Don’t discount overwhelming insider security threats

Organizations around the world are constantly reminded of the consequences associated with data breaches – most recently with credit agency Equifax’s data breach affecting 143 million U.S. consumers. 

Sensitive data that ends up in the wrong hands can be sold on the black market and eventually lead to identity theft and potential business losses from fines, loss of customers or lawsuits. While the majority of enterprise security strategies focus on external actors, insider security threats may easily account for more than half of all data breaches.

According to Verizon Enterprise’s 2017 Data Breach Investigation Report, 75 percent of breaches are from external actors versus 25 percent from internal ones. However, according to a recent Clearswift Insider Threat Index (CITI) report, 74 percent of security breaches originate from within the extended global enterprise. These two findings, while at first seemingly contradictory, actually net out as follows:

  • 25 percent of all security breaches are solely due to insider actors 
  • an additional 25 percent are due solely to external actors 
  • the remaining 50 percent are the result of external actors exploiting an organization’s own insiders

Insider threats take place when a current or former employee, contractor or business partner with access to an organization’s trusted data, either unknowingly or intentionally, takes actions that compromise security. Although a fair number of internal data security breaches are committed by malicious insiders, the vast majority of insider threats are unintentional and are caused by individuals who inadvertently expose privileged information.

The picture has further shades of grey. Recent breach causes include examples like hospital staff involved in social media bullying who inadvertently exposed large numbers of patient records in the process. Similar examples exist, no doubt, in virtually every industry where an unauthorized action, albeit not intentionally malicious, results in a large-scale data breach.

Unintentional insider threats are often the result of missing data-handling policies, or of policies that are not enforced. Organizations should invest in defining effective policies, and enforcement should be swift and meaningful. Other areas of focus should be ensuring that access to data systems is restricted and that clear policies are in place regarding removable storage devices, non-authorized applications on laptops or personal devices, and access to social media from corporate resources.

Currently a favorite of external cybercriminals, spear phishing emails pose a persistent threat. From ransomware attacks like NotPetya, which encrypt data on user laptops, to advanced persistent threats (APTs) and malware like Defray, which focus on corporate data assets, spear phishing emails remain the attacker’s most reliable way of cracking your defenses. The best defenses against these attacks? Back up user and corporate data regularly to multiple locations (back up your backups). Put extra resources into keeping patches up to date on all systems. And train users to identify the tell-tale signs of a spear phishing email.

Insider threats are not limited to contractors and employees, however. Today’s businesses often develop close relationships with third-party vendors and partners that require privileged access to internal systems. Unfortunately, cybercriminals often leverage this access to penetrate your defenses, and thus your business partners can also be the source of insider threats. Although 75 percent of all breaches originate from external actors, it’s your organization’s insiders who are inadvertently handing criminals the keys to the network 50 percent of the time. Weak passwords and malicious email are the major vectors of external attacks, but only if your users bite. In these cases, the users are the threat.

Typically, enterprise security focuses on safeguards to prevent hackers from penetrating the network and gaining access to data. The statistics, however, tell us that a disproportionate share of the risk exists inside an organization’s perimeter defenses. This should give all security teams pause to reflect on their defense strategy. Clearly, as many resources, if not more, need to be applied to mitigating insider threats as are spent on external threats.

A further risk to today’s enterprise stems from the very nature of our information based economy. Today’s enterprise, almost invariably, must share sensitive data with external partners in the course of business operations. And yet, these very processes expose the organization to significant risk in two

First, moving sensitive data beyond the firewall exposes it to the potential risk of data interception and theft. While the vast majority of data transfers are encrypted, recent statistics show millions of anonymous FTP servers that transmit unencrypted data. The second threat comes from the typical kill chain of a modern attack. If a persistent criminal wants your corporate data, they employ a multi-step process over months to get it. Step one is penetrating your defenses with a spear phishing or similar attack; the objective at this stage is to plant malware on a system with access to your network. From there, they look for a command and control platform, and file transfer systems turn out to be at the top of the shopping list: they use communications protocols that do not arouse suspicion (FTP, HTTPS, etc.), are often easily accessed by internal users, and are typically not well managed.

A secure and reliable managed file transfer (MFT) solution can prove to be an invaluable investment for ensuring files are delivered to authorized recipients on time while enabling IT to track and manage all file transfer activity. When selecting tools to enable external data sharing, consideration should be given to capabilities such as account access controls, alerts and reports, and integration with anti-virus and other security mechanisms.

One way to ensure consistent and easy-to-manage control over which users have access to a given system is to integrate account access privileges with the Active Directory (AD) database. This lets the IT team control and monitor which employees have access to systems that house sensitive information. It also lets IT quickly disable or limit access to user accounts in the event of suspicious behavior or if an employee leaves the company.

It’s also important for an MFT system to be able to log all file transfer activity and trigger alerts that forewarn IT of malicious user behavior. Control and visibility into account access and file transfer events minimize the potential damage that could occur in an insider threat attack. Tamper-evident audit logs ensure that even if an attack does take place, a trail of what happened is recorded and can be traced back to the offending individual(s).
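The two capabilities above, a tamper-evident audit trail and an alert rule over file transfer events, can be illustrated with a small hash-chained log. This is an added example, not code from the article or from any MFT product; the event format, the log key and the bulk-download threshold are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed sample MFT events (not a real product's log format).
EVENTS = [
    {"ts": "2017-09-12T08:01:10Z", "user": "alice", "action": "download", "file": "q3-forecast.xlsx"},
    {"ts": "2017-09-12T08:03:42Z", "user": "bob", "action": "download", "file": "customers-2016.csv"},
    {"ts": "2017-09-12T08:03:58Z", "user": "bob", "action": "download", "file": "customers-2017.csv"},
    {"ts": "2017-09-12T08:04:11Z", "user": "bob", "action": "download", "file": "payroll.xlsx"},
    {"ts": "2017-09-12T08:04:30Z", "user": "bob", "action": "download", "file": "contracts.zip"},
    {"ts": "2017-09-12T09:15:02Z", "user": "carol", "action": "upload", "file": "invoice-0917.pdf"},
]

# Hypothetical server-side log key; in practice it lives in a secrets manager or HSM,
# out of reach of the accounts whose activity the log records.
LOG_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def append_entry(chain, event, key=LOG_KEY):
    """Append an event, binding it to the previous entry's tag with an HMAC."""
    prev = chain[-1]["tag"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True)
    tag = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "event": event, "tag": tag})
    return chain


def build_chain(events=EVENTS):
    """Build a fresh chained log from a list of events."""
    chain = []
    for ev in events:
        append_entry(chain, ev)
    return chain


def verify_chain(chain, key=LOG_KEY):
    """Return the index of the first edited, deleted or reordered entry, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = json.dumps(entry["event"], sort_keys=True)
        expected = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
            return i
        prev = entry["tag"]
    return -1


def bulk_download_alerts(chain, threshold=3):
    """Alert rule: users whose download count reaches the threshold (constructed value)."""
    counts = Counter(e["event"]["user"] for e in chain if e["event"]["action"] == "download")
    return sorted(user for user, n in counts.items() if n >= threshold)
```

Because each tag covers the previous tag, editing or removing any single entry breaks verification at that position rather than silently disappearing from the trail.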

Since file transfer systems are highly prized targets for cybercriminals, all the data that flows through them is also at risk. IT teams should ensure they have a file transfer solution and workflows in place that provide data encryption both at rest and in transit.

Multi-factor authentication (MFA) is another great layer of security that can help ensure only authorized individuals gain access to sensitive information. MFA is a multi-step verification process that confirms the user is who he/she claims to be by requiring additional proof of identity, most often in the form of an additional security code required to log in to an account. The security code is delivered through an alternate channel (phone, email, etc.) that is linked directly to the individual, thus mitigating the risk of unauthorized access.

Data breaches are at the forefront of most IT teams’ strategies, but security professionals should be certain not to neglect the overwhelmingly alarming danger of insider threats. 

Kevin Conklin, Vice President of Product Marketing at Ipswitch 
