A Tesla car sits parked at a Tesla Supercharger on September 23, 2020 in Petaluma, Calif. Today’s columnist, Sascha Fahrbach of Fudo Security, says when it comes to insider threats, companies can’t depend on what happened at Tesla, where an insider opted not to take a $1 million bribe and ultimately worked with the FBI. Fahrbach lays out a five-point plan to prevent insider threats. (Photo by Justin Sullivan/Getty Images)

Most security teams focus on threats that come from the outside: hackers, malware and nation-states. Organizations don’t always realize that much of their potential security risk stems from insiders.

Just last month, acting in revenge after being fired, a former employee of a New York credit union pleaded guilty to accessing the financial institution's computer systems without authorization and destroying more than 21 gigabytes of data.

Some 20,000 documents were destroyed within 40 minutes. 

Last March, a disgruntled IT contractor was sentenced to two years in jail for hacking his ex-employer and deleting 1,200 Microsoft Office 365 accounts. Employees couldn’t access email, contact lists, meeting calendars, and documents, and customers and vendors were unable to reach the company for days.

Unfortunately, the more users, staff, and third-party contractors that gain access to sensitive company data, the more difficult it becomes to guarantee the security and integrity of valuable files and assets. 

In fact, the risk from insider threats has grown so great that just recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a new tool that helps organizations assess their vulnerability to insider threats and devise a plan to mitigate these risks.

Are all insider threats alike? Absolutely not.

Malicious insiders are the most dangerous type, and ex-employees are the most common example: they actively look to extract PII or intellectual property, or to damage the company in acts of revenge. These insiders are also often financially motivated, and a current employee can be recruited by an outsider. Remember when a Tesla employee was offered $1 million to install malware on the company’s network? Luckily for Tesla, the employee contacted the FBI instead.

Negligent actors are individuals who are uneducated or unaware of potential security threats. They often bypass protocols or find workarounds to security policies to meet deadlines and complete their tasks faster. They are also highly vulnerable to social engineering. This category also includes third-party contractors or suppliers who are connected to an organization and could inadvertently cause a breach.

It goes without saying that people make mistakes. Accidental actors are employees or untrained contractors who make simple, honest mistakes such as turning off the wrong servers or leaving a backdoor open. Usually these actions stem from a lack of experience or training, and they offer helpful, if costly, insight into where security policies or training programs need work.

Fortunately, there are many ways that enterprises can protect their data, company brand, and reputation.  Here are five ways to prevent insider threats:  

  • Enforce the zero-trust principle of least privilege. Companies need to actively monitor their organization’s network and control identity and access management at all times to mitigate any willful or unintentional harm. Least privilege access means that the company will grant users only the level of access needed to get the job done. By assigning exactly the permissions that each employee or third-party contractor needs, security teams limit access to the valuable data that malicious actors are seeking.  
  • Reduce the number of privileged accounts. Privileged access accounts are the highest value targets for attackers, as they offer access to a company’s most valuable data. All too often, user permissions spiral out of control as companies grow, with too many users granted privileges beyond what their job requires. By limiting the number of super-user accounts to only those employees who really need it, the company can reduce the risk of a malicious actor getting their hands on the company’s valuable PII and customer data.
  • Manage the offboarding of all users. This includes employees who are terminated, leave willingly, or change roles or projects within the company. Many organizations use manual systems that are inefficient and result in abandoned or orphan accounts, allowing disgruntled users like the N.Y. credit union ex-employee to access and destroy sensitive corporate data. IT teams need to revoke all of a departing user’s credentials automatically, including VPN and other remote-access credentials, which matter all the more with today’s remote or hybrid work. Revocation has to cover active sessions, API keys and service-account passwords the user knew, not just the user’s own login, and a role change should trim access the same way a departure does.
  • Monitor user behavior. Use anomaly detection to continuously analyze behavior patterns and catch stolen or hijacked identities inside or outside the network. Build per-user and per-system usage profiles and detect changes against them: anomalies in the number of sessions or their duration, or behavioral biometrics such as mouse-movement analysis, so the security team knows that a session has been taken over by an unauthorized user and can block it.
  • Train the staff. Companies that conduct ongoing and varied security training of their employees, starting at onboarding and continuing with regularly scheduled updates, stand the greatest chance of keeping negligent or accidental actors from causing unintentional harm. Studies show that as many as 20% of employees are susceptible to social engineering, especially phishing campaigns. The most effective security awareness programs use a wide range of simulated campaigns to help employees identify the most common forms of phishing attacks, as well as the cyber hygiene that most effectively minimizes security risks.
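Two of the points above, offboarding reconciliation (orphaned and over-privileged accounts) and session-behavior baselining, can be turned into concrete checks. The script below is an added example written for this page; it is not code from the column or from Fudo Security, and the HR roster, directory export, group names, role policy and session log lines in it are all constructed for illustration. It flags accounts whose owner is no longer active in HR, accounts holding privileged group membership that their role does not justify, and per-user days whose session count or total session time deviates from that user's own history by a z-score of three or more.

```python
"""Added example, not from the column: offboarding reconciliation and
session-behaviour baselining over constructed data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed HR roster: who is currently employed and in what role.
HR_ROSTER = {
    "asmith": {"status": "active", "role": "sysadmin"},
    "bjones": {"status": "active", "role": "accountant"},
    "cdoe":   {"status": "terminated", "role": "it-contractor"},
    "dlee":   {"status": "active", "role": "helpdesk"},
}

# Constructed directory export: account name -> group memberships.
DIRECTORY = {
    "asmith": {"Domain Admins", "VPN Users"},
    "bjones": {"Domain Admins", "VPN Users"},       # privilege creep
    "cdoe":   {"VPN Users", "O365 Global Admins"},  # orphaned, still privileged
    "dlee":   {"VPN Users"},
    "svc-backup": {"Domain Admins"},                # no HR owner at all
}

PRIVILEGED_GROUPS = {"Domain Admins", "O365 Global Admins"}
ROLES_ALLOWED_PRIVILEGE = {"sysadmin"}  # assumed policy: only these roles need it


def find_orphaned_accounts(directory, roster):
    """Accounts with no active HR owner: terminated users or no owner at all."""
    return sorted(a for a in directory
                  if roster.get(a, {}).get("status") != "active")


def find_excess_privilege(directory, roster):
    """Accounts in a privileged group whose role does not justify it."""
    findings = []
    for acct, groups in directory.items():
        priv = groups & PRIVILEGED_GROUPS
        role = roster.get(acct, {}).get("role")
        if priv and role not in ROLES_ALLOWED_PRIVILEGE:
            findings.append((acct, sorted(priv)))
    return sorted(findings)


# Constructed session log: one line per completed session.
SESSION_LOG = """\
2024-03-04T09:01:10 user=bjones event=session_end duration_s=29100
2024-03-05T09:03:42 user=bjones event=session_end duration_s=28600
2024-03-06T08:58:07 user=bjones event=session_end duration_s=29900
2024-03-07T09:05:55 user=bjones event=session_end duration_s=28300
2024-03-08T09:00:31 user=bjones event=session_end duration_s=29400
2024-03-09T22:14:03 user=bjones event=session_end duration_s=3600
2024-03-09T22:40:12 user=bjones event=session_end duration_s=2700
2024-03-09T23:02:20 user=bjones event=session_end duration_s=4100
2024-03-09T23:25:09 user=bjones event=session_end duration_s=3900
2024-03-09T23:51:44 user=bjones event=session_end duration_s=3700
2024-03-04T09:00:00 user=dlee event=session_end duration_s=27000
2024-03-05T09:00:00 user=dlee event=session_end duration_s=27600
2024-03-06T09:00:00 user=dlee event=session_end duration_s=26800
"""


def parse_sessions(log_text):
    """Parse 'timestamp key=value ...' lines into (user, day, duration_s)."""
    sessions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("event") == "session_end":
            sessions.append((kv["user"], ts[:10], int(kv["duration_s"])))
    return sessions


def daily_profiles(sessions):
    """user -> day -> {'sessions': n, 'total_duration_s': seconds}."""
    prof = defaultdict(lambda: defaultdict(
        lambda: {"sessions": 0, "total_duration_s": 0}))
    for user, day, dur in sessions:
        prof[user][day]["sessions"] += 1
        prof[user][day]["total_duration_s"] += dur
    return prof


# Floor on the standard deviation so a perfectly regular history does not
# turn every tiny deviation into an infinite z-score.
STD_FLOOR = {"sessions": 1.0, "total_duration_s": 1800.0}


def flag_session_anomalies(sessions, threshold=3.0):
    """Leave-one-out z-score per user/day/metric; |z| >= threshold is flagged.
    Returns (user, day, metric, value, z) tuples."""
    findings = []
    for user, days in daily_profiles(sessions).items():
        for day, metrics in sorted(days.items()):
            others = [m for d, m in days.items() if d != day]
            if len(others) < 2:
                continue  # not enough history to baseline against
            for metric, floor in STD_FLOOR.items():
                hist = [o[metric] for o in others]
                z = (metrics[metric] - mean(hist)) / max(pstdev(hist), floor)
                if abs(z) >= threshold:
                    findings.append((user, day, metric, metrics[metric], round(z, 2)))
    return findings


if __name__ == "__main__":
    print("Orphaned accounts:", find_orphaned_accounts(DIRECTORY, HR_ROSTER))
    print("Excess privilege:", find_excess_privilege(DIRECTORY, HR_ROSTER))
    for finding in flag_session_anomalies(parse_sessions(SESSION_LOG)):
        print("Session anomaly:", finding)
```

In a real deployment the roster and directory export would come from the HR system and the identity provider, and the orphan list would feed the automated revocation step rather than a report. The leave-one-out baseline matters: if the anomalous day were included in its own baseline, a handful of burst days would quickly raise the mean and hide the very behavior the check is meant to catch.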

Insider threats are a serious risk to any organization, especially with today’s remote and hybrid work environments. Experienced security teams understand that insiders can do more serious harm than external attackers, as they already have access to systems and a much greater window of opportunity. Start putting in place effective tools and practices to prevent insider attacks. No one wants to read in the next day’s headlines that they have become the latest company where an ex-employee deleted all of their customer accounts.

Sascha Fahrbach, cybersecurity evangelist, Fudo Security