In 2013, a contract employee with appropriate access to a number of secure systems exfiltrated unknown amounts of sensitive information, copied the information to storage devices and walked out of a secure facility. He reportedly took about 1.5 million documents, although the totality of the information taken, methods of access and extent of data indexing that occurred are still not part of the public information domain.
The incident serves as a textbook example of what can go wrong when proper controls are either not in place or are not serving their intended function.
More importantly, this pivotal point in cyber history is a cautionary tale for any enterprise with proprietary data and information that serves as the corpus of their intellectual property or as a foundation for their superior business intelligence: Ensure that you can effectively monitor your systems to mitigate the risk posed by the insider threat.
Every organization is vulnerable. There was one incident earlier this year that involved a major breach in the U.S. caused by a malicious attack allegedly perpetrated by a single individual at a partner company. There was also an incident in South America in which an unprotected database exposed sensitive data of more than 20 million people. And there was a situation in which an insider was negligent in running a routine report and leaked information on thousands of users.
The common theme in these incidents is that they are examples of the damage that can be caused by insider threats. As a business leader, the last thing you want is an attack from a user with existing access to your environment. It doesn’t really matter whether a breach is caused by malice, negligence or mistake – you have to make sure your cybersecurity teams are putting the processes and technologies in place to mitigate all types of insider threats and limit the damage if a significant security incident does occur.
Insider threats are particularly pernicious because of the knowledge, access and information malicious insiders may possess, and because even individuals who are cybersecurity-aware can make inadvertent or careless errors.
The average number of incidents involving employee or contractor negligence increased from 10.5% to 13.4% between 2016 and 2018, according to a comprehensive study by Ponemon Research. The report notes: “It is clear that employee or contractor negligence represents the most expensive insider profile.” The average cost of insider-related breaches was $8.76 million for the companies surveyed. The annualized cost for negligence was $3.81 million.
A separate report by Cybersecurity Insiders offers more sobering news: 70% of organizations say insider attacks are becoming more frequent; 68% feel extremely to moderately vulnerable to insider attacks; 85% find it very difficult to moderately difficult to determine the actual damage of an insider attack, and 56% believe detecting insider attacks has become harder since migrating to the cloud. The study confirms that information security leaders are most concerned about inadvertent and negligent insider breaches, even more so than malicious breaches.
To lessen the risk of insider breaches, one step is to foster an overall culture of cybersecurity, with ongoing training, appropriate activity logging, and involvement of multiple departments, such as HR, legal and others, in insider threat process and mitigation. Many companies are establishing dedicated programs to specifically reduce potential insider threat issues.
You have to ensure that your security teams and users are aware of—and follow—best practices, often referred to as good cybersecurity hygiene. This includes keeping up to date on patches, using multi-factor authentication and proactively managing access privileges. For those looking for guidance on the fundamentals, the Center for Internet Security (CIS) 20 Critical Security Controls are a good starting point.
A Zero Trust architecture allows for increased network visibility and simultaneously lessens the chance of unwanted connections or actions taking place without the approval of the owner of the data. There are a number of myths concerning the difficulty of implementing Zero Trust. In reality, you’re better off talking to deeply experienced practitioners who are living the Zero Trust model.
Cybersecurity success is increasingly dependent on machine learning, artificial intelligence and automation, particularly in threat intelligence, detection and response. For example, machine learning can help with early warnings and prevention of either negligent or malicious insider activity, using algorithms to identify threats before they can cause damage. Make sure you have these tools in place.
Many businesses focus heavily on malicious activities from external threats and often discover gaps exposing them to threats from the inside. But insider mistakes and negligence are growing, so do pay attention to what’s happening inside your environment to minimize all threats. You don’t want to be caught by surprise.
We are at a time when business leaders should be taking a more active role in securing their organizations. A single breach can be devastating in terms of lost revenue, damage to brand reputation, customer goodwill and the costs involved in dealing with the incident.
Insider threats will always be there, malicious or not. The question you have to ask yourself and your teams is: Are we doing everything we can to mitigate risk? If not, take a page from the CERT Guide to Insider Threats, which provides valuable direction and guidance on securing your organization, including this plan.
16 Steps to Mitigating Insider Threats
- Consider threats from insiders and business partners in enterprise risk assessments.
- Clearly document and consistently enforce policies and controls.
- Institute periodic security awareness training for all employees.
- Monitor and respond to suspicious or disruptive behavior – start with the hiring process.
- Anticipate and manage negative workplace issues.
- Track and secure the physical environment.
- Implement strict password and account management policies and practices.
- Enforce separation of duties and least privilege.
- Consider insider threats in the software development cycle.
- Use extra caution with system administrators and technical or privileged users.
- Implement system change controls.
- Log, monitor and audit employee online actions.
- Use layered defense against remote attacks.
- Deactivate computer access following employee termination.
- Implement secure backup and recovery processes.
- Develop an insider incident response plan.
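The step "Log, monitor and audit employee online actions" is where the 2013 incident described above (bulk document access followed by copying to storage devices) becomes detectable. The following is an added example, not code from the CERT guide or from Palo Alto Networks: it runs over a constructed, comma-separated audit summary (user, action, count) and flags users whose document-read volume sits far outside the peer baseline, raising severity when the same user also wrote to removable media. It uses a median/MAD baseline rather than mean/standard deviation so that one heavy reader cannot inflate the baseline enough to hide inside it.

```python
"""Added example: flag insider-style bulk document access from constructed audit events."""
from collections import defaultdict
from statistics import median

# Constructed sample, one event per line as "user,action,count". Not real log data.
SAMPLE_LOG = """\
alice,doc_read,120
bob,doc_read,95
carol,doc_read,110
dave,doc_read,130
erin,doc_read,4800
erin,usb_write,1
bob,usb_write,1
"""


def parse_events(text):
    """Aggregate per-user document reads and removable-media writes."""
    reads, usb = defaultdict(int), defaultdict(int)
    for line in text.splitlines():
        user, action, count = line.split(",")
        if action == "doc_read":
            reads[user] += int(count)
        elif action == "usb_write":
            usb[user] += int(count)
    return reads, usb


def modified_z(values):
    """Iglewicz-Hoaglin modified z-score: robust to the very outlier being tested."""
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())

    def score(v):
        if mad == 0:  # all peers identical: anything above the median is anomalous
            return float("inf") if v > med else 0.0
        return 0.6745 * (v - med) / mad

    return {user: score(v) for user, v in values.items()}


def find_insider_anomalies(text, threshold=3.5):
    """Return {user: (severity, reads, score)} for users above the peer baseline."""
    reads, usb = parse_events(text)
    findings = {}
    for user, z in modified_z(reads).items():
        if z > threshold:
            # Bulk access plus a removable-media write matches the exfiltration pattern.
            severity = "high" if usb.get(user) else "medium"
            findings[user] = (severity, reads[user], round(z, 1))
    return findings


if __name__ == "__main__":
    for user, (sev, n, z) in find_insider_anomalies(SAMPLE_LOG).items():
        print(f"{sev.upper()}: {user} read {n} documents (modified z={z})")
```

A normal-volume user who writes to USB (bob in the sample) is not flagged by this rule alone; that event would be handled by a separate removable-media policy check.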
M.K. Palmore is Chief Security Officer Americas for Palo Alto Networks. Previously, he spent 22 years with the FBI, most recently as Assistant Special Agent in Charge of the Cyber Branch.