It may or may not come as a surprise that security breaches can happen rather simply. Take an organization with a seemingly secure perimeter, add a blind spot around what insiders are doing, and you’ve got the perfect recipe for a porous infrastructure poised for information leaks. In today’s business climate, suffering a data breach not only exposes your organization’s confidential information, it can also cost your business millions of dollars. According to a study by the Ponemon Institute, the mean annual cost of an insider attack is more than $4.2 million.
In fact, some of this year’s biggest data breaches such as the CIA Vault7, UK Labour Election Platform and Microsoft Docs.com leaks were a direct result of actions by an insider.
So what are your employees up to? If insiders pose the greatest threat to an enterprise’s security, where does one start?
To start, take a look at what your employees are actually doing on your networks. Recently, Dtex Systems’ 2017 Insider Threat Intelligence Report found key trends in malicious and negligent behaviors performed by employees, contractors and partners that use corporate systems.
For this study, Dtex looked at two of the more prevalent types of insiders: malicious and negligent. Malicious insiders are employees who use their corporate devices for illegal activity or try to sabotage corporate systems, while negligent insiders are employees who accidentally harm corporate networks or expose sensitive data as a result of carelessness or ignorance.
The following are several signs that your employees, malicious or negligent, might be engaging in risky behavior, all of which could pose a security threat to your organization.
Covering One’s Tracks
The number one sign of employees engaging in risky behavior is obfuscation, or “covering of tracks.” This is a strong indicator of an individual’s propensity to do something malicious (if they haven’t already), and it signals that the individual knows the activities they are performing would likely not be acceptable to the employer.
The rise of BYOD and cloud applications has made it simple for employees to discreetly move IP out of an organization’s secure network and conceal their internet activities. The report found that security bypass is the first step towards data theft or destructive behavior. This includes the use of vulnerability testing or hacking tools (like Metasploit), anonymous browsers (like Tor), or anonymous VPN tools. In fact, one of the most popular “free” VPN services actually sells users’ bandwidth and IP addresses to the highest bidder – potentially to be used for malicious cyber crime.
Your employees are smarter than you think and turn to several other methods to cover their tracks: concealing data by moving or renaming confidential files to innocuous names, file types and directories; using portable applications (e.g. portable Firefox) that run from removable devices and never need to be installed on the corporate network; or simply hiding all activity inside a local virtual environment or behind shared user accounts (including switching between personal and non-attributable accounts). Most of the time, these malicious employees only stop once they’re caught.
While it’s an oversimplification to immediately link personal email usage to malicious intent, it is impossible to ignore the fact that personal email accounts on webmail sites like Gmail, Yahoo and Hotmail can absolutely be used as an avenue for data theft. Simply sending emails with attachments, or creating calendar entries, are among the most obvious ways an email account can be used to exfiltrate data. But the security community has seen much trickier methods, too. For example, users can save drafts to stage and transfer information without leaving a network trail, as in the 2014 attacks that used Gmail drafts to update malware and steal data. Personal webmail can also be used to cover tracks and hide activity, and it is frequently used as a medium for collusion between malicious actors: many employees will log into the same webmail account to share pirated media and applications or, worse, sensitive information.
Leavers: Employees On Their Way Out
Employees are riskiest in the two weeks before they leave a company; abnormal file aggregation is frequently detected in that timeframe. Intermedia’s 2015 Insider Risk Report found that 23 percent of employees admitted they would take data from their company. Dtex found that more than half of organizations experience data theft when employees leave, like product managers who steal proprietary plans, engineers who sneak out valuable code, or salespeople who poach critical client lists.
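The indicators described in the track-covering section and in this one (execution of tools such as Tor or Metasploit, portable applications run from removable media, confidential files renamed to innocuous types, and file aggregation in the two weeks before departure) can be expressed as simple endpoint rules. The following Python is an added example, not code from the article or from Dtex; the event format, the departure dates, the assumption that drive E: is removable, the tool names and the copy threshold are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

EVENTS = [  # constructed sample endpoint events (user, day, kind, detail); not real telemetry
    ("alice", date(2017, 6, 1), "process", "C:\\Users\\alice\\Downloads\\tor.exe"),
    ("alice", date(2017, 6, 2), "rename", ("Q3_client_list.xlsx", "holiday.jpg")),
    ("alice", date(2017, 6, 3), "process", "E:\\PortableApps\\FirefoxPortable.exe"),
    ("alice", date(2017, 6, 10), "copy", "E:\\roadmap.docx"),
    ("alice", date(2017, 6, 10), "copy", "E:\\pricing.xlsx"),
    ("alice", date(2017, 6, 11), "copy", "E:\\contracts.pdf"),
    ("bob", date(2017, 6, 2), "process", "C:\\Program Files\\Mozilla Firefox\\firefox.exe"),
    ("bob", date(2017, 6, 4), "rename", ("draft_v1.docx", "draft_v2.docx")),
]
DEPARTURES = {"alice": date(2017, 6, 14)}  # constructed: HR-supplied last working day
REMOVABLE_VOLUMES = ("E:\\",)              # constructed: E: is a USB drive on this host
TOOL_STEMS = ("tor", "msfconsole")         # executable stems for the tools the article names
SENSITIVE_EXT = (".xlsx", ".docx", ".pdf", ".zip")
INNOCUOUS_EXT = (".jpg", ".txt", ".tmp", ".log")

def flag_event(kind, detail):
    """Return an indicator label for one event, or None if it looks benign."""
    if kind == "process":
        name = detail.rsplit("\\", 1)[-1].lower()
        if name.split(".")[0] in TOOL_STEMS:  # exact stem, so editor.exe is not "tor"
            return "anonymizer_or_hacking_tool"
        if detail.startswith(REMOVABLE_VOLUMES) and "portable" in name:
            return "portable_app_from_removable_media"
    if kind == "rename":
        src, dst = (p.lower() for p in detail)
        if src.endswith(SENSITIVE_EXT) and dst.endswith(INNOCUOUS_EXT):
            return "sensitive_file_disguised"
    return None

def pre_departure_copies(events, departures, window_days=14):
    """Count copies to removable media in the window before each leaver's last day."""
    return Counter(
        user for user, day, kind, detail in events
        if user in departures and kind == "copy" and detail.startswith(REMOVABLE_VOLUMES)
        and departures[user] - timedelta(days=window_days) <= day <= departures[user])

def score_users(events=EVENTS, departures=DEPARTURES, copy_threshold=3):
    """Collect indicators per user; leavers who bulk-copy to removable media get an extra flag."""
    flags = defaultdict(list)
    for user, _, kind, detail in events:
        if label := flag_event(kind, detail):
            flags[user].append(label)
    for user, n in pre_departure_copies(events, departures).items():
        if n >= copy_threshold:
            flags[user].append("pre_departure_file_aggregation")
    return dict(flags)
```

In a real deployment the departure list would come from the HR system and the removable-volume set from the endpoint agent, and the threshold should be set against each user's own baseline rather than a fixed number.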
Joiners: Employees On Their Way In
While leaving employees are a pervasive security risk, it’s also important not to forget about joiners – new hires joining your organization. Oftentimes, no one gives new hires a second glance. However, it is surprisingly common for new hires to bring stolen data into a new organization. This is equally troubling, for a few reasons. Keeping and using stolen data is morally questionable, but it is also legally dangerous. What’s more, there’s another obvious threat: this employee most likely won’t be working for your enterprise forever. If you find out they’ve brought stolen data into your network, they will probably take your data when they leave, too.
Inappropriate Internet Usage & Pirated Software and Media
While the rise of the Internet has helped workers get things done faster, better and more easily, it is also a massive distraction. Some employees will innocently browse the web, visiting social media sites, shopping online and so on, but risk assessments have identified a significant amount of inappropriate workplace activity, like watching pornography, gambling and downloading resources illegally. These behaviors are easy for organizations to get under control, but they are often overlooked and not considered a security problem. Accessing such websites is an indicator of employee negligence, since most employees need to circumvent security measures to reach them. This means they are weakening your overall security posture, and you have no way of knowing when they do it.
Pirated software is a security threat in two major ways. Firstly, it is a legal vulnerability. Having pirated software in your enterprise opens you up to potential legal action in a variety of ways. The Business Software Alliance is a driving force behind thousands of investigations into these cases each year. Ultimately, the government can pursue a copyright infringement case against you. In the U.S., that can translate to fines up to $250,000, five years in jail, or both. Beyond that, there’s another big danger involved: malware. Pirated software downloaded from the internet is frequently packaged with malware or is malware in disguise.
As we’re seeing in recent news cycles, data breaches are becoming a norm around the world. The insider is the greatest threat any organization faces, regardless of geography, organization or political standing, but organizations have the ability to be the first line of defense. The top priority for any organization must be to protect vulnerable insiders and address the risky behaviors at the source. Until organizations strengthen their security programs and protocols with technologies that give them visibility into what their users are doing on their endpoints, the insider threat will continue to be a problem.
Rajan Koo, SVP Engineering, Dtex Systems