A recent study found that federal agencies are setting up formal insider threat prevention programs at a much higher rate than two years ago (86 percent of respondents said they had set up programs, compared to 55 percent two years ago), but aren't making much progress in actually deterring threats.
Despite more efforts to combat the threat, agencies are still falling victim to attacks, with 42 percent having been targeted by cyber incidents perpetrated by insiders (either malicious or unintentional), compared to 45 percent in 2015, according to MeriTalk's Inside Job: The Sequel report.
Many of the respondents reported that threats are becoming more challenging than ever because of the growing number of cloud-based systems, which make threats harder to detect, the multiplication of endpoints, and remote workforces.
Risks also increase because not all insider threat programs are created equal: many of them lack formal threat detection protocols, formal threat response protocols, and systems for reporting and maintaining records on potential or actual insider threat incidents.
Uneven efforts and “cloud confusion” are making it harder to secure platforms, and researchers found that agencies that have lost data to insider incidents are much less likely to have basic security measures such as incident response systems, continuous monitoring, and data loss prevention.
More cloud-based systems have also made it harder to detect threats with 67 percent of respondents saying the adoption of cloud-based systems increases the risk for mass data loss due to human error.
Fifty-three percent said the increase in cloud usage adds complexity and more systems to manage, 48 percent said it makes it difficult to monitor all endpoints, 41 percent said a lack of preventative measures makes it more difficult, and another 41 percent said it makes it difficult to implement and enforce identity and access management policies.
“The majority of respondents said that the increasing number of cloud-based systems has made insider threats more difficult to detect,” Chris Townsend, vice president, Federal, at Symantec, told SC Media. “Federal agencies are working hard to address the insider threat challenge, but even as they do so, the problem is getting more complex as boundaries dissolve and more and more systems and information move to the cloud.”
To combat these challenges, federal IT programs should prepare for cloud complications.
Federal agencies can minimize data loss when faced with insider threats by limiting access points, adopting multi-factor authentication, adopting and expanding real-time activity monitoring, and classifying data and implementing data loss prevention capabilities.
Unfortunately, some of these are easier said than done, particularly when it comes to securing multiple access points.
Townsend said it's not easy, with agencies having more and more devices accessing the network from many locations, and that as environments become more complex, real-time activity monitoring becomes more difficult as well.
He said that many agencies are investing heavily in shoring up their perimeter and trying to build an impenetrable wall, but then neglect to enforce basic encryption policy around personnel records or use data loss prevention (DLP) technology that would restrict someone from reading content if they were able to access it without authorization.
“Even with the best perimeter and endpoint security, there is the possibility that someone will find a way in, or that they're already in,” Townsend said. “If we can't control our walls, we need to look at how we put appropriate protection around the content behind those walls.”
This involves implementing data loss prevention (DLP) technology, ensuring greater accountability for vetting and issuing identity credentials, using multi-factor authentication, and enforcing encryption policy – regardless of where content lives, on premises or in the cloud, he said.
He added that some agencies haven't implemented these solutions across their environment because they are more focused on perimeter security while others may have implemented the solutions, but don't have them configured or updated appropriately.
“Employee education is a big piece of the puzzle,” Townsend said. “Many insider threats are the result of well-meaning employees making an innocent mistake – by falling victim to a phishing scheme, using unapproved cloud apps to work more productively, or unwittingly sharing information that they shouldn't.”
One of the reasons federal agencies are falling behind in these key areas is that most agencies prioritize securing their “trusted environment” from outside threats while failing to consider that a malicious inside actor is almost always more damaging.
IT departments also need to take into consideration the uptick in phishing attacks and educate their employees about how to avoid them, because these also present insider threats that are often overlooked.
“We encourage organizations to do a full assessment of their security environment and processes against a proven framework like the NIST Cybersecurity Framework (CSF) to evaluate their risk and identify any gaps,” Townsend said. “They should start with what they have – using existing tools to the greatest extent possible – and then make investments only where necessary.”