When working to secure your business’s data and critical assets, the focus has historically been on “outside-in” preventive technology, like network firewalls. However, with the network perimeter disappearing fast and more people working from home than ever before, it’s time to rethink that network-centric strategy and concentrate on the people perimeter instead.
A large portion of security threats today (about 30% of breaches, according to the Verizon 2020 DBIR) originate from inside the organization. These are known as insider threats and, according to Ponemon research, cost companies an average of $11.45 million annually.
Insider threat incidents have increased 47% over the last two years. They are poised to become an even larger problem as more companies embrace remote work, which magnifies the existing challenge of securing endpoints and managing negligent, accidental, or unwitting security policy violations.
So how can companies better prepare for and protect against insider threats, given our new normal and the reality of an evaporating network perimeter? In this blog post, we’ll share five tips to better secure the organization’s critical data and assets from insider-driven risk.
Oh, and if you find this post valuable, please check out our new eBook, An Overview of Insider Threat Management, the first in a four-part series on securing the people perimeter.
1. Build User Risk Profiles
Understanding the people in your workforce goes beyond just headcounts and payroll. It requires an all-encompassing understanding of who your insiders are and what types of risk they pose. It’s worth noting here that “insider” is a term that goes beyond employees to include contractors and any third-party entity with access to critical assets on the network.
Some insiders naturally carry more risk than others. There is a wide range of reasons this may be the case, including high levels of privileged access (e.g. IT teams), imminent departure from the organization, or even ties to a hostile nation-state.
An additional category that can be used to define certain segments of the workforce is “very attacked people,” or VAPs. These individuals are high-value targets that attackers approach over and over again, hoping to find a way into the company. While which individuals qualify varies by business and industry, they have one thing in common: risk. Attackers keep pursuing them because the payoff from compromising them is commensurately high.
Of course, not every high-risk user on the company network will turn into an actual insider threat. However, network security teams must find ways to mitigate the risk these users pose. One of the best ways to do this is to build user risk profiles, which is typically done using a purpose-built Insider Threat Management platform.
2. Monitor & Alert Based on Common Threat Signals
Once user risk profiles are built and assigned, the next step is to set up alerting around both high-risk users and high-risk behaviors. Every organization is different, so specific threat signals will vary from place to place. However, a library of common alerts and risk scenarios, ideally built on both security research and real-world experience, can give teams a starting point to build their monitoring program and improve their network security people-perimeter.
There are many common insider threat indicators that an organization can monitor in order to catch and halt threats before they evolve into something more dangerous.
When it comes to risky user activity, organizations should focus on activity involving:
- Unauthorized cloud storage or large file-sending sites
- Disposable or temporary email clients
- USB storage devices and other removable media
- Copying, cutting, and pasting of sensitive content, and large print jobs
These are among the most common indicators that an insider threat may be afoot.
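The following is an added example, not ObserveIT code, of how the indicators above can be turned into alerting that also takes the user risk profiles from tip 1 into account: each rule carries a weight, the weight is multiplied by the user's risk tier, and a user whose combined score crosses a threshold is escalated. The event schema, rule names, thresholds, host and domain lists, and the log events themselves are all constructed for the demo; a real deployment would load them from policy and from the endpoint agent.

```python
"""Score constructed endpoint activity events against common insider threat
indicators, weighting them by a per-user risk tier.

Added example (not ObserveIT code). Schema, rule names, thresholds, lists and
events are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed user risk profiles (tip 1): the tier multiplies every rule weight.
USER_RISK = {
    "alice": 1.0,  # ordinary user
    "bob": 2.0,    # privileged admin who has given notice (departing)
    "carol": 1.5,  # VAP: repeatedly targeted by phishing
}

# Assumed policy lists; in practice these come from the organization's policy.
SANCTIONED_UPLOAD_HOSTS = {"sharepoint.example.com"}
DISPOSABLE_MAIL_DOMAINS = {"guerrillamail.com", "10minutemail.com", "mailinator.com"}
LARGE_PRINT_PAGES = 100        # pages per job
LARGE_CLIPBOARD_BYTES = 50_000 # bytes copied in one clipboard operation
ESCALATE_AT = 6.0              # combined score at which a user is escalated

# Constructed events: (user, event type, details). Not real telemetry.
EVENTS = [
    ("alice", "upload", {"host": "sharepoint.example.com", "bytes": 5_000_000}),
    ("alice", "print", {"pages": 12}),
    ("bob", "usb_write", {"device": "SanDisk Ultra", "files": 340}),
    ("bob", "upload", {"host": "mega.nz", "bytes": 2_400_000_000}),
    ("bob", "clipboard", {"bytes": 120_000, "source": "CustomerDB.xlsx"}),
    ("carol", "email", {"to": "me@guerrillamail.com", "attachments": 3}),
    ("carol", "print", {"pages": 250}),
]


def _mail_domain(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


# (rule name, predicate over (event type, details), base weight)
RULES = [
    ("unsanctioned_cloud_upload",
     lambda t, d: t == "upload" and d["host"] not in SANCTIONED_UPLOAD_HOSTS, 3.0),
    ("disposable_email",
     lambda t, d: t == "email" and _mail_domain(d["to"]) in DISPOSABLE_MAIL_DOMAINS, 3.0),
    ("removable_media_write",
     lambda t, d: t == "usb_write", 2.0),
    ("large_clipboard_copy",
     lambda t, d: t == "clipboard" and d["bytes"] >= LARGE_CLIPBOARD_BYTES, 1.5),
    ("large_print_job",
     lambda t, d: t == "print" and d["pages"] >= LARGE_PRINT_PAGES, 1.5),
]


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    score: float
    detail: str


def evaluate(events, user_risk=USER_RISK):
    """Run every rule over every event; unknown users get a multiplier of 1.0."""
    alerts = []
    for user, etype, details in events:
        multiplier = user_risk.get(user, 1.0)
        for name, predicate, weight in RULES:
            if predicate(etype, details):
                alerts.append(Alert(user, name, weight * multiplier, f"{etype}: {details}"))
    return alerts


def score_users(alerts):
    """Sum alert scores per user; users with no alerts are absent."""
    totals = defaultdict(float)
    for alert in alerts:
        totals[alert.user] += alert.score
    return dict(totals)


def escalations(events, user_risk=USER_RISK, threshold=ESCALATE_AT):
    """Users whose combined score reaches the escalation threshold, sorted by name."""
    totals = score_users(evaluate(events, user_risk))
    return sorted(user for user, total in totals.items() if total >= threshold)


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(f"{alert.user:6} {alert.rule:28} {alert.score:5.2f}  {alert.detail}")
    print("escalate:", escalations(EVENTS))
```

Note the effect of the risk profile: with every user at the default tier, only bob crosses the threshold; with carol tagged as a VAP, her disposable-email send plus a large print job is enough to escalate her as well. That is the point of building the profiles before the alert rules.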
3. Avoid Privilege Creep
For privileged users in particular, it’s imperative to remain vigilant about privilege creep. While there’s no question that some users need elevated privileges to do their jobs, it’s also very common for privilege creep to occur: people accumulate privileges over time, until far too many people in the organization have far too much access—more than they truly need to do their jobs.
To improve the network security people-perimeter, we recommend that organizations regularly audit privileges and ensure that the principle of least privilege is applied to all insiders as a best practice. If possible, use time-limited privilege grants to ensure that security holes aren’t left wide open for no good reason.
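As an added example (not ObserveIT code) of the audit recommended above, the script below compares each user's current grants against an assumed per-role baseline, flags standing privileges outside the role as creep, and flags time-limited grants that have passed their expiry but are still present. The roles, privilege names, users, grants and the audit date are constructed for the demo; a real audit would pull grants from the identity provider or directory.

```python
"""Least-privilege audit over constructed grant data: flag standing privileges
outside a user's role baseline, and time-limited grants left in place after expiry.

Added example (not ObserveIT code). Roles, privilege names, users and grants are
assumptions made for illustration.
"""
from datetime import datetime, timedelta, timezone

# Assumed role baselines: the privileges each role needs to do the job.
ROLE_BASELINE = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "sre": {"repo:read", "prod:ssh", "prod:deploy", "ci:run"},
    "analyst": {"dw:read", "bi:view"},
}

# Constructed audit date and user-to-role mapping.
NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)
USERS = {"alice": "developer", "bob": "sre", "carol": "analyst"}

# Constructed current grants: (user, privilege, expiry or None for a standing grant)
GRANTS = [
    ("alice", "repo:read", None),
    ("alice", "repo:write", None),
    ("alice", "ci:run", None),
    ("alice", "prod:ssh", None),                         # creep: left over from an on-call rotation
    ("alice", "prod:deploy", NOW - timedelta(days=3)),   # time-limited, expired, never revoked
    ("bob", "repo:read", None),
    ("bob", "prod:ssh", None),
    ("bob", "prod:deploy", None),
    ("bob", "ci:run", None),
    ("carol", "dw:read", None),
    ("carol", "bi:view", None),
    ("carol", "dw:admin", NOW + timedelta(days=2)),      # time-limited, still valid
]

EXPIRED = "expired_grant_still_present"
CREEP = "standing_privilege_outside_role"


def audit(users, grants, role_baseline, now):
    """Return sorted (user, privilege, finding) tuples for grants that violate least privilege.

    A non-baseline privilege with a future expiry is an acceptable temporary grant and
    produces no finding; it becomes a finding once the expiry passes.
    """
    findings = []
    for user, privilege, expires_at in grants:
        baseline = role_baseline[users[user]]
        if expires_at is not None and expires_at <= now:
            findings.append((user, privilege, EXPIRED))
        elif expires_at is None and privilege not in baseline:
            findings.append((user, privilege, CREEP))
    return sorted(findings)


def revocations(findings):
    """The (user, privilege) pairs an administrator should remove, deduplicated and sorted."""
    return sorted({(user, privilege) for user, privilege, _ in findings})


def grant_time_limited(user, privilege, hours, now):
    """Build a grant tuple with an expiry, the form tip 3 recommends for elevated access."""
    return (user, privilege, now + timedelta(hours=hours))


if __name__ == "__main__":
    for user, privilege, finding in audit(USERS, GRANTS, ROLE_BASELINE, NOW):
        print(f"{user:6} {privilege:12} {finding}")
    print("revoke:", revocations(audit(USERS, GRANTS, ROLE_BASELINE, NOW)))
```

Run on the sample data, the audit flags two grants for alice (a standing production SSH privilege her role does not include, and an expired deploy grant) and nothing for bob or carol; re-running it three days later would also flag carol's data-warehouse admin grant, which is exactly why the audit has to be periodic rather than one-off.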
4. Educate Users—Beforehand and In Real Time
According to Ponemon’s Cost of an Insider Threat Report, 62% of insider incidents involve negligence, making them even more common than intentional, malicious insider threats. As a result, organizations must deploy a comprehensive security awareness program, with a specific focus on insider threats. Educating users ahead of time about network security policies and what constitutes risky behavior has the potential to deter the majority of insider threats.
Additionally, we recommend using real-time user education tools (like those built into ObserveIT) to remind users immediately of the rules when they attempt to take out-of-policy actions. Organizations can also set up blocking to actually prevent users from completing risky activities. This way, simple mistakes (and some intentional risky behaviors) stand less of a chance of breaching the people-perimeter of your organization.
5. Understand Motivations
Finally, when it comes to deterring both intentional and unintentional insider threats, it helps to understand motivations. If teams understand the motivation or intent behind an action, they will have better success mitigating the risk of an incident, either by putting a stop to it early or by deploying an appropriate response.
In this blog post, we cover the common insider threat motivations, to give you a leg up in developing a response playbook that is reasonable and appropriate for each type of insider threat motivation.
This is just a small peek into some of the tips companies can employ to better detect, mitigate, and respond to insider threats and build a stronger network security people-perimeter. To dive deeper into the topic of the people side of ITM, download Step One: An Overview of Insider Threat Management, part of our brand new e-book series: Securing Your People Perimeter – Protection Starts with People.