When it comes to defending against cyber attacks, most companies will focus on keeping potential threats out. They build a security strategy that protects internal systems and data and mitigates the potential impact of external bad actors. The issue with this approach is that it ignores another important attack vector: insider threats.
Insider threats are often employees, contractors, or partners who have access to sensitive data within your organization and expose, leverage, or sell that data. This can be done intentionally — either by a disgruntled employee or someone who has been compromised — or accidentally by someone making a mistake when sharing or storing data. Regardless of the intent, insider threats can have a massive negative impact on a company; unfortunately, it’s a growing trend.
Today, according to data from Cyberhaven, nearly one in ten employees will exfiltrate data in a given six-month period. That’s almost 10% of your workforce that could be putting your organization at risk. These exfiltration events largely include customer data and source code, which can significantly compromise a company’s competitive advantage and reputation.
To stay ahead of this threat, there are a number of things that companies can do. Here are five things your security team can consider as it lays out a strategy for mitigating insider threats.
Having visibility into your data and how it’s being used will help you understand how exposed you are to insider risk. With the right data and user monitoring tools, you can establish how employees and other authorized parties use data in real workflows and set benchmarks for “normal” usage. Plus, this visibility can give you insight into the flow and spread of your organizational data, revealing risk factors such as:
- Whether users have too much access to data
- Whether there are any unusual workflows being executed
- How data is being used once it is accessed
Understanding these risk areas can then help your team prioritize where to take mitigating steps to prevent the oversharing or misuse of sensitive data. With this insight, you can establish an insider threat program that can detect and prevent malicious insiders as well as insider threats from end-user accidents or negligence.
The other important element of visibility is understanding the various forms that insider threats take. For example, an easily recognizable insider threat could include unusual behavior such as a user trying to access data they don’t need as part of their role or at a time they don’t usually work.
That said, not all insider threats are that easy to identify. A malicious insider who has planned ahead could take their time, slowly accruing data during normal business hours. Preventing this would require more sophisticated monitoring for evasive behaviors such as saving data to compressed ZIP files or encrypting sensitive data.
Insiders who share data accidentally are even more difficult to identify, as their activity typically blends with normal user behavior. Identifying them instead requires more real-time data monitoring tools that flag when a user has accidentally saved something to their personal Google Drive instead of their corporate one.
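As an added example (not code from the original post), here is a small behavioral check in Python over constructed file-access log lines that flags the three patterns described above: off-hours access, slow accumulation of data during normal hours, and packaging data into archives or encrypted containers. The log format, the per-user baselines and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp,user,action,path,bytes"
LOG = """\
2024-03-04T09:12:00,alice,read,/crm/customers.csv,20000
2024-03-04T10:40:00,alice,read,/crm/leads.csv,15000
2024-03-05T09:05:00,alice,read,/crm/customers.csv,20000
2024-03-06T23:48:00,alice,read,/crm/customers.csv,20000
2024-03-04T09:30:00,bob,read,/src/repo/core.py,5000
2024-03-05T09:31:00,bob,read,/src/repo/api.py,6000
2024-03-06T09:33:00,bob,read,/src/repo/db.py,7000
2024-03-07T09:35:00,bob,read,/src/repo/auth.py,8000
2024-03-08T09:36:00,bob,read,/src/repo/ui.py,9000
2024-03-08T11:00:00,bob,create,/home/bob/export.zip,35000
"""

# Assumed benchmarks of "normal" usage: typical bytes read per user per week.
BASELINE_WEEKLY_BYTES = {"alice": 70000, "bob": 10000}
WORK_HOURS = range(8, 19)                      # assumed normal working window
ARCHIVE_EXT = (".zip", ".7z", ".gpg", ".pgp")  # packaging / encryption hints
WINDOW = timedelta(days=7)
ACCRUAL_FACTOR = 1.5                           # flag a rolling week above 1.5x baseline

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        ts, user, action, path, nbytes = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, action, path, int(nbytes)))
    return sorted(rows)                        # chronological order

def detect(log, baseline=BASELINE_WEEKLY_BYTES):
    """Return (user, kind, detail) alerts for the three patterns described above."""
    alerts, history, accrual_flagged = [], defaultdict(list), set()
    for ts, user, action, path, nbytes in parse(log):
        if ts.hour not in WORK_HOURS:          # access at a time the user does not usually work
            alerts.append((user, "off_hours", ts.isoformat()))
        if action == "create" and path.lower().endswith(ARCHIVE_EXT):
            alerts.append((user, "evasive_packaging", path))  # ZIP / encrypted container
        # Rolling 7-day volume catches slow accumulation during normal hours.
        history[user] = [(t, b) for t, b in history[user] if ts - t <= WINDOW] + [(ts, nbytes)]
        total = sum(b for _, b in history[user])
        # A user with no baseline (unknown to the benchmark) is flagged on any volume.
        if user not in accrual_flagged and total > ACCRUAL_FACTOR * baseline.get(user, 0):
            accrual_flagged.add(user)
            alerts.append((user, "slow_accrual", total))
    return alerts
```

Calling `detect(LOG)` yields one alert per pattern: bob's week-over-baseline accrual on the third day, alice's late-night read, and bob's archive creation.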
Building a culture of security and establishing security policies that account for insider threats is a great way to help prevent accidental exfiltrations. When setting policies, companies must first identify the data that needs protection. In other words, what data could harm your organization if exposed? This will include expansion plans, intellectual property, source code, customer data, and more. The policies you create must account for all these data types and sources.
As a primary goal, the policies should also set clear rules and practices for how (and by whom) each data type should be accessed and used. There should be parameters for controlling that access, as well as specific permissions for how the data can be used and via which applications.
While being able to respond to insider threats is an important capability to have, prevention is also key. Many insider threat tools aren’t set up to actively block an insider threat while it’s happening, and they may not be nuanced enough to understand that a suspicious user action requires additional research before it can be confirmed as an insider threat. As such, there’s a growing need for insider threat tools that allow for in-line enforcement and are able to maintain a consistent context of what data is sensitive within an organization. This way, companies can be better equipped to react in real time whenever information is about to be exfiltrated.
When it comes to insider threats, your employees can either be your greatest point of vulnerability or your greatest defenders. Getting this right means educating your users so that they know how to handle data and reduce the prevalence of insider negligence. This education should go beyond regular training sessions and refreshers — it should be continuous, something individuals encounter on an ongoing basis. For example, if someone is making a mistake, a pop-up could advise them not to do that and then direct them to more information on why.
This has the added benefit of making employees part of the solution rather than building distrust with a more rigid and disciplinary approach.
Because of the dynamic nature of insider threats, they are particularly difficult to mitigate. Staying ahead of these vulnerabilities requires taking a proactive and comprehensive approach, one that relies on data-rich tooling and monitoring to quickly identify any potential threats and respond effectively.
Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well-suited for writing in the cybersecurity space. She is also a regular writer for Bora.