Skip to main content

Mitigating the insider threat to your business

This year, we have seen a steady flow of high profile data breaches hitting the headlines. Whether the result of unknown web vulnerabilities, DDOS attacks or overall lax corporate data security policies, data breaches are becoming an everyday occurrence. In fact, it is generally agreed that no organisation is safe and that hackers will get in – but they can be stopped before they cause damage to a business.

Traditionally, organisations have concentrated their breach mitigation efforts on catching and preventing external threats; however, many of today’s data breaches highlight the growing threat posed by insiders. Take the recent Ofcom breach for example, where a former employee stole a large amount of sensitive information about various TV companies and offered it to his new employer – a competitor of his previous company. Unfortunately, as this case shows, when sensitive information is readily available to employees, there is the possibility for anyone to abuse their trusted position.

Beware the unwitting insider threat

Another problem is that many organisations believe that the insider threat only refers to employees acting consciously and maliciously, but this isn’t always the case. There are also those who become unwitting helpers of an outside threat, thus the spectrum of the insider threat is usually much wider than many organisations are aware of. In fact, the accidental insider threat can often pose a much bigger problem for organisations, mainly because there are so many of them.

It only takes one unsuspecting click or a casual download for an employee to expose the entire company’s financial records. The Target breach in 2013, where cybercriminals stole the card details of 40 million customers and the personal data of 70 million, was widely publicised, however what many don’t know is that the hackers gained access to the retailer’s network by stealing and using an insider’s credentials.

Ultimately, malicious or not, the end result is the same and with the European General Data Protection Regulation (GDPR) pending, which will include tougher penalties for businesses that fall victim to a breach, it’s imperative that organisations are able to identify and stop both external and internal threats before any damage is done.

Insider threats can be stopped

For too long, organisations have invested in perimeter based defences alone – firewalls, antivirus, etc.– on the basis they can keep criminals out of their networks. This leads to a false sense of security, and has proven time and time again to be a failed strategy. Even if this approach worked, it does not deal with the insider threat whereby the person is already on the inside. In fact, it is akin to protecting castles with moats in an era of airplanes, and organisations need to move more of their cybersecurity investments to monitoring and response.

Only by constantly and proactively monitoring the network will organisations be able to gain full insight into everything that is happening. This allows any questionable or unusual activity to be identified straightaway. Indeed, the sign of a breach could be something as small as regularly renaming files, downloading more documents than normal, or access to an authorised file at an unusual time of the day, and organisations cannot always rely on the security team to spot actions that look normal to the human eye.

Detect fast, respond fast

Rapid detection is required to identify unusual activity before it leads to a damaging data breach. Once the anomalous activity has been detected, organisations need to quickly and automatically respond in order to mitigate the threat and any risk to major information assets. IT teams need to stop thinking about users according to what they look like and start looking at what they do, through the deployment of user behavioural analytics tools. Using these advanced techniques, changes in the user's behaviour can be detected regardless if it's the actual user doing something bad or it's a criminal impersonating the actual user, having compromised or stolen their credentials.

While there is no denying that perimeter security tools still have their merits, they cannot protect against today’s sophisticated or unsuspecting attacks alone – in particular with regards to the insider threat. Without the ability to know exactly what is happening on the network and understand what ‘normal’ activity looks like, employees could potentially remove data from the organisation and remain undetected for some time.

Train your staff

Employee training is also becoming more important than ever. Businesses need to make staff aware of the threats and risks to sensitive information, to ensure that it is handled and processed in the correct manner. To avoid becoming another Target, training must also cover advanced phishing and social engineering so that employees can become more aware of the threats facing them. If a workforce is not educated in identifying potential phishing scams or adopting proper secure password etiquette, then it makes a hacker’s job a lot easier. As an extra layer of security, businesses need to make sure they have stringent encryption and access control rules in place that prohibit employees from viewing unauthorised data.

All things considered, speed is of the essence when combating today’s hackers. Regardless of how good your firewalls and training programmes are, without deep visibility, information sharing and advanced security intelligence, companies won’t be able to stop threats as soon as they happen. With the EU GDPR promising to increase transparency, it’s now more crucial than ever for organisations to put tools in place that will reduce the time it takes to identify and respond to threats – both external and internal.

Ross Brewer, VP and MD EMEA, LogRhythm

Image Credit: Shutterstock/Andrea Danti

Ross Brewer
Ross Brewer has more than 20 years in the information security sector. At LogRhythm he leads the EMEA team where he helps deliver consistent, rapid growth in the region.