When we think of a cyberthreat, we often imagine a nation state hacking group, or a virus trying to work its way into our company network. After all the media is full of depictions of incidents of this very nature – how many times has North Korea or Russia been blamed for hacking the West?
The funny thing is, the cyberthreat that we should be worrying about actually resides in a place that’s a lot closer home, often found within the company building. What I’m talking about is the insider threat. And it’s about time we paid closer attention to it.
The insider threat is often dramatically underestimated. For example, last month, the Swedish government faced international backlash after it was found that third party employees – with no security clearance – had access to the sensitive data of Swedish citizens. In this case – as we saw with the recent Verizon and Dow Jones data incidents – the culprit of the breach was not an unknown, malicious outsider but came down to insider carelessness and negligence.
The incident in Sweden occurred because the government bypassed essential security checks in order to speed up the contract process with third parties. By failing to think about how its employees interact with sensitive data, Sweden put the personal identifiable information of millions of its citizens at risk, and catapulted itself into the headlines for all the wrong reasons.
The failings of a perimeter focused approach
Historically, businesses have been focused on building up their perimeter defences to protect against external threats – and overlooking the threats that are already inside their walls. This is epitomised in a recent survey* at the BSides London security event, where it was found that 92% of security professionals believe that the industry, as a whole, is far more concerned with defending against outsider threats than internal ones.
This is particularly interesting when we consider that, in the same survey, 71% of professionals felt that businesses should be more concerned about the insider threat than they currently are. These findings indicate that businesses are focusing their efforts in the wrong places. With the proliferation of the cloud, BYOD and remote working, the old-style perimeter defence is no longer enough.
Insiders – be it the careless or malicious kind – are a pressing threat to enterprise data security. Internal employees, contractors and other third parties often have legitimate access to sensitive data to be able to work effectively and flexibly. This creates a challenge for security teams, as it is much harder to catch or validate a malicious threat when the actor in question already has valid access to company data.
The BSides survey also found that almost half of security professionals feel that insider threats and uneducated users are actually the most overlooked security threat in enterprises today, rather than the headline-busting North Korea or Russia. This is because, in today’s digitalised environment, a simple mistake can cause drastic consequences. Take the recent Dow Jones data leak, which exemplifies the consequences of human error. The leak occurred when an employee – who was migrating sensitive customer data to a new cloud repository – left the repository configured to offer “semi-public access”, meaning that any AWS user could access the data.
If the insider threat was seen as a real risk, surely senior management would put in place more precautionary measures to prevent leaks of this scale and kind. But this doesn’t appear to be a board-level priority at present. Indeed, in the survey, 91% of security professionals said that they felt that senior management in their business make poor decisions when it comes to security strategy and spending.
Securing The Insider Threat
Luckily, putting measures in place to reduce the insider threat doesn’t have to be a momentous task or investment. By having the right policies and technologies in place, the risk of internal data leakage or theft can be dramatically reduced.
Firstly, organisations must ensure that they have a strong education and awareness programme in place. Education is one of the most efficient defences against the insider threat. This is because most accidental data breaches occur due to actions by an oblivious or careless employee. With regular training on data security in place, employees are taught to be mindful when handling sensitive corporate data, and to think before they act. Regular refreshers are key to making this training effective – and employees should be updated on any new data policies or technologies before they are implemented.
However, sometimes employees know what they are doing. Bupa, for example, recently suffered a data breach after an employee purposefully and inappropriately copied and removed some customer information from the company. Be it for revenge or financial gain, the malicious insider is a worrying and real threat. When it comes to this malicious insider threat – whereby an employee intends to steal or misuse corporate information – there are certain technologies that can be put in place to hinder the insider from successful theft.
These technologies need to be data-centric, by which they give security teams visibility into how/when/what corporate data is being access and by whom, so that the security team can quickly see unusual activity that might suggest that data is at risk. The same technology should then be able to prevent a rogue or unauthorised employee from copying, transferring or deleting sensitive data without approval. A data-centric approach can also stop unintentional insiders from moving or sending the wrong data by accident. Ultimately, these technologies can be a great asset in preventing internal data theft or loss.
Whilst security teams have wisened up to the growing legitimacy of the insider threat, boardroom decision makers continue to focus most of their efforts on perimeter protection. As a string of recent examples demonstrate (Bupa, Verizon, Dow Jones) the insider threat comes in a number of different forms and is tricky to defend against. However, with the right policies and technologies in place, enterprises can ensure that their data never gets into the wrong hands.
*The survey sponsored by Digital Guardian collected responses from 187 full-time security industry professionals attending the BSides London event on 7th June 2017.
Thomas Fischer, Global Security Advocate and Threat Researcher, Digital Guardian
Image Credit: Andrea Danti / Shutterstock