest resources into
building a learning system that evolves to identify anomalous user activity. Doing
so can leave organizations protected from insider threats year round."
++
Renata Budko, Head of Product, Traceable
"National
Insider Threat Awareness Month helps demonstrate why it is so crucial to
protect against, identify, and reduce the harm caused by insider threats.
Whether there are internal and external bad actors committing ransomware or
other forms of dangerous malware attacks, insider threats are a significant
problem that needs to be addressed with a 360-degree perspective. This is
important as the cost of these attacks is not just calculated in terms of
ransomware payments, but also includes the nearly unfathomable cost of
operations disruption, lost sales, legal costs, legal penalties, insurance rate
increases, and/or a decline in customer confidence.
A new shift has occurred within the software development industry, where APIs are presenting new attack surfaces and
therefore new opportunities for hackers. A way to protect against these insider
threats is through API security technology that identifies APIs, assesses API
risk posture, prevents API assaults, and offers deep analytics for threat
hunting and forensic investigation. With distributed tracing and machine
learning models for API security across the full development lifecycle,
organizations may be more secure and resilient by using visual representations
to analyze user and API patterns, identify anomalies, and stop API assaults."
++
Surya Varanasi, CTO, StorCentric (www.storcentric.com)
"This September 2022 marks the
fourth annual National Insider Threat Awareness month. It aims to shine a
spotlight on the critical importance of defending against, detecting and
mitigating damages from insider threats. Indeed, ransomware and other types of malicious
malware attacks are not only perpetrated by external cybercriminals, but
internal bad actors as well. And, the expense is not only measured in
ransomware payments, but also the almost incalculable cost of operations
downtime, lost revenue, legal fees, regulations compliance penalties, a rise in
insurance premiums, and/or a loss of customer trust.
The need to back up data has
become ubiquitous. But now, as ransomware and other malware attacks continue to
increase in severity and sophistication, we understand the need to protect
backed up data by making it immutable and by eliminating any way that data can
be deleted or corrupted.
What is required is an
Unbreakable Backup solution that is able to create an immutable, object-locked
format, and then takes it a step further by storing the admin keys in another
location entirely for added protection. Additionally, the Unbreakable Backup
solution should include policy-driven data integrity checks that can scrub the
data for faults and auto-heal without any user intervention. Ideally, it
should also deliver high availability with dual controllers and RAID-based
protection that can provide data access in the event of component failure. In
deployment of such a solution, recovery of data will also be faster because
RAID-protected disk arrays are able to read faster than they can write. With an
Unbreakable Backup solution that encompasses these capabilities, users can ease
their worry about their ability to recover - and redirect their time and
attention to activities that more directly impact the organization's
bottom-line objectives."
++
Brian Dunagan, vice president of engineering, Retrospect, a StorCentric
"During National Insider Threat
Awareness month we are reminded of the multitude of reasons a sound data backup
strategy and proven solutions are critical. Given today's economic and
geopolitical climate it is a given that at some point virtually all
organizations will suffer a successful cyber-attack be it from internal or
external forces. Given this inevitability, it makes sense that the end
customers I speak with, whether they are from private, public, or government
organizations, are putting an increasing focus on their ability to detect and
recover as quickly, cost-effectively and painlessly as possible.
A backup solution that includes
anomaly detection to identify changes in an environment that warrant the
attention of IT is a must. Administrators must be able to tailor anomaly
detection to their business's specific systems and workflows, with capabilities
such as customizable filtering and thresholds for each of their backup
policies. And, those anomalies must be immediately reported to management, as
well as aggregated for future ML/analyzing purposes.
Certainly, the next step after
detecting the anomaly is providing the ability to recover in the event of a
successful ransomware attack. This is best accomplished with an immutable
backup copy of data (a.k.a., object locking) which makes certain that the data
backup cannot be altered or changed in any way."
++
Martin Rehak, CEO and founder at Resistant AI
"Shallowfakes - the dilemma facing insurers dealing with increased digital document fraud.
Fraud continues to be a serious threat to the insurance industry.
Contributing to this fraudulent
scenario are so-called "deepfakes". But while these have become increasingly
prevalent in fraudulent insurance claims, the insurance industry is now seeing
more of what are called "shallowfakes".
The difference between
deepfakes and shallowfakes is that while deepfakes require AI to create them,
shallowfakes can be created using only basic photo editing software, such as
Photoshop.
While shallowfakes don't
require AI to create them, AI can significantly increase the chances of
detecting them. The use of AI solutions - combined with human instinct, attention
to detail, and awareness and knowledge to check the validity of what is being processed - can
prove a win-win for detecting fraudulent documentation.
The cost of inaction to the
insurance industry may be high. In all likelihood, few if any insurance firms
have yet addressed the growing threat posed by shallowfakes. Yet it should be a
high priority for them - without immediate action being taken to mitigate the
impact of shallowfakes, they could be a threat that is hard to stop."
++
Neil Jones, director of cybersecurity evangelism, Egnyte
"While cyberattacks
are hardly a new phenomenon, they have grown in sophistication in recent years,
leaving many organizations vulnerable. However, while vigilant organizations
have stepped up their protection measures, many risk overlooking an important
contributor to cyber attacks: insider threats.
Accounting for roughly 22% of security incidents, insider threats come from those within an organization, such as
employees or business associates. While not always malicious, insider threats
can be even more devastating than external attacks, because authenticated
insiders are able to gain access to a much wider playing field than the average
cyber-attacker.
Common
contributors to insider attacks are employee turnover, poor data governance
controls and user negligence. Examples can include the following: a current
employee accidentally sharing confidential information with a third party, an
ex-employee downloading files to take to their new job at a competitor, or a
former business associate sharing privileged company insights publicly to
embarrass the organization. Ransomware gangs also sometimes work with company
employees directly to facilitate attacks. Whatever the cause, the impact can be
significant, which is why companies must assume that everyone is a
potential insider threat.
Considering there was a 47% increase in insider threats between 2018 and 2020, organisations need to do more to protect
against this growing threat. Utilizing a data governance platform that
leverages machine learning is a good first step to prevent "data leakage," as
this ensures users have access to sensitive information on a "need to know"
basis. For example, there's no reason that everyone at the company should have
access to financial growth plans or HR documents listing sensitive employee
information without at least justifying their request first. Limiting file
access and offering holistic awareness training will be key in combating
negligence and curbing the spread of internal information.
This Insider
Threat Awareness Month, and always, organizations should take a proactive
approach that detects misuse before it's too late."
++
Matt Rider, VP of security engineering EMEA at Exabeam
"Although responsible for 22% of all security incidents (according to the DBIR 2021), insider
threats are not all one and the same. They come in an array of shapes and sizes
and each one can threaten the security of an organization in a unique way. It
is helpful therefore to break these down into three distinct categories:
malicious, compromised, and negligent.
"The
‘malicious insider' is an employee who intentionally steals data, either for
personal gain or to negatively impact the organization involved - mature
security organizations will ensure that they work closely with HR teams to help
identify and monitor potentially malicious insiders. A ‘compromised insider',
however, generally acts without malice and usually has no idea they've been
compromised. All it takes is clicking on a link in a phishing email or opening
an infected file and their credentials can become compromised. Finally, a
‘careless' or ‘negligent insider' is someone who leaves their laptop on the
train, walks away from their unlocked workstation, or simply fails to follow
cybersecurity best practices. These individuals can be particularly
challenging, because their actions are very hard to predict and defend
against.
"While
improving general awareness of insider threats can help address some of the
core risks, there are numerous other preventative steps that many organizations
still don't apply as rigorously as they should. First and foremost,
organizations need to invest in relevant cybersecurity training for all
employees. Next, businesses should invest wisely in technology solutions and infrastructure
that enables them to see the whole picture and address the challenge of insider
threats. From a technology perspective, one of the most potent weapons
currently available is user and entity behavior analytics (UEBA), which allows
an organization to create a baseline of ‘normal activity' and thus flag any
major deviations as potential security alerts, which security teams can then
investigate."
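The baseline-and-deviation idea in Rider's UEBA paragraph above, and the per-policy anomaly thresholds Dunagan describes earlier, as one small added example that is not code from either contributor or their products: per-user daily event counts are parsed from constructed audit-log lines, each user's own earlier days form the baseline, and an absolute floor (`min_delta`) keeps a perfectly steady user from being flagged for one extra file. All user names, log lines and thresholds are constructed for illustration.

```python
"""UEBA-style baseline check over constructed audit-log lines.

A user-day is flagged when its event count exceeds mean + k*stdev of that
user's earlier days, subject to an absolute floor so a zero-variance
baseline does not alert on a single extra event.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: (user, day) -> number of file reads. Not real data.
SPEC = {
    "alice": {"2022-09-01": 10, "2022-09-02": 11, "2022-09-05": 9,
              "2022-09-06": 10, "2022-09-07": 58},  # bulk download on the last day
    "bob":   {"2022-09-01": 8, "2022-09-02": 8, "2022-09-05": 8,
              "2022-09-06": 8, "2022-09-07": 9},    # steady user, one extra read
}


def build_log(spec):
    """Expand SPEC into constructed 'timestamp user action object' lines."""
    lines = []
    for user, days in spec.items():
        for day, n in days.items():
            for i in range(n):
                lines.append(f"{day}T{9 + i % 8:02d}:{i:02d}:00 {user} read /share/doc-{i}.pdf")
    return lines


def daily_counts(lines):
    """user -> day -> number of events, parsed from the log lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, user, _action, _obj = line.split(" ", 3)
        day = datetime.fromisoformat(ts).date().isoformat()
        counts[user][day] += 1
    return counts


def score_day(user_days, day, k=3.0, min_delta=5, min_history=3):
    """Compare one day against the user's earlier days; None if the baseline is too thin."""
    history = [c for d, c in user_days.items() if d < day]
    if len(history) < min_history:
        return None  # new users get no alert until a baseline exists
    mu, sigma = float(mean(history)), pstdev(history)
    threshold = max(mu + k * sigma, mu + min_delta)  # floor guards sigma == 0
    observed = user_days.get(day, 0)
    return {"observed": observed, "threshold": threshold, "flagged": observed > threshold}


def find_anomalies(lines, k=3.0, min_delta=5):
    """Return [(user, day, observed, threshold)] for every flagged user-day."""
    alerts = []
    for user, days in daily_counts(lines).items():
        for day in sorted(days):
            s = score_day(days, day, k, min_delta)
            if s and s["flagged"]:
                alerts.append((user, day, s["observed"], s["threshold"]))
    return alerts


if __name__ == "__main__":
    for user, day, obs, thr in find_anomalies(build_log(SPEC)):
        print(f"ALERT {user} {day}: {obs} events, baseline threshold {thr:.1f}")
```

Tuning `k` and `min_delta` per backup policy or data store is the "customizable thresholds" knob; the alerts list is what would be routed to the team and kept for later analysis.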
++
Dalia Hamzeh, Senior Principal Enterprise Security Program Manager, Progress
"Insider threat is commonly associated with malicious
intent, but statistics continue to prove that attacks resulting from employee
negligence, a type of insider threat, are much more likely to be the source of a
security incident. These threats could include an employee downloading pirated
software on a company device that contains malware or reusing a corporate
password on personal accounts. Training your organization's workforce to
identify suspicious insider behavior, and reinforcement of those efforts, should
be a key initiative year-over-year. Additionally, an organization's awareness
agenda should be sure to include role- or team-specific training for employees
to detect the less obvious threats - such as timely review of employee
terminations and access or the software employees are downloading.
When employees are educated on specific indicators of
insider threats and the damaging impact they potentially have, they're more
likely to notice and report them. It's also important to build a culture in your
organization where employees are encouraged, and feel comfortable, to flag
potential threats to the cybersecurity team."
++
Richard Barretto, Chief Information Security Officer, Progress
"Recognizing Insider Threat Awareness Month is a great way
to open lines of communication within your organization to combat insider
risks. The remote work shift has catalyzed and changed the way we look at
insider threats. What we once considered ‘insider,' within the walls of our
organization, has theoretically disappeared. That's why in today's age of
remote connections, it's more important than ever for organizations to take the
vital actions needed to protect and defend against them. This means posturing
your security and network architecture as if every person and device is a
hostile threat.
The goal here is to segment access and protected
information across your corporate network and have the necessary controls in
place to equip your organization to identify and mitigate those threats at
lightning speeds. Adapting this Zero Trust Model - granting least-privileged
access, implementing sign-on verification measures where possible and
practicing good cyber hygiene - should be considered a top priority for every
organization in 2022. It's also important for organizations to have an early
warning system for WFH employees and the ability to remotely manage their employee
devices in the case there has been a compromise and a device needs to be
quickly wiped."
++
Tim Prendergast, CEO, strongDM
"Virtually
every major security challenge, including insider threats, requires one core
element: access. While much has been done to address physical security and
application access, there is one glaring vulnerability: infrastructure access.
In honor of Insider Threat Awareness Month, I would like to remind company
leaders that this gap is critical. After all, getting access to infrastructure
is equivalent to getting the keys to the kingdom. Whether the insider was
malicious, accidental, or has been compromised by a bad actor, it's important
that CISOs and other IT leaders take the necessary steps to centralize their
access approach. Doing so can allow them to manage access across databases,
servers, cloud service providers, and even newer tools like Kubernetes, to get
the highest standards of security against inside and outside threats without
compromising productivity."