Cyber security focuses on external threats from hackers, ransomware operators, and other cybercriminals. Rogue insiders do not get the attention they deserve. Users with legitimate access may steal customer information, intellectual property, or trade secrets. Ponemon Institute’s 2020 Cost of Insider Threats study reports the cost of internal threat for enterprises at USD 11.45 million annually, on average. Insider threat incidents have risen 44% over the last two years. 

Insider threats take place through access abuse. Hackers need to breach the network to syphon off data or slip in malware. Insiders who have access to the network do the same harm, either deliberately or inadvertently. Such insiders include current employees, former employees with active passwords, contractors, business partners, suppliers, and vendors.

Ransomware attacks are increasing and you need to improve your cybersecurity. The potential harm from rogue insiders is often more than the potential harm from hackers. Even after breaching the network, hackers must search for sensitive data. Enterprises with top-notch network monitoring tools could detect the breach and shut down the network. But rogue insiders are aware of the location of the sensitive data, as they often access it as part of their job requirements. Since they have legitimate access, regular network monitoring tools do not raise an alarm when they syphon off data.

The nature and type of insider threats

Addressing internal threats requires understanding the rogue insiders and devising strategies to pre-empt each type. The Ponemon Institute identifies insiders who compromise the network as negligent, criminal, or credential.

Negligent insiders

The number of records breached from 2018 to 2019 rose by a whopping 200%. The “2020 IBM X-Force® Threat Intelligence Index” lists inadvertent insider threats as the primary reason for the rise. A Ponemon Institute study attributes 63% of the internal data breach incidents to negligence.

Many employees with access rights are careless. Their ignorance or lackadaisical attitude makes them prone to make mistakes or violate the IT governance policy. They leave a door open for hackers.

Gartner refers to negligent or naïve employees as “pawns.” Cyber criminals manipulate these pawns to perform malicious activities. A hacker may, for instance, slip in a genuine-looking email and induce the employee to click on a malicious link in the email.

Goofs, or ignorant, arrogant users, bypass security controls for convenience. Goofs are aware of the risks, but time pressure forces them to take shortcuts, and in the process, compromise network security.

Rogue insiders

Rogue employees use their access to steal customer information or intellectual property. They collaborate with professional hackers, competitors, or enemy nation-states.

Rogue insiders include

• Employees or others with access to the network seeking financial gains.
• Employees blackmailed to cooperate with the hackers.
• Disgruntled employees or ex-employees who steal customer data and sell it to competitors.
• Infiltrators, or professional criminals who join the enterprise , to get authenticated access. Once they get access and go outside the cross-hairs of cyber defence, they steal data or wreck damage.

“Lone wolves” who act with no external influence or manipulation. They may have some ideological motivation to wreak havoc and destruction. Lone wolves working as system or database admins have an elevated level of privilege, making them very dangerous.

Tools and approaches to manage insider threats

The nature or type of insider threats does not mitigate or change the damage done to the enterprise. Enterprises need to co-opt tools that address insider threats as part of their cyber security strategy.

1. Ensure visibility. As basic requisites to ward off internal threats, ensure transparency and complete visibility into the network. Most corporate networks today are a complex labyrinth of technologies, devices, and applications. Adoption of every new technology or application increases the complexity. Organic growth creates disjointed systems and silos, complicating management access rights and privileges. A malicious insider or infiltrator may take advantage of such opaque networks to perform their deeds under the radar.
2. Perform periodic security risk assessments. Identify critical assets, their vulnerabilities, and potential threats.Expand the assessments to internal threats, in addition to external threats.
3. Conduct proactive network monitoring. Establish a baseline of normal network traffic behaviour. Next, aggregate security data into a centralised monitoring solution and configure real-time alerts on deviations from normal behaviour. Telltale signs of deviations include accessing files outside working hours or downloading suspicious applications.
4. Implement identity and access management. Identify each user who accesses the network, and maintain activity logs. Deploy two-factor authentication to authenticate legitimate users..
5. Deploy network intrusion detection and prevention systems. Strengthen network defences such as spam filters, web filters and NAC to pre-empt hackers targeting “pawns.” 
6. Strengthen data governance. Implement strict policies for the use of removable media. Purge orphaned and dormant accounts.
7. Strengthen physical security. Strengthen physical access control for rooms hosting critical servers.
8. Strengthen recruitment. Identify candidates with the right fit and tick the boxes on the trust factor. Take background checks seriously. Use the probation period to assess the integrity of the new hire. Red-flag suspicious background or behaviour.
9. Raise awareness. Make employees aware of the cyber threats and the implications of carelessness.Never assume employees, even those with technical qualifications, are aware of cyber risks. Promote a security-conscious culture, and offer periodic training on cyber dos and don’ts.

Deploy access management and information protection tools

Information Access Management (IAM) solutions safeguard against inappropriate access privileges and policy violations. The IT security team may manage access and privileges at the user level seamlessly, at scale. These solutions may also validate the hardware and software seeking access. 

Privileged-access-management (PAM) solutions model user behaviour and assign risk scores for each user. These tools use historical data to create baselines of normal behaviour for each user. The risk score comes with deviations from such normal baselines. The risk scores, linked to specific events, such as changes in user geography or downloading files to removable media, enable enterprises to take immediate actions when a risky event occurs.

Robust information protection tools such as ProofPoint apply security solutions even against insiders. The tool offers protection against accidental mistakes and deliberate insider attacks across all endpoints, emails, cloud apps and other data repositories. ProofPoint’s cross-channel DLP detectors feature AI-powered data classification. Advanced features include dictionaries, pre-trained classifiers, smart Ids, regex, metadata tagging, proximity and exact data matching and file fingerprinting. The security team gets contextual insights, including detailed alerts, enabling prompt incidence response. A spin-off benefit is easy compliance with regulations such as HIPAA and GDPR.

These tools use machine learning to distinguish between a user’s regular and malicious activity. For instance, if a user attempts multiple login attempts in the dead of night, the tool may block access.

Potential remediation includes:

• Blocking the rogue user by revoking access
• Insisting on a new multi-factor authentication.

A comprehensive policy co-opts insider threat remediation playbook that details the remediation approaches.

Information has become a critical source of competitive advantage in Industry 4.0. Businesses that manage insider threats become resilient and soar to greater heights of success.