Today’s columnist, Lucia Milică of Proofpoint, says as companies shifted to work-from-home during the pandemic, security pros had to focus more on insider threats, sometimes caused by harried parents juggling work and family responsibilities.

The pandemic has challenged CISOs worldwide to adapt their security strategies—often years early—to create a safe work-from-home environment. But this shift has caused a growing risk: the insider threat.

We often think of insider threats as malicious employees bent on doing harm. While that’s often the case, more than 60 percent are simply the result of negligent employees. Their intentions are typically not bad, but employee mistakes can do profound damage to their employers.

A 2020 Ponemon Institute study found that the average cost of insider threats rose 31 percent in just two years to $11.45 million. The frequency of incidents spiked 47 percent during the same time. The average time to contain an incident runs at 77 days, with incidents that took over 90 days to contain costing an average of $13.71 million per year to mitigate. The longer the time, the higher the risk. And most organizations are ill-prepared for this, as their security measures are commonly outward-facing.

Identify negligent, compromised, and malicious insiders

To identify negligent behavior, security teams should look for indicators of poor data hygiene like storing passwords in text files, databases exposed to the external internet, questionable Wi-Fi connections, unsanctioned application use, and sidestepping security restrictions. Negligent employees are also often unaware or lax about security processes and decide to cut corners just to get their jobs done faster.

Compromised users behave differently. Since they are often not the most tech-savvy or highly authorized employees, they can get compromised by an external attacker with greater sophistication or authorization. Once an intruder infiltrates the network through a compromised employee, they will usually hide important data and then cover their tracks. So, look for suspicious activity such as discovering valuable assets, accessing those target assets, and data exfiltration preparation.

When faced with deliberately malicious users, it’s vital that security teams construct a timeline of technical activity that includes preparation for data exfiltration and intentional cover-ups. These offenders will often display harmful offline motivations, such as revenge or anger aimed at causing harm.

CISOs need to promptly identify risky behavior and determine whether that threat warrants additional research. Security teams drowning in overbroad alerts will not have time to identify and focus on the most important indicators.
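The three preceding passages describe indicators (plaintext credential files, unsanctioned applications), a compromised-user sequence (discovery, access to target assets, exfiltration preparation) and the need to surface only the indicators that matter. The following added example, written for this page and not code from Proofpoint or the author, shows how a defender can turn those ideas into a per-user timeline with stateful correlation and a simple risk score. The audit events, action names, asset prefixes and weights are all constructed for illustration; a real deployment would take them from the organization’s risk assessment and the audit source’s own schema.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs): (user, ISO timestamp, action, target).
SAMPLE_EVENTS = [
    ("alice", "2021-03-01T09:02:00", "file_write", "C:\\Users\\alice\\Desktop\\passwords.txt"),
    ("alice", "2021-03-01T09:10:00", "app_launch", "unsanctioned:personal-sync-client"),
    ("carol", "2021-03-02T10:00:00", "file_read", "\\\\fileserver\\finance\\q4-forecast.xlsx"),
    ("bob", "2021-03-02T22:05:00", "share_enum", "\\\\fileserver"),
    ("bob", "2021-03-02T22:12:00", "file_read", "\\\\fileserver\\finance\\q4-forecast.xlsx"),
    ("bob", "2021-03-02T22:40:00", "archive_create", "C:\\Temp\\export.zip"),
    ("bob", "2021-03-02T22:45:00", "usb_write", "E:\\export.zip"),
]

# Hypothetical asset inventory, action vocabulary and weights; in practice these
# come from the risk assessment (which assets matter, who may touch them).
SENSITIVE_PREFIXES = ("\\\\fileserver\\finance",)
DISCOVERY_ACTIONS = {"share_enum", "ldap_query", "dir_listing"}
STAGING_ACTIONS = {"archive_create", "usb_write", "cloud_upload"}
NEGLIGENCE_RULES = {
    "plaintext_credentials": lambda a, t: a == "file_write" and "password" in t.lower(),
    "unsanctioned_app": lambda a, t: a == "app_launch" and t.startswith("unsanctioned:"),
}
WEIGHTS = {"negligent": 3, "compromised_or_malicious": 10}


@dataclass
class Event:
    user: str
    ts: datetime
    action: str
    target: str


def build_timelines(rows):
    """Group raw rows per user and order each user's events by time."""
    timelines = defaultdict(list)
    for user, ts, action, target in rows:
        timelines[user].append(Event(user, datetime.fromisoformat(ts), action, target))
    for events in timelines.values():
        events.sort(key=lambda e: e.ts)
    return dict(timelines)


def assess_user(timeline, window=timedelta(hours=2)):
    """Return (category, indicator, timestamp) findings for one user's ordered timeline."""
    findings = []
    # Stateless negligence indicators: every matching event is its own finding.
    for e in timeline:
        for name, rule in NEGLIGENCE_RULES.items():
            if rule(e.action, e.target):
                findings.append(("negligent", name, e.ts))
    # Stateful sequence: discovery -> sensitive access -> staging, all inside one window.
    # A lone sensitive read (carol below) never reaches a finding, which keeps alerts narrow.
    stage, start = 0, None
    for e in timeline:
        if start is not None and e.ts - start > window:
            stage, start = 0, None  # sequence went stale; start over
        if stage == 0 and e.action in DISCOVERY_ACTIONS:
            stage, start = 1, e.ts
        elif stage == 1 and e.action == "file_read" and e.target.startswith(SENSITIVE_PREFIXES):
            stage = 2
        elif stage == 2 and e.action in STAGING_ACTIONS:
            findings.append(("compromised_or_malicious", "discover_access_stage", e.ts))
            stage, start = 0, None
    return findings


def triage(rows):
    """Score every user; return (user, score) pairs, highest risk first, zero scores dropped."""
    scores = []
    for user, timeline in build_timelines(rows).items():
        score = sum(WEIGHTS[cat] for cat, _, _ in assess_user(timeline))
        if score:
            scores.append((user, score))
    return sorted(scores, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for user, score in triage(SAMPLE_EVENTS):
        print(f"{user}: risk score {score}")
```

Run on the constructed events, bob surfaces first because his discovery, sensitive read and archive creation fall within one two-hour window, alice scores lower on two negligence indicators, and carol, who read the same finance file with no surrounding discovery or staging, produces no finding at all. The sequence check is what separates a prioritized queue from the overbroad alerts the column warns about: matching any single action would fire on every legitimate read of a sensitive share.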

Use a people-centric strategy to circumvent insider risk

Stopping insider incidents requires a comprehensive strategy strongly focused on governance, risk, and compliance (GRC) followed by people, processes, and technology. Use a GRC strategy to establish an initial operating capacity, define the organization’s leadership and resources, establish governance policies informed by legal counsel, create a roadmap, and determine a user-activity monitoring approach. Follow this roadmap:

People: Because most successful attacks require human involvement, make the company’s employees the heart of the strategy. Companies need visibility into user and file activity at all levels. It’s vital to understand the “how” and “why” of a user’s behavior to determine intent and threats.

Conduct a risk assessment to identify the company’s most important assets and data, determine who can access them, and audit the controls in place. Limit who accesses sensitive information and for how long. Extend the assessment beyond employees to include contractors, third parties, and supply chain partners. Insider risk management requires the ability to identify potential insider activity across different departments, applications, and systems.

Increasing security awareness can by itself help to curtail insider threats. Offer frequent, customized security training programs not only to employees but also to contractors and third parties who have access to the company’s sensitive data and critical systems.

Process: Establish an insider threat management (ITM) investigation process that will complement the company’s watchlists. While initial processes might evolve, the company needs a solid foundation to shape additional functionality and ensure consistency.

Technology: Work smarter, not harder. The company’s technology should enhance its GRC goals and objectives. Be sure the team can differentiate between malicious acts, negligent behavior, and compromised accounts. User intelligence will also offer context and streamline responses based on the incident.

Keep in mind that protecting against insider risk requires a team effort. Work with the leading stakeholders from other departments to identify potential insiders, including human resources, IT, facilities/operations, and legal. Ultimately, data doesn’t just get up and walk away – it requires a malicious, negligent, or compromised user to commit harm.

Lucia Milică, Global Resident CISO, Proofpoint, Inc.