Do you know that more than one in three enterprises worldwide has suffered cyberattacks or cybersecurity risks due to insider threats? In monetary terms, the damage to business from credential theft by rogue insiders in 2020 was $27.9 million.
What are insider threats?
Insider threats are cybersecurity risks that originate from within the enterprise. Employees and other users with access credentials offer threat actors a way into the network.
All businesses empower employees and some ecosystem partners with access credentials. These users may fail to protect sensitive data, either inadvertently or deliberately.
Insider threats come in three forms:
- Careless authorised users fall prey to phishing or social engineering attacks. With deepfake technology, such attacks are on the rise: cybercriminals impersonate superiors to make employees click on malicious links or disclose OTPs.
- Malicious insiders inflict deliberate harm out of financial greed or ill will towards the company. They may also be professional spies planted by competitors, threat actors, or hostile nation-states.
- Compromised users may be victims of blackmail, such as sexual entrapment by professional cybercriminals.
Countering insider threats requires a different strategy from countering external threats. Insiders hold legitimate access credentials and are invisible to traditional cybersecurity deployments: firewalls and intrusion detection systems cannot catch them.
The following approaches thwart insider threats.
1. Implement strict access policies and controls.
Internal threats occur when users misuse their authorised access credentials. If users hold no more access than their jobs require, these threats have no room to materialise.
Traditional access controls allowed users access only during office hours and only from the office PC. Remote work and competitive pressures render such controls unviable today: enterprise users need remote access round the clock. To reduce the risk of internal cybersecurity threats in this changed reality:
- Limit access to sensitive data and systems on a need-basis, using the principle of least privilege. When users have only the access needed to perform their tasks, their attempts to access anything extra trigger an alert.
- Require multiple levels of authorisation whenever feasible. For instance, require authorisation from the system admin when any user wants to copy data to a removable device.
- Use multi-factor authentication (MFA) as an additional layer of security. Even if a compromised user discloses their password to an intruder, MFA still stands in the attacker's way.
2. Strengthen physical security
Rogue insiders steal sensitive data using pen drives and other external devices, or they may try to sabotage the IT infrastructure to cause downtime or losses.
- Control removable media, such as USB drives. Have policies that mandate proper authorisation for the movement and removal of such devices.
- Restrict physical access to server rooms and other areas hosting critical IT infrastructure. Ensure these rooms are always under physical lock and key, and log all visitors. Deny access to personnel who do not have a reason to access these spaces.
- Monitor all critical facilities using motion sensors and CCTV cameras with night vision.
- Enable session recording (screen capture) on all critical servers and devices that privileged users access.
3. Establish a strong security culture.
Foster a culture of cybersecurity awareness to pre-empt the damage caused by careless insiders. A culture of oneness and transparency, coupled with empowerment, prevents ill will towards the enterprise.
- Train employees on cybersecurity best practices. Make them understand the importance of protecting sensitive information. Make them competent to recognise and report suspicious emails or other phishing attempts.
- Set easy mechanisms for employees to report suspicious activities anonymously. Also, have systems to protect whistle-blowers from retaliation.
- Include background checks when hiring new employees or onboarding new supply chain partners to weed out candidates with dubious records.
4. Conduct regular network monitoring.
Tracking unusual or suspicious behaviour is the most effective way to identify and thwart insider threats. Tell-tale signs that indicate rogue insiders at work include:
- Repeated attempts to access enterprise databases, especially during odd hours.
- Unusual logins or login attempts
- Excessive or bulk data download, and so on.
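The indicators above can be turned into simple detection rules. The following added Python example (not part of the original article or of any vendor product) scans a constructed audit log for the three signs listed: repeated off-hours database access, repeated failed logins, and bulk downloads; the log format and the thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit log (not from the article); one event per line:
# ISO timestamp | user | event | detail (table name, service, or bytes)
SAMPLE_LOG = """\
2024-03-04T02:13:00|alice|db_query|customers
2024-03-04T02:15:30|alice|db_query|customers
2024-03-04T02:20:10|alice|db_query|payroll
2024-03-04T09:05:00|bob|login_fail|vpn
2024-03-04T09:05:20|bob|login_fail|vpn
2024-03-04T09:05:40|bob|login_fail|vpn
2024-03-04T10:00:00|carol|download|12000000
2024-03-04T10:30:00|carol|download|15000000
2024-03-04T11:00:00|dave|db_query|inventory"""

# Thresholds are assumptions for illustration; tune them per environment.
OFF_HOURS_START, OFF_HOURS_END = 22, 6   # 22:00 to 06:00 counts as odd hours
ODD_HOUR_DB_THRESHOLD = 3                # repeated database access at odd hours
FAILED_LOGIN_THRESHOLD = 3               # unusual login attempts
BULK_DOWNLOAD_BYTES = 20_000_000         # excessive data download per user


def is_off_hours(ts):
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def find_insider_indicators(log_text):
    """Map each user to the list of tell-tale indicators they tripped."""
    odd_db, failed, downloaded = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        ts, user, event, detail = line.split("|")
        ts = datetime.fromisoformat(ts)
        if event == "db_query" and is_off_hours(ts):
            odd_db[user] += 1
        elif event == "login_fail":
            failed[user] += 1
        elif event == "download":
            downloaded[user] += int(detail)   # bytes, summed per user
    alerts = defaultdict(list)
    for user, n in odd_db.items():
        if n >= ODD_HOUR_DB_THRESHOLD:
            alerts[user].append(f"{n} database queries during off-hours")
    for user, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts[user].append(f"{n} failed logins")
    for user, total in downloaded.items():
        if total >= BULK_DOWNLOAD_BYTES:
            alerts[user].append(f"bulk download of {total} bytes")
    return dict(alerts)
```

In a real deployment the same rules would run inside a SIEM over authentication, database and proxy logs, with thresholds derived from each user's normal baseline rather than fixed constants.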
Standard tools to enforce monitoring and thwart insider risks include:
- Data loss prevention (DLP) tools to monitor data in motion, at rest, and in use, and block any activity outside the defined rules.
- Security information and event management (SIEM) tools to monitor and log user activities. SIEM tools interpret changes to user profiles, invalid login attempts, object changes, and more. These logs reveal anomalies and support incident investigations.
- Log management and change auditing software to deliver enterprise-wide visibility.
Consider the case of a ConocoPhillips employee who created fraudulent invoices and siphoned off $3 million from the oil major. A robust insider threat management platform identifies such fraudulent invoices and nips the threat in the bud.
54% of enterprises use DLP software, and 50% use user behaviour analytics software to track insider risks. 47% of enterprises actively monitor and deploy surveillance mechanisms on their employees. These tools trigger alerts when employees perform out-of-normal activities.
But collecting endpoint telemetry for all users all the time is neither desirable nor practical. Advanced tools such as Proofpoint offer a more adaptive approach that focuses on risky internal users: employees serving notice, third-party contractors, senior executives with full access, and so on. The admin can set up rules to generate alerts when users copy data to a USB drive or upload data to a cloud sync folder. Proofpoint's lightweight endpoint agent provides deep visibility into user activity. Admins can create user groups they identify as risky and adjust policy configurations to change the amount and types of data collected for each user or user group.
These advanced tools also block users from performing out-of-policy interactions with sensitive data. In many cases, users do not realise their actions are risky. Proofpoint allows admins to notify users in real time when they commit actions that violate company policy. They could also seek user justification and approve the action if legitimate.
Proofpoint’s Information Protection and Cloud Security platforms help admins understand the context behind user behaviour and identify the best response to insider-led incidents. Proofpoint Endpoint Data Loss Prevention (DLP) and Proofpoint Insider Threat Management (ITM) tools identify risky user behaviour and enable quick responses. Proofpoint ITM also offers deep visibility into user activity and provides contextual insights. Network admins get an intuitive central console to set up policies, triage alerts, hunt for threats and make quick responses.
Mitigating insider threats is an ongoing effort. Success depends on a multi-faceted proactive approach to security.