Your organization has made numerous investments to protect against external threats. But what about internal threats?
Threats today aren’t just external, companies face challenges detecting and mitigating a wide range of internal threats. This includes individuals with legitimate access to your organization’s network who might use this access in a way that causes damage to your company. These threats include disgruntled employees or those with malicious intent, employees willing to sell your data to nation-state actors or competitors to make a quick buck, or even the rogue software developer looking to take your company’s intellectual property with them to their new start-up. Also, we cannot forget the threats that stem from employee mistakes, carelessness, or lack of knowledge.
Growing Risks and High Costs of Insider Threats
And your internal threat risk is growing – and costly. A recent report revealed that 74% of companies are at least moderately vulnerable to insider threats, with an average cost to an organization in 2023 of $15.38 million.
Many companies have controls in place, which may include a data loss prevention (DLP) tool, native audit logs to see who’s touching the files, or properly configured firewalls/edge controls. But it’s imperative to have a multifaceted approach as your highly technical individuals typically know where your technical controls exist and likely can find a way around those individual controls. Some organizations have even reported instances of individuals taking photos of files with their phones, a scenario in which your DLP tools or alerts won’t protect you.
Strategies to mitigate insider risks:
- Enhance Audit Logging: Native audit logs from wherever you are storing data. Whether you’re storing it in OneDrive or an on-prem network attached storage device, a product such as Varonis that analyzes all those logs in near real time can help you better understand user behavior as these tools have built-in user behavior analytics. In these cases, you can see that, “Hey, this person touched 1000% more files today than they did previously,” (Ex. opening large amounts of files to scan with smart phone) sending an alert that can be configured to kick off a script to lock that user’s accounts to stop the threat.
- Least-Privilege Access Model: Implement a least-privileged model where employees only have access to the files and applications required to do their daily duties. With a least-privileged model and privileged account management you can leverage those accounts to put procedures in place to control who has access to your company’s most important data.
- Cloud Access Monitoring: Leverage a cloud access security broker (CASB) to give you controls to make sure that only a corporate device or a company-approved device can touch the data. Having a CASB in place can act as the gatekeeper on who is or is not allowed in, and what data they’re allowed to access, dependent upon whether they access from a company resource or not.
- Utilize Security Awareness Training for Insider Detection: Ensure you have a good security awareness program in place. Education is key in teaching team members about scenarios that could happen, and how to respond. For example: one of our employees received a message that came from a colleague over a 412-area code. Realizing something seemed off, they looked up their coworker’s cell number and saw it was a completely different area code, so knew it was an imposter.
- Create Anonymous Reporting Channels: Implement a hotline or other confidential communication channel for employees to report anonymous tips. That way, if they see something and want to say something, they won’t be concerned about retribution.
At CyberOne, we firmly believe that organizations should adopt controls based on their security condition level (SECCON) to reasonably achieve security objectives. We recommend Insider Threat monitoring at multiple layers to help quickly identify, detect, and respond to common threats. We are excited to expand the conversation, contact us at email@example.com.
Authored by Scott Wright, Senior Security Solutions Architect