Enforce the zero-trust principle of least privilege. Companies need to actively monitor their organization’s network and control identity and access management at all times to mitigate any willful or unintentional harm. Least privilege access means that the company will grant users only the level of access needed to get the job done. By assigning exactly the permissions that each employee or third-party contractor needs, security teams limit access to the valuable data that malicious actors are seeking.
Reduce the number of privileged accounts. Privileged access accounts are the highest value targets for attackers, as they offer access to a company’s most valuable data. All too often, user permissions spiral out of control as companies grow, with too many users granted privileges beyond what their job requires. By limiting the number of super-user accounts to only those employees who really need it, the company can reduce the risk of a malicious actor getting their hands on the company’s valuable PII and customer data.
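The two recommendations above can be checked mechanically: compare what each account is actually granted against the minimum set its role needs, and list who holds privileged rights. The script below is an added illustration, not code from the original article; the role names, permission strings and accounts are constructed, and the baseline and privileged sets are hypothetical.

```python
"""Least-privilege audit: flag over-granted permissions and count privileged accounts.

Added example with constructed data; the role baseline and permission names are
hypothetical and stand in for whatever an organization's IAM export would contain.
"""
from dataclasses import dataclass

# Constructed role baseline: the minimum permission set each role needs to do its job.
ROLE_BASELINE = {
    "support": {"tickets:read", "tickets:write", "customers:read"},
    "developer": {"repo:read", "repo:write", "ci:run"},
    "dba": {"db:read", "db:write", "db:admin"},
}

# Constructed set of permissions that count as "privileged" for reporting.
PRIVILEGED = {"db:admin", "iam:admin", "billing:admin"}


@dataclass
class Account:
    user: str
    role: str
    granted: set


def excess_permissions(acct):
    """Return the permissions granted beyond what the account's role baseline allows."""
    baseline = ROLE_BASELINE.get(acct.role, set())
    return sorted(acct.granted - baseline)


def audit(accounts):
    """Return a dict user -> excess permissions, covering only over-granted accounts."""
    report = {}
    for acct in accounts:
        extra = excess_permissions(acct)
        if extra:
            report[acct.user] = extra
    return report


def privileged_accounts(accounts):
    """Return the sorted names of accounts holding any privileged permission."""
    return sorted(a.user for a in accounts if a.granted & PRIVILEGED)


# Constructed accounts: two of them carry rights their role does not need.
SAMPLE_ACCOUNTS = [
    Account("alice", "support", {"tickets:read", "tickets:write", "customers:read"}),
    Account("bob", "developer", {"repo:read", "repo:write", "ci:run", "db:admin"}),
    Account("carol", "dba", {"db:read", "db:write", "db:admin"}),
    Account("contractor-1", "support", {"tickets:read", "customers:read", "iam:admin"}),
]

if __name__ == "__main__":
    for user, extra in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: excess permissions {extra}")
    print("privileged accounts:", privileged_accounts(SAMPLE_ACCOUNTS))
```

Run against a real IAM export, the `audit` output is the list to review with each team lead, and the `privileged_accounts` list is the one to shrink over time; a contractor holding an admin right that no support role needs is exactly the case the text warns about.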
Manage the offboarding of all users. This includes employees who are terminated, leave willingly, or change roles or projects within the company. Many organizations use manual systems that are inefficient and result in abandoned or orphan accounts, allowing disgruntled users like the N.Y. credit union ex-employee to access and destroy sensitive corporate data. IT teams need to automatically terminate all of an employee’s credentials when they leave the company, and with today’s remote or hybrid work that applies above all to a user’s remote access credentials.
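The orphan-account problem described above is a reconciliation task: every enabled account should map to a current person in the HR system, and remote access should be the first thing revoked when it does not. The following is an added example, not the article's own code; the HR roster, directory export and the `vpn` attribute are constructed stand-ins for whatever HR and directory exports an organization actually has.

```python
"""Offboarding reconciliation: find orphan accounts and plan their revocation.

Added example with constructed data. HR_ROSTER and DIRECTORY are hypothetical
exports; the "vpn" flag stands for any remote access entitlement.
"""
from datetime import date, timedelta

# Constructed HR roster: who currently works here and who has been terminated.
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob": {"status": "terminated", "end_date": date(2024, 3, 1)},
    "carol": {"status": "active", "end_date": None},
}

# Constructed directory export: enabled flag, remote access flag and last login.
DIRECTORY = {
    "alice": {"enabled": True, "vpn": True, "last_login": date(2024, 3, 10)},
    "bob": {"enabled": True, "vpn": True, "last_login": date(2024, 3, 9)},
    "carol": {"enabled": True, "vpn": False, "last_login": date(2024, 3, 10)},
    "svc-legacy": {"enabled": True, "vpn": True, "last_login": date(2023, 6, 1)},
}


def find_orphans(roster, directory, today, stale_days=90):
    """Return (account, reason) pairs for enabled accounts with no valid owner or no recent use.

    Order of checks: unknown owner, terminated owner, then long inactivity.
    """
    findings = []
    for name, attrs in directory.items():
        if not attrs["enabled"]:
            continue
        person = roster.get(name)
        if person is None:
            findings.append((name, "no HR owner"))
        elif person["status"] == "terminated":
            findings.append((name, f"owner terminated on {person['end_date'].isoformat()}"))
        elif today - attrs["last_login"] > timedelta(days=stale_days):
            findings.append((name, f"inactive for more than {stale_days} days"))
    return findings


def disable_plan(findings, directory):
    """Return the ordered actions an automated offboarding job would take.

    Remote access is revoked before the account itself is disabled, so an
    attacker using a stale remote credential loses the door first.
    """
    actions = []
    for name, reason in findings:
        if directory[name]["vpn"]:
            actions.append(f"revoke vpn {name} ({reason})")
        actions.append(f"disable account {name} ({reason})")
    return actions


if __name__ == "__main__":
    found = find_orphans(HR_ROSTER, DIRECTORY, today=date(2024, 3, 11))
    for action in disable_plan(found, DIRECTORY):
        print(action)
```

The service account with no HR owner is the quiet case that manual offboarding misses: nobody leaves, so nobody thinks to remove it. A scheduled job running this reconciliation catches both that case and the terminated employee whose account was never disabled.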
Monitor user behavior. Use AI anomaly detection to continuously analyze behavior patterns and make sure there’s no identity theft happening inside or outside of the network. Build user and systems usage profiles, and accurately detect changes in user behavior. This includes anomalies related to the number of sessions or their duration, or biometric analysis of mouse movements, so the security team knows that the session was taken over by an unauthorized user and can move to block it.
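The session-count and session-duration anomalies mentioned above are the simplest behavioral signal to build: keep a per-user baseline and alert when a day deviates from that user's own history. The script below is an added example rather than anything from the article; the log line format and the values in it are constructed, and the z-score threshold is a hypothetical tuning choice.

```python
"""Per-user behavioral baseline: flag days whose session count or duration deviates sharply.

Added example with constructed log lines. The line format
"<date> user=<name> sessions=<n> avg_minutes=<m>" is hypothetical.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily summaries: alice has five normal days and then a suspicious one.
LOG_LINES = """
2024-03-04 user=alice sessions=3 avg_minutes=45
2024-03-05 user=alice sessions=4 avg_minutes=50
2024-03-06 user=alice sessions=3 avg_minutes=40
2024-03-07 user=alice sessions=4 avg_minutes=55
2024-03-08 user=alice sessions=3 avg_minutes=48
2024-03-11 user=alice sessions=14 avg_minutes=240
2024-03-04 user=bob sessions=2 avg_minutes=30
2024-03-05 user=bob sessions=2 avg_minutes=35
2024-03-06 user=bob sessions=3 avg_minutes=30
2024-03-07 user=bob sessions=2 avg_minutes=32
2024-03-08 user=bob sessions=2 avg_minutes=30
2024-03-11 user=bob sessions=3 avg_minutes=33
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<date>\S+) user=(?P<user>\S+) sessions=(?P<sessions>\d+) avg_minutes=(?P<minutes>\d+)$"
)


def parse(lines):
    """Group (date, sessions, avg_minutes) rows by user; malformed lines are skipped."""
    by_user = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        by_user[m["user"]].append((m["date"], int(m["sessions"]), int(m["minutes"])))
    return by_user


def zscore(value, history):
    """Standard score of value against the user's own history.

    A flat history (zero spread) makes any different value infinitely anomalous.
    """
    if len(history) < 2:
        return 0.0
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def detect(lines, threshold=3.0, min_history=5):
    """Return one alert per user-day whose session count or duration exceeds the threshold.

    Only days after the first `min_history` observations are scored, so the
    baseline is built from that user's own earlier behavior.
    """
    alerts = []
    for user, rows in parse(lines).items():
        rows.sort()  # ISO dates sort chronologically as strings
        for i in range(min_history, len(rows)):
            history = rows[:i]
            day, sessions, minutes = rows[i]
            zs = zscore(sessions, [r[1] for r in history])
            zm = zscore(minutes, [r[2] for r in history])
            if zs >= threshold or zm >= threshold:
                alerts.append({"user": user, "date": day,
                               "sessions_z": round(zs, 1), "minutes_z": round(zm, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

Bob's slightly busier day stays under the threshold because it is within his own normal spread; alice's fourteen sessions averaging four hours are far outside hers. The same shape extends to other features the text mentions, such as source network or working hours, by adding a column and a z-score per feature.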
Train the staff. Companies that conduct ongoing and varied security training of their employees, starting at onboarding and continuing with regularly scheduled updates, stand the greatest chance of keeping negligent or accidental actors from causing unintentional harm. Studies show that as many as 20% of employees are susceptible to social engineering, especially phishing campaigns. The most effective security awareness programs use a wide range of simulated campaigns to help employees identify the most common forms of phishing attacks, as well as the most effective cyber hygiene to minimize security risks.