No one sees it coming. While all eyes and resources look outward to thwart a data breach by unknown hackers on the other side of the world, sometimes the culprit is only feet away and is, in fact, known.
Indeed, a trusted colleague or vetted third-party who has access to important documents and files shouldn’t be overlooked in your organization’s data security plans. Not that every employee harbors ill intentions, but all it takes is for one of them to accidentally release data to unauthorized users or mistakenly share a file that should be private.
Yet, monitoring insider threat isn’t as easy as the vigilance that’s undertaken to prevent outside attacks. Three out of four information security professionals believe it’s hard to distinguish legitimate computer use from abuse because abnormal, harmful activity is usually hidden in the large volume of ordinary, harmless activity. It’s difficult to detect when an employee is performing a regular task with legitimate access or is acting out of turn, either negligently or maliciously.
AT&T learned that lesson recently when it paid a $25 million civil penalty – the largest related to data theft in FCC history – after employees at overseas call centers sold hundreds of thousands of customer records. Morgan Stanley won’t face an FCC penalty for a breach of wealth management data of 350,000 clients but it nonetheless faced unwanted publicity after a broker transferred the sensitive data from a financial application to personal devices and the information landed online for all to see.
These and many other high-profile insider threat breaches only buttress a Verizon study that found 69 percent of information security incidents are attributed to inside threat. Whether it’s through malicious behavior or carelessness, the insider threat is real – but somehow companies still don’t seem to understand they’re at risk. Seventy percent of audits and investments show businesses have deficiencies in monitoring insider threats, and 75 percent of all insider threats go unnoticed, according to a 2015 SANS survey.
This whitepaper will shed light on how inside threats unfold, review which insiders are prone to commit them and which applications and programs they’ll use, explain what kind of data is vulnerable, and lay out how you can best monitor and prevent internal threats. We hope to enlighten not just IT departments but also CIOs, HR leaders, financial heads – just about anyone who oversees the employees, privileged users and third parties who have permission to access your data.
The Insider Threat Landscape: Abuse or Legitimate Use?
It’s important to closely consider the thinking of malicious insiders and accidental insiders. Malicious insiders make a conscious decision to steal information, a knowing effort to harm their employers. Accidental insiders have no idea that their security practices cause damage, and their decisions could be innocent or simply negligent. They can also be targeted by malicious hackers and tricked into sharing a file or system access.
Even though malicious insiders are always a threat, negligent ones are the larger concern. A SANS survey of nearly 800 organizations across a wide scope of industries revealed that the majority of respondents worry far more about negligent insiders.
There Are Culprits Aplenty
Insider threats can be separated into three categories. Distinguishing the computer activities typical of each group determines how best to monitor them.
Employees: First, there are employees. They are the largest group, and have access to many, but not all, applications, files and programs. They can view information they’re not supposed to, make errors that open the door to data thieves, or use unauthorized cloud applications that are infamous for data exposure.
You have to worry about employees mistakenly extracting data and having it fall into the hands of those who would profit. You also have to be on alert for employees who commit inside fraud, purposely manipulating data for their own gain or stealing customers’ personal and financial information for profit. Low-level employees who work customer support or call centers are usually the ones who perpetrate inside fraud.
Third-party users: Remote vendors, contractors and outsourced IT workers are also a cause for insider threat. They can quite easily inflict harm late at night or on weekends, when a privileged administrator wouldn’t notice. They can also make unauthorized changes to files and programs. And third-party users are just as likely as in-house employees to make mistakes and be careless handling data or using unapproved applications.
Privileged Users: Lastly, don’t forget to be mindful of privileged users. They maintain user accounts, perform updates and maintenance and make sure all digital trains run on time, but they also have the highest level of access and can thus cause significant damage with malicious or negligent actions.
Privileged users have access to your network, file systems and source code. They have the keys to your financial records, confidential information and intellectual property and can easily abuse their privileges. More importantly, they can make unauthorized changes to monitoring programs and cover the tracks of their misdeeds.
Not that privileged users should be overlooked in any kind of internal monitoring, but employees and third-party users outnumber them by 20 to 1. You need to have unique insight into everyone’s computer work habits – no matter how many haystacks you have to monitor – while also balancing priorities. Employees and third-party users will have the most activity to monitor but privileged users have greater access and greater ability to cause harm.
5 Key Considerations for Understanding Insider Threats
Surely, there is a lot to keep in mind when protecting your business from insider threats. Between trying to understand what to look for and who to watch, staying on top of inside threats requires a smart approach to knowing how they happen. To help on that end, here are five key considerations for further understanding insider threats:
Consideration #1: Every Business Function is a Potential Source of Risk
It’s easy to assume that only vital financial and legal documents are at risk from inside threats. Actually, everything is at risk. Every business function can be manipulated from the inside. You may think vital data is safeguarded, but a breach from an area that’s not protected can serve as a gateway to what you’re protecting.
JPMorgan Chase probably could have prevented a data breach last year if it had only installed a simple dual password security fix to an overlooked server. Hackers were thus able to steal a login from an employee, leading to the compromise of information for 83 million businesses and individual customers.
Customer support, perhaps surprisingly, is the area of biggest risk, according to a Ponemon Institute survey. Out of the many business functions – including finance, legal and sales force operations – respondents believed customer support was their greatest area of concern.
Think about it: For customer support employees to successfully assist customers, they need access to a lot of company data, some of it sensitive. With a treasure trove of data at their fingertips, it probably shouldn’t be a surprise that low-level employees, particularly those working in customer support, often are behind the theft of data.
Many companies outsource customer service, but they may not be fully apprised of how those employees are vetted and whether or not they can be trusted. Information may also be at risk during data transfers to a third-party customer support agency, increasing the chance that hackers could get their hands on your data.
It’s also worth considering that some insiders couldn’t care less about financial gain. Rather, they’re motivated to seek revenge against employers, or they simply want to disrupt or destroy company systems. Others want to steal or destroy data to gain a competitive advantage or harm a company’s reputation. As a result, they’re satisfied with accessing files and programs that aren’t monitored as regularly or carefully as ones that are deemed vital.
The Application Threat
Consideration #2: Applications Improve Work but Also Pose Risk
Cloud applications have greatly strengthened a business’ abilities to do work. Employees can share files amongst themselves and clients, communicate almost effortlessly, and perform a slew of tasks that previously were limited to costly, on-site programs. With cloud apps, your business can work from anywhere, at any time, and with anyone.
But cloud apps also present an enormous security gap that on-premises programs didn’t have: They can’t easily be monitored for insider threats.
Today, tracking activities on the many apps that employees use daily is far more difficult and resource intensive. Significant staff time is needed to correlate and review access and usage logs, but that’s only if those records are even available. Apps track user actions differently, and some applications don’t produce logs at all.
Companies are understandably worried about this lack of oversight. A recent Ponemon Institute survey found that 71 percent of more than 600 IT and security practitioners saw deficiencies in their monitoring of application usage, but only eight percent of them had turned to commercial auditing and monitoring solutions to keep track of employees.
The Ponemon Institute survey also uncovered the applications that were the top sources of risk for insider threat:
- Ecommerce: While an ecommerce app undoubtedly makes transactions with customers easier, it’s not only a target for outside attacks but perhaps more so for employees and privileged users who have almost unfettered access to account information. An ecommerce app is a direct pipeline to customers’ personal identifiable information (PII) and financial account details.
- Financial: Some finance apps centralize business actions, allowing many of your employees to have access to data they probably shouldn’t. Most employees typically need only small chunks of data to do their jobs rather than having authorized access to view large amounts. These apps also open the door to administrative misdeeds, as accounts can be modified or deleted. Not to mention, an administrator can create a new account and use it to steal information.
- CRM: Many businesses favor using CRM solutions to centralize massive amounts of customer information. A CRM app makes serving customers easier than having employees rely on various siloed systems. But centralization means the data is accessible to all levels of employees and third parties and prone to risk. The Ponemon Institute survey indicated that a sizeable share of IT professionals worry about a CRM system’s lack of proper access and governance.
Those are just three types of apps that call for monitoring inside threats. Your business undoubtedly relies on many others that increase productivity but also have weak spots. It’s wise to also monitor applications geared for workforce productivity and management, enterprise resource management, the call center, customer relationship management and human resources.
It’s Not the Breach; it’s the Time to Discovery
While a breach can damage a company’s reputation and bottom line, the time it takes to discover a breach can be just as harmful.
Time matters with data breaches. The time it takes to discover a breach could be the difference between a minor incident and a major theft. As long as malicious insiders can stay hidden, they have the opportunity to carry out long-range plans that cause damage and cost money.
Companies typically have difficulty tracking insider activity during off-hours. The ability to work in the cloud has empowered employees to get tasks done from home and on the road, but the flip side is that off-premise apps can bypass your company’s firewall and thus expose data.
Twenty-eight percent of IT professionals surveyed by the Ponemon Institute said employees working after hours in the office or working remotely were the two most difficult environments in which to monitor computer use.
Ponemon Institute also released a discernable measurement of cost for undetected data breaches. Malicious attacks cost $170 to resolve per record, and they take an average of 256 days to identify. On the other hand, human error or negligence costs $137 per record and an average of 158 days to identify.
All Monitoring Methods Are Not Created Equal
Auditing user logs is time intensive for many reasons, but even with proper attention paid, these records still won’t provide enough detail to determine an employee’s actions.
A log of an employee’s use of a financial app, for example, may bring you to a dead end if the user, particularly a privileged user who has full access, covered his tracks and deleted steps.
Also, logs typically contain thousands of discrete events in obscure, hard-to-digest technical language. Companies relying on logs from apps and devices often can’t crack this language and just about find it impossible to learn what users are doing.
But major advancements continue to be made in data security technology. Companies now have a wide array of tools to help defend data by providing insight into how it’s accessed, including activity monitoring solutions that let you see, in the moment, when and how insiders are genuine threats.
A monitoring solution can use contextual information to give a fuller picture of how insiders access company data. By monitoring what employees and third-party users do on their computers, you can view in real time or later what they accessed, when they did, and whether they manipulated or used programs and data in an unauthorized manner.
What to Look for, Who to Look at, and How to Monitor Insider Threats
As noted earlier, not everyone has bad intentions. Not all insiders seek to steal or destroy data, but many do unwittingly perform unauthorized actions that open the door to potential theft and damage by malicious outsiders.
Consistently reminding your employees and third-party users about computer protocol and establishing clear and understandable guidelines will go a long way toward curbing negligent behavior. Still, it’s easy to forget the rules, especially as employees and other insiders fly through their workdays and don’t always follow procedure.
Here are some insider activities to monitor to get a bead on potential threats:
- Public file sharing: As with any other cloud app, public file-sharing services don’t give IT departments insight into what files an employee is storing and who else has access to sensitive information.
- Broad network access: Network security approaches typically provide users with broad access to network resources. A user may have credentials to a few systems, but has visibility to entire network segments. Hackers can exploit that visibility to gain access to unauthorized resources.
- Shadow IT: Shadow IT systems can spark innovation and progress, but they also pose a great risk because they are unauthorized and not under a company’s control. Legacy security management systems are of no use against them.
- Thumb drives: Thumb drives are quick and easy to use, but employees can just as quickly and easily overlook that they can be Trojan horses for malware.
- Email: Emailing sensitive and confidential information seems like an easy one to prevent, but insiders often forget they shouldn’t do it, or they willfully overlook this expectation.
- Private data access: Insiders can view, copy or print data from private folders and applications.
If your company still relies on system logs that list thousands of events in obscure language, you’ll never have the visibility necessary to properly monitor insiders and put your organization in the best position to minimize data theft.
A user activity monitoring solution, however, makes sense of all those actions and presents insider usage in clear, in-the-moment snapshots. It will detect and alert you to insider risks that are becoming insider threats.
A monitoring solution scrapes all activity and indexes the textual information on the screen, so you’ll know what’s happening in all applications, even in ones that do not generate logs. You’ll have a clear view, literally, of all user actions across your entire enterprise including web apps, legacy applications, and custom or homegrown applications.
For signs of heightened insider threat you can establish alerts and generate reports to detect abnormal behavior with how users are interacting with important data as well as have a visual playback of exactly what each user did. This provides the early warning system needed to reduce risk and strengthen your security.
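The activities listed above and the alerting approach described here, as an added worked example that is not part of the original whitepaper and not ObserveIT’s product: a small rule-based pass over user-activity records that flags off-hours access, uploads to public file-sharing sites, removable media, bulk record exports, sensitive attachments sent externally and tampering with audit logs, then ranks users by accumulated severity so a reviewer knows whom to look at first. The log format, the domain list, the thresholds, the severity weights and every event below are assumptions constructed for illustration.

```python
"""Added example: rule-based flagging of insider activities over a constructed log.

Constructed record format (one event per line, whitespace separated):
    <ISO timestamp> <user> <role> <action> <target>
Every value below is an assumption for illustration, not data from a real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events; none of these come from a real environment.
SAMPLE_LOG = """\
2015-06-01T09:12:44 alice employee open_file finance/q2_forecast.xlsx
2015-06-01T22:47:10 bob contractor open_file hr/salaries.csv
2015-06-01T10:03:21 carol employee upload_web dropbox.com/upload
2015-06-01T10:05:02 carol employee usb_mount E:
2015-06-01T14:15:00 dave support export_records crm:4500
2015-06-01T11:00:00 erin admin delete_file /var/log/audit/audit.log
2015-06-01T15:30:12 alice employee send_email external:customer_list.csv
2015-06-01T15:31:00 alice employee send_email internal:agenda.txt
"""

# Assumed policy values for the example (tune to your own environment).
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 counts as normal working time
PUBLIC_SHARING_DOMAINS = {"dropbox.com", "drive.google.com", "wetransfer.com"}
BULK_EXPORT_THRESHOLD = 1000             # records per export before it counts as bulk
SENSITIVE_NAME_HINTS = ("customer", "salar", "ssn", "card")
MONITORING_PATHS = ("/var/log/audit",)   # deleting here hides tracks (privileged users)

# Severity weight per rule; summed per user to rank who needs review first.
SEVERITY = {
    "off_hours_access": 2,
    "public_file_sharing": 3,
    "removable_media": 2,
    "bulk_export": 4,
    "sensitive_email_external": 4,
    "monitoring_tampering": 5,
}


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, user, role, action, target = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "target": target}


def evaluate(event):
    """Return the names of every rule this single event trips."""
    hits = []
    if event["ts"].hour not in BUSINESS_HOURS:
        hits.append("off_hours_access")
    if event["action"] == "upload_web":
        host = event["target"].split("/", 1)[0]
        if host in PUBLIC_SHARING_DOMAINS:
            hits.append("public_file_sharing")
    if event["action"] == "usb_mount":
        hits.append("removable_media")
    if event["action"] == "export_records":
        count = int(event["target"].split(":", 1)[1])   # target is "<system>:<rows>"
        if count >= BULK_EXPORT_THRESHOLD:
            hits.append("bulk_export")
    if event["action"] == "send_email":
        scope, name = event["target"].split(":", 1)     # "external:<attachment>"
        if scope == "external" and any(h in name.lower() for h in SENSITIVE_NAME_HINTS):
            hits.append("sensitive_email_external")
    if event["action"] == "delete_file" and event["target"].startswith(MONITORING_PATHS):
        hits.append("monitoring_tampering")
    return hits


def analyse(log_text):
    """Run every rule over the log; return (alerts, per-user risk scores)."""
    alerts = []
    scores = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for rule in evaluate(event):
            alerts.append((event["user"], rule, line))
            scores[event["user"]] += SEVERITY[rule]
    return alerts, dict(scores)


def riskiest_users(scores, top=3):
    """Users by descending score (ties broken by name): the review order."""
    return sorted(scores, key=lambda u: (-scores[u], u))[:top]


if __name__ == "__main__":
    found, totals = analyse(SAMPLE_LOG)
    for user, rule, line in found:
        print(f"[{rule}] {user}: {line}")
    print("review order:", riskiest_users(totals))
```

The point of the scoring step is the one the whitepaper makes about haystacks: most of the sample events trip nothing, and the few that do are ranked so that a deleted audit log or a bulk CRM export outweighs a single late-night file open. A real deployment would replace the constructed thresholds with a baseline learned per user and role, but the rule shapes are the same.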
It Doesn’t Have to be Difficult
Sure, distinguishing ordinary insider behavior from negligent and malicious behavior is a daunting task. But that’s only if your business is using outdated security measures.
Monitoring the computer footprints – and finger taps – of employees and other trusted users might give companies pause, but there’s no other effective, real-time means of keeping track of how and when insiders access your data. The pros can attest to this: Fifty-nine percent of information security professionals say the most effective way to combat insider threats is user activity monitoring.
A user monitoring solution provides real-time pictures of how employees, third parties and privileged users are handling your data. You no longer have to worry about cloud applications not providing enough detail, or insiders accessing files off-hours and remotely.
Being aware of the many threats that exist, knowing how insiders can endanger your sensitive company information, and deploying an innovative solution will give your company a measurable security advantage and the freedom to concentrate on work.
ObserveIT is the leader in user activity monitoring and analytics that enables companies to mitigate the risk of insider threats from business users, privileged users and third-party contractors. ObserveIT records, monitors, and analyzes user behavior across the entire enterprise down to the application field level with zero operational impact. Analytics and scoring identify users who represent the greatest risk, enabling security teams to respond before the business is impacted. Our granular user activity logs provide a detailed audit trail of all user activity to streamline compliance and internal audits. ObserveIT is trusted by over 1,200 customers in 70 countries across all verticals. For more information on ObserveIT, visit www.ObserveIT.com, or find us on Twitter @ObserveIT.