
The inside scoop on insider threats

Cybercriminals continue to develop new attack methods that pose a serious risk to enterprise security, but they are not the only threat enterprises need to defend against. Employees, whether well-meaning but careless or acting with malicious intent, pose a comparable risk. In fact, insider threats are among the leading causes of data breaches.

Verizon's 2019 Data Breach Investigations Report (DBIR) found that approximately 34% of breaches involved internal actors. Additionally, a recent survey of IT professionals about insider threats revealed that 59% of respondents' organizations had experienced at least one insider attack over the previous 12 months, and that only half of those organizations provide user training on insider threats. While protecting data from malicious external actors is typically top of mind, organizations must also defend against negligent or disgruntled insiders.

Take a look in the mirror

With roughly one in three breaches involving internal actors, greater focus must be put on securing data from insider threats. Below are a few examples of companies that have recently experienced data breaches involving insiders or other trusted parties. Let's take a closer look at what occurred and what companies can do to avoid a similar fate.

  • Mitsubishi Electric disclosed a breach dating back to June 2018. The intrusion was traced to a compromised employee account, which the attackers used as an initial foothold to escalate their access into Mitsubishi Electric's internal systems. Ultimately, they reached the networks of around 14 company departments, including sales and the head administrative office, and exfiltrated about 200 MB of files consisting mostly of business documents.
  • Nordstrom suffered a data breach in which a wide range of personal information – such as Social Security numbers, addresses, and financial account details – was exposed. In Nordstrom’s case, this breach was the result of a contracted employee mishandling data. Companies must take into account that data leaks can occur through not just employees, but contractors, partners, customers, or anyone who is granted access to sensitive data.
  • Quest Diagnostics said that a potential breach at its billing collections vendor exposed the financial and medical information of its patients. An unauthorized user accessed the American Medical Collection Agency (AMCA) system, which contained information that AMCA had received from Quest Diagnostics.
  • A successful email phishing campaign exposed Social Security numbers and personal health information for clients of the Oregon Department of Human Services (DHS). Nine employees opened a phishing email and clicked on a link that gave the sender access to their email accounts.

How organizations can avoid becoming a statistic

Companies need to do everything in their power to protect the organization from a potential intrusion or data leak. In many enterprises, user behavior in the cloud is not monitored, appropriate data protection tools are not in use, and personal devices are not properly secured. Each of these gaps makes it harder to detect, remediate and assess the damage done by insider threats. Organizations should follow the best practices below to prevent security incidents caused by internal threats:

  • Training: As the survey revealed, there is a training gap regarding insider threats. Educating employees is crucial for all cybersecurity matters, but especially insider threats. Organizations should regularly train employees on good password hygiene and how to detect and avoid phishing emails. Employee training will look different across organizations depending on the company's business needs, how they operate, and who has access to sensitive data.
  • Identity and Access Management: Enterprises need a solution in place to authenticate employees' identities, detect anomalous activity, and address additional mobile security threats. This can be done by implementing security controls that enforce multi-factor authentication (MFA) and user and entity behavior analytics (UEBA). Whether users are careless, malicious, or have unwittingly surrendered their credentials to an attacker through a phishing scheme, UEBA is a critical tool for protecting enterprise resources: it builds a per-user baseline of normal activity (typical working hours, locations, devices and data volumes) through machine learning and flags departures from that baseline, such as a login from a new country or a download far larger than the user's usual volume. The minimum requirement for basic identity and access management in cloud and BYOD environments is Single Sign-On (SSO): a single entry point that authenticates users across all of an enterprise's cloud applications, so that MFA and session policies are enforced in one place rather than separately in each application.
  • Data Loss Prevention (DLP): While the public cloud offers significant business benefits, especially where employees work remotely, the move to the cloud is not without data leakage concerns, made worse by the ease with which data can be shared beyond your organization or downloaded to unmanaged devices. DLP inspects data in motion and at rest for sensitive content (for example, Social Security numbers or payment card numbers) and enforces policy on it in real time, blocking, quarantining, encrypting or alerting on uploads, downloads and external shares, so that information can be moved to the public cloud without losing control of it.
  • Selective Data Wipe: This allows administrators to wipe all corporate data off of a device without affecting the personal data stored therein.
  • Encryption of Data: Managing different encryption policies and approaches to encryption becomes very difficult as organizations adopt cloud applications. Companies should always encrypt sensitive data, even when it is used only for internal purposes, so that the data remains unreadable to anyone without the key even if a copy leaves the enterprise's control. Additionally, companies should employ a bring-your-own-key (BYOK) approach so that they, rather than the cloud provider, hold and control the encryption keys and can revoke access by withdrawing the key.
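The UEBA point above (baseline normal behavior per user, then flag departures) is easier to see in code. The following is an added example written for this article, not Bitglass code or any vendor's product, and it uses constructed sample events rather than real logs. Field names (user, hour, country, action, bytes) and the thresholds (one hour of slack around observed working hours, three standard deviations on download size) are assumptions chosen for illustration.

```python
"""Minimal UEBA-style anomaly scoring over constructed cloud-access events.

Added example for illustration; not vendor code. Sample data is constructed.
"""
import statistics
from collections import defaultdict

# Constructed sample data (not real logs): 30 days of "normal" activity for two
# users. Fields: user, hour of day (UTC), source country, action, bytes moved.
BASELINE_EVENTS = []
for day in range(30):
    BASELINE_EVENTS.append(("alice", 9 + day % 3, "US", "login", 0))
    BASELINE_EVENTS.append(("alice", 10 + day % 4, "US", "download",
                            2_000_000 + 100_000 * (day % 5)))
    BASELINE_EVENTS.append(("bob", 8 + day % 2, "GB", "login", 0))
    BASELINE_EVENTS.append(("bob", 14, "GB", "download",
                            500_000 + 50_000 * (day % 3)))


def build_baseline(events):
    """Build a per-user profile: countries seen, active hours, download sizes."""
    profiles = defaultdict(
        lambda: {"countries": set(), "hours": set(), "download_bytes": []})
    for user, hour, country, action, nbytes in events:
        p = profiles[user]
        p["countries"].add(country)
        p["hours"].add(hour)
        if action == "download":
            p["download_bytes"].append(nbytes)
    return profiles


def score_event(profiles, event, sigma=3.0):
    """Return the list of reasons an event departs from the user's baseline.

    An empty list means the event looks normal. Thresholds are assumptions:
    one hour of slack around observed hours (no wrap around midnight is
    modelled) and mean + sigma * stdev on download size.
    """
    user, hour, country, action, nbytes = event
    reasons = []
    p = profiles.get(user)
    if p is None:
        # No history at all: treat as suspicious and let an analyst decide.
        return ["unknown user: no baseline"]
    if country not in p["countries"]:
        reasons.append(f"new source country {country}")
    if not any(abs(hour - h) <= 1 for h in p["hours"]):
        reasons.append(f"activity at unusual hour {hour:02d}:00 UTC")
    if action == "download" and len(p["download_bytes"]) >= 2:
        mean = statistics.mean(p["download_bytes"])
        stdev = statistics.pstdev(p["download_bytes"])
        if nbytes > mean + sigma * stdev:
            reasons.append(
                f"download of {nbytes} bytes exceeds baseline "
                f"mean {mean:.0f} + {sigma} sigma")
    return reasons


def triage(events, profiles=None):
    """Score a batch of events and return only the anomalous ones with reasons."""
    profiles = profiles or build_baseline(BASELINE_EVENTS)
    return [(ev, rs) for ev in events if (rs := score_event(profiles, ev))]


if __name__ == "__main__":
    # Constructed new events: one normal download, one off-hours bulk
    # download from a country never seen for this account, and an unknown user.
    new_events = [
        ("alice", 10, "US", "download", 2_300_000),
        ("alice", 3, "RU", "download", 40_000_000),
        ("bob", 22, "GB", "login", 0),
        ("carol", 11, "US", "login", 0),
    ]
    for ev, reasons in triage(new_events):
        print(ev, "->", "; ".join(reasons))
```

In production the baseline would be rebuilt on a rolling window and the profile would carry more dimensions (device, application, peer group), but the structure is the same: learn what is normal per identity, then score every new event against it and route the departures to an analyst.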
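The DLP point above (inspect content for sensitive data before it is uploaded or shared externally) is illustrated by the following added example, written for this article and not taken from any DLP product. It scans text for US Social Security numbers and payment card numbers, applies validity checks so that obvious non-matches are not reported (SSN area/group/serial rules, the Luhn checksum for card numbers), and returns masked findings a policy engine could act on. The sample document and the `scan` and `luhn_ok` names are constructed for illustration.

```python
"""Content inspection for SSNs and payment card numbers (DLP building block).

Added example for illustration; not vendor code. The sample text is constructed.
"""
import re

# 3-2-4 formatted SSN. Validity is checked separately: area 000, 666 or 9xx,
# group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits with optional single space or dash separators.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def valid_ssn(area, group, serial):
    """Reject SSN-shaped strings that cannot be issued numbers."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan(text):
    """Return (type, masked value) for each sensitive item found in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if valid_ssn(area, group, serial):
            findings.append(("ssn", "***-**-" + serial))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def decide(text):
    """Policy hook: block any external share or upload that carries findings."""
    return "block" if scan(text) else "allow"


# Constructed test document, not real data. 4111 1111 1111 1111 is a
# well-known test card number; the second number differs in its last digit
# and so fails Luhn; 000-12-3456 is an invalid SSN; the phone number matches
# neither pattern.
SAMPLE = """Customer: Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111.
Ticket 000-12-3456 is a sample invalid SSN; order ref 4111111111111112 fails Luhn.
Support line 555-123-4567."""

if __name__ == "__main__":
    for kind, masked in scan(SAMPLE):
        print(kind, masked)
    print("decision:", decide(SAMPLE))
```

Pattern matching alone produces many false positives (order numbers, phone numbers); the validity checks are what make the result actionable. A real deployment would add context rules (keywords such as "SSN" near the match), document fingerprints, and exact-data matching against a hashed list of known records.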

While hacking and malware consistently rank among the most common causes of breaches, careless and malicious insiders should be a top concern for companies. Because insider activity uses legitimate credentials and access, it is harder to identify and remediate than an attack that originates from outside the enterprise, and organizations should start defending against it more effectively by leveraging the tools and procedures above.

By Anurag Kahol, CTO, Bitglass
