Fortify Your Org Against Insider Threats

Linda Rosencrance, freelance writer/editor

Insider threats, whether intentional or unintentional, can have a devastating effect on a company—often resulting in financial and reputational losses.

Intentional insider threats are cybersecurity threats carried out by people working directly with an organization—such as employees, contractors, or business partners—who want to steal data for malicious purposes.

"Typically, this is a disgruntled employee or former employee who still has system access, or a 'hacktivist' employee who got hired with the sole goal of infiltrating the company," said Jeremiah Mason, senior vice president of product management at authID, a biometrics authentication provider.

Unintentional insider threats are those committed by insiders who inadvertently put their organizations at risk. They may do this by doing such things as clicking on a phishing link in an email, not complying with company policies, or even accidentally emailing sensitive company data to the wrong person.

Detecting Insider Threats

Insider threats are currently hard to detect because typical threat-detection tools are designed to find external attacks.

"They're made to look for things coming in from the outside," said Joseph Blankenship, vice president, research director at Forrester Research. "They're not necessarily made for looking at insider threats."

Organizations can use analytics tools that detect changes in user behavior, however. For example, companies might want to pay attention if employees are accessing and downloading massive amounts of data that they don't need to do their jobs, said Blankenship.

In addition, vendors are beginning to offer tools that are built specifically to detect insider threats.

"For example, Code42 has a purpose-built insider-threat tool," Blankenship said. "And now you're starting to see these tools that are built for this actually start looking at how insider threats are different from other threats."
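Blankenship's example of a behavioral check, as added code that is not from the article or from any vendor tool: each user's daily download volume is compared with that same user's earlier days, so a role that routinely moves a lot of data is not flagged while a sudden spike is. The user names, records and thresholds are constructed for the example.

```python
"""Flag user-days whose download volume is far above that user's own baseline.

Constructed sample records: (user, day, bytes_downloaded). Each day is judged
only against the same user's earlier days, so a role that legitimately moves
a lot of data (bob) is not flagged, while carol's sudden spike is.
"""
from collections import defaultdict
from statistics import median

SAMPLE_RECORDS = [  # constructed, not real telemetry
    ("alice", 1, 120_000), ("alice", 2, 95_000), ("alice", 3, 140_000),
    ("alice", 4, 110_000), ("alice", 5, 130_000),
    ("bob", 1, 2_000_000), ("bob", 2, 1_800_000), ("bob", 3, 2_200_000),
    ("bob", 4, 1_900_000), ("bob", 5, 2_100_000),
    ("carol", 1, 300_000), ("carol", 2, 280_000), ("carol", 3, 310_000),
    ("carol", 4, 290_000), ("carol", 5, 45_000_000),  # ~150x her baseline
]

MIN_HISTORY = 3              # prior days needed before judging a user
RATIO_THRESHOLD = 10.0       # multiple of the user's median daily volume
ABSOLUTE_FLOOR = 10_000_000  # bytes; ignore small volumes even at a high ratio


def per_user_series(records):
    """Group records into {user: [(day, bytes), ...]} sorted by day."""
    series = defaultdict(list)
    for user, day, nbytes in records:
        series[user].append((day, nbytes))
    return {user: sorted(days) for user, days in series.items()}


def find_volume_anomalies(records):
    """Return [(user, day, bytes, ratio_to_baseline)] for anomalous user-days."""
    findings = []
    for user, days in per_user_series(records).items():
        history = []  # this user's earlier daily volumes only
        for day, nbytes in days:
            if len(history) >= MIN_HISTORY:
                baseline = median(history)
                ratio = nbytes / baseline if baseline else float("inf")
                if nbytes >= ABSOLUTE_FLOOR and ratio >= RATIO_THRESHOLD:
                    findings.append((user, day, nbytes, round(ratio, 1)))
            history.append(nbytes)
    return findings


if __name__ == "__main__":
    for user, day, nbytes, ratio in find_volume_anomalies(SAMPLE_RECORDS):
        print(f"ANOMALY user={user} day={day} bytes={nbytes} ({ratio}x baseline)")
```

The absolute floor keeps a user whose baseline is a few kilobytes from being flagged for a single megabyte; tune both thresholds to the organization's data.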

Protecting Your Data from Insider Threats

Insider threats have increased 44% over the past two years, while the cost per insider-threat incident has risen one-third since 2020 to $15.38 million, according to the Ponemon Institute's 2022 Cost of Insider Threats Global Report.

Ponemon reports that 67% of organizations experienced between 21 and 40 incidents annually, up from 60% in 2020. The report also notes that it now takes organizations longer to contain insider threats than it did in 2020, with the number of days increasing from 77 to 85.

Consequently, it is critical for companies to take steps to protect their systems and data against these threats.

Here are some tips to help them do just that.

Develop/Review Your Security Strategy

Companies should begin by developing their security strategies, or reviewing them if they already exist, to identify and account for security gaps.

"Clearly identify your risks and vulnerabilities, as well as the technologies, policies, and procedures needed to mitigate them," said Dominick Birolin, vice president of cybersecurity and compliance at Strive Consulting, a division of the Planet Group. "Then create a roadmap to implement missing mitigation components and the metrics you'll use to determine how well they're working."

Organizations' strategic plans should also ensure that employees are both properly trained and available to implement the necessary security precautions to quickly respond to insider threats, said Birolin.

Enforce the Principle of Least Privilege

One of the most important steps, and one of the hardest to implement, is the principle of least privilege: companies should give people access only to the systems and data they need to do their jobs.

"We don't necessarily want to give them carte blanche access," said Blankenship.

To that end, organizations must thoroughly vet employees, contractors, and vendors before they allow them to access their data and systems.

"This is to ensure that the level of access is only what they need and nothing more," said Justin Blackburn, threat detection engineer at AppOmni, a security software-as-a-service vendor. "[It's] also using role-based access controls and security group roles and proactively monitoring and auditing those things to make sure people haven't been inadvertently granted access to resources they shouldn't have access to."

"Vigorous authorization and access management are essential—and should include forms of multifactor authentication," added Timothy Morris, chief security advisor at Tanium, a cybersecurity and systems-management company. "Approval processes need to include due diligence prior to granting access, complete with removal when no longer necessary."

Morris also pointed out that threat-hunting activities, such as log review by SecOps teams, can help in this regard "to flag suspicious and rare behaviors or patterns."

Make Antiphishing Modalities Part of the Day-to-Day Routine

To protect against insider threats, organizations and their employees must make security part of their everyday routines—such as by preventing phishing attacks.

"Everyone holds a level of responsibility in combating phishing attacks," said Jamie Moles, senior technical marketing manager at cybersecurity company ExtraHop. "Positive reinforcement, continuous education, and solid feedback loops are all key to making it stick."

Phishing continues to be a key method hackers use to target employees—creating unintentional insider threats, he said.

"Today, threat actors are targeting employees through sophisticated intelligence gathering—identifying people and positions to ensure they send 'believable' emails complete with relevant subject lines and attachments," Moles said. "These phishing emails can be nearly impossible to identify as hoaxes."

To this end, organizations need to think about how their technologies support their awareness and education efforts.

"IT leaders should have a plan and tools to support catching an intrusion in the midgame, before [threat actors] are able to exfiltrate or encrypt critical data," said Moles.

For example, Moles said, companies should train every employee to:

  • Check the sender's email address. "This is often an easy red flag that users miss when they’re in a hurry or it looks like the note came from their boss or CEO," said Moles.
  • Check the links. "Hover a mouse over the link to see the full URL—or, better yet, Google the item to get to the linked item on your own," said Moles.
  • Check via different methods to determine the legitimacy of an email. "If the legitimacy of an email is suspect, contact the sender directly via another channel [or] a new email, or visit the company's website or social media to connect directly," said Moles.
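The first two checklist items can also be checked mechanically before a message reaches the user. This added example (not from the article or from ExtraHop) pulls the real address from behind the sender's display name and the real host from behind each link's visible text; the sample message, the organization domain example.com and the link targets are all constructed.

```python
"""Automate the first two checklist items: does the address behind the sender's
display name belong to the organization, and where does each link really go?
SAMPLE_EMAIL and every domain and IP in it are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed: the organization's own mail/web domain
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

SAMPLE_EMAIL = """\
From: "Pat Lee - CEO" <ceo@examp1e-payroll.net>
Subject: Urgent: updated payroll form
Content-Type: text/html

<p>Open the <a href="http://198.51.100.23/login">payroll portal</a> and read
the <a href="https://hr.example.com/policy">HR policy</a> today.</p>
"""


def in_org_domain(host, org_domain=ORG_DOMAIN):
    """True only for the organization's domain itself or one of its subdomains."""
    host = host.lower()
    return host == org_domain or host.endswith("." + org_domain)

def check_sender(from_header, org_domain=ORG_DOMAIN):
    """Finding if the real address behind the display name is outside the org."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    if in_org_domain(domain, org_domain):
        return None
    return f"sender shown as '{name}' but address is @{domain}"

def check_links(html, org_domain=ORG_DOMAIN):
    """One finding per link whose real host is a raw IP or outside the org."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host = urlparse(href).hostname or ""
        if host.replace(".", "").isdigit():  # IPv4 literal instead of a hostname
            findings.append(f"link '{text}' goes to raw IP {host}")
        elif not in_org_domain(host, org_domain):
            findings.append(f"link '{text}' goes to external host {host}")
    return findings

def analyze(raw_message, org_domain=ORG_DOMAIN):
    """Return all sender and link findings for a raw RFC 5322 message string."""
    msg = message_from_string(raw_message)
    findings = [check_sender(msg["From"], org_domain)]
    findings += check_links(msg.get_payload(), org_domain)
    return [f for f in findings if f]
```

Links to the organization's own subdomains produce no finding, so the report is only the items a hurried reader would need to look at twice.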

Disable Departing-Employee Access

When employees leave, organizations should disable those employees' access to systems and data immediately. The same goes for vendors and/or business partners when those partnerships end.

However, when it comes to departing employees, that's not quite enough.

"I think savvy companies also need to have processes in place that allow them to add another level of scrutiny and monitoring of those employees," said Terry Ray, senior vice president of data security GTM and field CTO at Imperva, a cybersecurity software and services company. "Maybe when they give their two weeks' notice, they get put into a high-risk group and somebody is assigned to monitor their activity every day to understand every file or every database that they access."
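The access review Blackburn and Morris describe in the least-privilege section, combined with the departing-employee handling above, as an added example that is not from the article or from any of the vendors quoted: grants are compared with the user's role (excess access), accounts of people past their termination date are listed for immediate removal (stale), and anyone inside a two-week notice window is flagged for the daily monitoring Ray describes (high risk). The roles, users, grants and dates are constructed.

```python
"""Audit effective grants against role definitions and HR termination dates.
ROLES, USERS and GRANTS are constructed; a real run would pull them from the
identity provider, the HR feed and the application's permission store."""
from datetime import date

ROLES = {  # what each job role is allowed to touch
    "analyst": {"reports:read", "tickets:read"},
    "dba":     {"db:prod:admin", "db:prod:read", "tickets:read"},
    "hr":      {"hr:records:read", "hr:records:write"},
}
USERS = {  # HR feed: role, plus a termination date once notice is given
    "alice": {"role": "analyst", "terminated": None},
    "bob":   {"role": "dba",     "terminated": None},
    "carol": {"role": "hr",      "terminated": date(2023, 3, 31)},  # already left
    "dave":  {"role": "analyst", "terminated": date(2023, 4, 14)},  # gave notice
}
GRANTS = {  # effective grants as the application sees them
    "alice": {"reports:read", "tickets:read", "db:prod:read"},  # db:prod:read is not in her role
    "bob":   {"db:prod:admin", "db:prod:read", "tickets:read"},
    "carol": {"hr:records:read", "hr:records:write"},           # still active after leaving
    "dave":  {"reports:read", "tickets:read"},
}


def audit(users, grants, roles, today, notice_window_days=14):
    """Return (user, category, detail) findings.

    stale:     grant still active after the termination date (disable now)
    high_risk: leaving within notice_window_days; add to the monitored group
    excess:    grant the user's role does not include (least privilege)
    """
    findings = []
    for user, info in users.items():
        held, term = grants.get(user, set()), info["terminated"]
        if term is not None and term < today:
            findings += [(user, "stale", g) for g in sorted(held)]
            continue  # the account should be gone; nothing else to assess
        if term is not None and (term - today).days <= notice_window_days:
            findings.append((user, "high_risk", f"leaves {term.isoformat()}"))
        allowed = roles.get(info["role"], set())
        findings += [(user, "excess", g) for g in sorted(held - allowed)]
    return findings

def run_sample(today_iso="2023-04-03"):
    """Run the audit over the constructed data as of the given ISO date."""
    return audit(USERS, GRANTS, ROLES, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for user, category, detail in run_sample():
        print(f"{user:<6} {category:<9} {detail}")
```

A user whose role is unknown to ROLES has every grant reported as excess, which surfaces accounts that were never mapped to a role at all.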
