September is for raising awareness of insider threats
If you haven't been paying attention you may not have noticed that September is National Insider Threat Awareness Month, which aims to educate individuals and organizations about the dangers of insider threats and the forms they can take.
Almost half of organizations say they find it difficult to prevent insider attacks, according to a recent study, which makes it more important than ever to understand the risk. We've gathered comments from a number of industry experts on the nature of the threat and how to tackle it.
It's often thought that insider threats are necessarily malicious but this isn't always the case according to Jakub Lewandowski, global data governance officer at Commvault, "Two out of three insider threats are unintentional, occurring from employees' negligent behavior, such as not complying with security policies. As data protection laws very likely change in the following months and years, employees may have increased access to customers’ personal data, and therefore need to be fully informed of any subsequent changes to security policies. A lack of awareness could result in sensitive data being leaked accidentally, for example. Hence, Insider Threat Awareness Month in the current climate is crucial and should be used by organizations as an opportunity to evaluate how they will eliminate such risks -- via training, new processes, etc."
This is echoed by Michael Carr, head of strategic development at Six Degrees:
There are a number of misconceptions around insider threat that need to be addressed. Most organizations think insider threat is purely malicious, caused by disgruntled employees deliberately stealing data or rendering systems unusable. They also feel that they are exempt from insider threat, as either their data isn’t valuable enough or they have sufficient protections in place.
Neither of these beliefs is correct. Insider threat is a risk to most organizations, but unfortunately it is very difficult to prevent if the threat is malicious -- the disgruntled employee will most likely already have privileges to systems and data as part of their day-to-day role.
Terry Storrar, managing director of Leaseweb UK thinks the pandemic has added to the problem, "Safeguarding data from insider threats has become more complex and more pressing in the last 18 months. Companies faced unprecedented challenges in the early weeks of the first lockdown, with many scrambling to put in place quick-fix home working capabilities and leaving cracks in their security infrastructure. While external threats gain the limelight, it is no less important to secure against insider threats especially with employees no longer behind office walls."
Steve Moore, chief security strategist at Exabeam points out that in some cases cybercriminals may be actively recruiting insiders:
To add complexity to this already difficult problem, there have been examples of criminal attackers who now offer a cut of the proceeds if an employee assists in deploying ransomware. How many disgruntled or underappreciated employees might consider this opportunity?
When irregular behavior is detected, it should be taken seriously as a possible attack. Various indicators of insider threats exist, and a crucial step in protecting against them is recognizing those signs and establishing a threshold of normal for employees. Unfortunately, most organizations lack the capability to know normal human and device behavior.
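The "threshold of normal" Moore describes is, in practice, a per-user baseline that later activity is scored against. The following is an added example written for this page, not code from Exabeam or any product: it builds a profile of each user's usual hosts, working hours and transfer volumes from a training window of constructed access-log lines, then flags later events that depart from it. The log format, field names, cutoff date and thresholds are all assumptions.

```python
"""Baseline-and-deviation detection over constructed access-log lines.

Added example: builds a per-user profile of "normal" (hosts, hours, bytes
transferred) from a training window, then flags later events that fall
outside it. Log format, field names and thresholds are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): timestamp,user,host,bytes_out
SAMPLE_LOG = """\
2021-09-01T09:12:00,alice,fileserver01,120000
2021-09-01T14:05:00,alice,fileserver01,98000
2021-09-02T10:41:00,alice,fileserver01,131000
2021-09-02T16:20:00,alice,fileserver01,102000
2021-09-03T09:58:00,alice,fileserver01,117000
2021-09-03T15:30:00,alice,fileserver01,125000
2021-09-06T11:02:00,alice,fileserver01,110000
2021-09-07T09:45:00,alice,fileserver01,121000
2021-09-08T13:10:00,alice,fileserver01,99000
2021-09-09T10:25:00,alice,fileserver01,128000
2021-09-01T08:50:00,bob,hrdb01,4000
2021-09-02T09:10:00,bob,hrdb01,3800
2021-09-03T09:30:00,bob,hrdb01,4200
2021-09-06T08:55:00,bob,hrdb01,4100
2021-09-07T09:05:00,bob,hrdb01,3900
2021-09-13T10:15:00,alice,fileserver01,118000
2021-09-14T02:47:00,alice,fileserver02,8200000
2021-09-14T09:20:00,bob,hrdb01,4000
"""

# Everything before this timestamp trains the baseline; everything after is scored.
DEFAULT_CUTOFF = "2021-09-13T00:00:00"


def parse(log_text):
    """Turn CSV lines into dicts with a parsed timestamp and integer byte count."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, host, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "bytes": int(nbytes)})
    return events


def build_baseline(events, cutoff):
    """Per-user profile from events strictly before `cutoff`."""
    by_user = defaultdict(list)
    for e in events:
        if e["ts"] < cutoff:
            by_user[e["user"]].append(e)
    profiles = {}
    for user, evs in by_user.items():
        sizes = [e["bytes"] for e in evs]
        profiles[user] = {
            "hosts": {e["host"] for e in evs},
            "hours": {e["ts"].hour for e in evs},
            "mean": statistics.mean(sizes),
            "stdev": statistics.pstdev(sizes),
            "n": len(sizes),
        }
    return profiles


def score_event(event, profile, z_threshold=3.0):
    """Return the list of ways `event` departs from `profile` (empty = normal)."""
    reasons = []
    if event["host"] not in profile["hosts"]:
        reasons.append("new host " + event["host"])
    if event["ts"].hour not in profile["hours"]:
        reasons.append("unusual hour %02d:00" % event["ts"].hour)
    if profile["stdev"] > 0:  # a flat baseline gives no usable z-score
        z = (event["bytes"] - profile["mean"]) / profile["stdev"]
        if z > z_threshold:
            reasons.append("volume z=%.1f" % z)
    return reasons


def detect(log_text=SAMPLE_LOG, cutoff=DEFAULT_CUTOFF, min_baseline_events=5):
    """Score every event at or after `cutoff`; return (user, timestamp, reasons) tuples."""
    cutoff_ts = datetime.fromisoformat(cutoff)
    events = parse(log_text)
    profiles = build_baseline(events, cutoff_ts)
    alerts = []
    for e in events:
        if e["ts"] < cutoff_ts:
            continue
        prof = profiles.get(e["user"])
        if prof is None or prof["n"] < min_baseline_events:
            # Too little history to call anything "normal": surface it rather than guess.
            alerts.append((e["user"], e["ts"].isoformat(), ["no usable baseline"]))
            continue
        reasons = score_event(e, prof)
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect():
        print(f"ALERT {ts} {user}: {'; '.join(reasons)}")
```

Run as a script it prints one alert: alice's 02:47 transfer of 8.2 MB to a host she has never touched, which trips all three checks at once, while her routine daytime access and bob's unchanged pattern pass silently. The "no usable baseline" branch matters in practice: a new hire or a service account with almost no history should be reviewed, not scored as if a handful of events defined normal.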
Tim Bandos, CISO of Digital Guardian believes raising awareness is key to tackling the problem:
The pandemic has shifted organisations' data security needs. With the rising value and volume of digital assets, there’s greater risk of insiders leaking or stealing sensitive data. Once you grant insiders access to your network, perimeter security offers no protection. Bad actors enjoy the freedom that comes with trusted access and can compromise systems undetected. Guarding against insider threats requires a focus on understanding and securing the data itself and prompting users to do the right thing.
Organizations should roll out security awareness campaigns to educate end users on day-to-day security best practices in order to more effectively manage their assets. That means knowing where the most sensitive data resides and implementing additional safeguards around those systems.
Danny Lopez, CEO of Glasswall agrees but thinks management has a role to play too, "Your employees should not be your only line of defense against cyberattacks. Instead, your leadership teams should understand where your risk factors are and implement proactive technologies, such as Content Disarm and Reconstruction (CDR), which can deliver instant protection. In the face of increasing risk and intricate attacks, there's no better time to make cybersecurity a top priority."
The same view comes from Gary Cheetham, CISO at Content Guru, "An experienced Chief Information Security Officer (CISO) with a well-organised team is key for an effective security strategy, but it is crucial not to overlook the importance of educating the rest of your employees to ensure the insider threat in the organization is minimized. Often, this threat stems from unknowing, non-malicious employees making simple mistakes. Regular training on cyber security and hygiene using engaging and accessible resources is the best way to minimise this risk."
Reviewing security measures is important in dealing with the problem, says Troy Gill, senior manager of threat intelligence at Zix | AppRiver:
When it comes specifically to protecting login credentials, there are multiple ways beyond creating a more complex username and password. One of the most popular and effective options is two-factor authentication (2FA). Implementing 2FA provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user's phone, email address or through an authenticator app, after entering their username and password. It's getting easier for cybercriminals to breach even the most complex password, which is why implementing 2FA is critical.
Organizations should use National Insider Threat Awareness Month to evaluate their internal security practices and send reminders to employees and customers alike about the importance of good password hygiene and staying vigilant to possible threats.
"While many companies focus on ransomware and malware as top cybersecurity risks, insider threats should also be top of mind -- whether there is malicious intent or well-intentioned employees who simply make costly mistakes," says Anurag Kahol, CTO and co-founder of Bitglass. "In fact, 61 percent of organizations reported experiencing at least one insider attack last year. As companies move toward a hybrid work model, IT teams will be challenged with safeguarding sensitive corporate data from insider threats both in the cloud and on-premises. This further validates the need for complete visibility and control across the hybrid IT ecosystem."