Employees, contractors and business partners are all examples of what is commonly known as the insider threat – an internal threat actor that can access, leak or steal company data. Insider threats present one of the biggest risks to businesses today. According to the 2018 Insider Threat report, 90% of organisations are vulnerable to insider threats, and more than 50% have experienced an insider attack in the last year. Take Tesla – earlier this year, the company suffered a data leak at the hands of a disgruntled employee, who made changes to company source code and exported gigabytes of proprietary data to unknown third parties.
Education as protection: Mitigating the insider threat
The insider threat can be difficult to catch because these are people who have legitimate access to the network. Plus, BYOD and the cloud have made the traditional network perimeter obsolete, meaning that it is more difficult for IT teams to track where company data is going and who is using it. To protect against these sorts of threats, it helps to have an understanding of what they look like. There are two key types of insider threats:
The malicious insider
This is typically a disgruntled employee who looks to steal or leak company data out of greed or even spite, as was the case in the Tesla data breach. The malicious insider is dangerous and hard to catch for a number of reasons:
- Insider privilege: They do not have to go through the process of trying to gain access to the company’s system. They are already inside. Depending on their job role and the organisation’s access control policies, the malicious insider might also have legitimate access to sensitive data, making it very easy for them to copy, move and exfiltrate it.
- Avoiding tripwires: Malicious insiders do not need to install malware or exploit a vulnerability to carry out their theft. This means that they are far less likely to trip any security alerts. With their knowledge and familiarity with the system, they can also work quickly and stealthily to steal data.
- Exfiltration methods: External actors are usually limited to exfiltrating data via a command and control tunnel. Insiders, on the other hand, have a host of options, such as downloading confidential information to a USB stick, uploading IP (intellectual property) to the cloud or sharing sensitive files via WhatsApp. With no data-centric security solution in place, malicious insiders could exfiltrate data through any of the above methods without the system administrator even being alerted.
The careless insider
Unlike the malicious insider, careless insiders do not intentionally steal or leak company data – they do so by accident. The careless insider is actually more of a pressing issue than the malicious insider because every employee has the capacity to make mistakes, and just one wrong click of a button is all that’s needed for severe consequences.
For example, one of the most common types of careless insider is the employee who clicks on a phishing link in an email. They receive an email that they think is legitimate when actually it’s an email from a hacker. When the careless employee clicks on the link in the email, malware is downloaded onto the device and permeates the company network. Earlier this year, Butlins announced that 34,000 guests at its resorts may have had their personal information stolen by hackers because of a phishing scam like this. Other instances of the careless insider include the employee who leaves a USB stick with sensitive data on public transport or the employee who visits an infected website.
Insider data leak causes trouble for major supermarket chain
What can be done?
With their knowledge of the network and access to company data, preventing a malicious insider from carrying out data theft can be difficult. However, data-centric security technologies can go a long way in reducing the likelihood of these attacks. These solutions prevent employees from copying, moving or deleting data unless they have given specific permission or approval to do so. These solutions can also redact sensitive data from being sent in an email and will alert the system administrator to any attempts to move sensitive data so that this can be investigated. User behaviour analytics (UEBA) solutions can also be helpful in identifying malicious insiders in action. For example, if an employee suddenly uses multiple USB devices and copies whole directories onto them, the UEBA solution would flag this to the system administrator as a cause for concern.
For careless insiders, the above solutions definitely play a role, but training is also needed. Security awareness campaigns can go a long way in making employees more conscious of cybersecurity as they go about their day to day work. While training will never be 100% effective in stopping careless insiders, it can dramatically reduce the number of mistakes they make.
Ultimately, organisations must make sure that they are aware of, and defending against, insider threats. While it is important to protect against external attackers, it is far more likely that organisations will face a breach due to a malicious or careless insider. By taking a data-centric focus to security, combined with training, organisations can dramatically reduce the risk of an insider threat exfiltrating their sensitive data.
>See also: Insider threat: most security incidents come from the extended enterprise
Written by Jan van Vliet, VP and GM EMEA at Digital Guardian