The Sunday Times Sri Lanka

Future of ‘Insider Threats’

 The greatest threat to an organisation is no longer the hacker attacking from beyond the physical and network walls but the insiders already within those walls, and equipped with an all-access pass. An insider threat may be a malicious employee or stakeholder who consciously or unwittingly exfiltrates data, sabotages IT systems, or manipulates data and systems, or be a former employee, board member, or anyone who at one time had access to proprietary or confidential information from within an organisation. Contractors, business associates, and other individuals or third party entities who have knowledge of an organisation’s security practices, confidential information, or access to protected networks or databases also fall under the umbrella of insider threat.

Insider threat events are less frequent than external attacks, but when they do happen they usually pose a much higher severity of risk for organisations. In one study by Gartner that examined malicious insider incidents, 62 per cent involved employees looking to establish a second stream of income off their employer’s sensitive data, 29 per cent stole information on the way out of the door to help future endeavours and 9 per cent were saboteurs. Information of huge value is stored digitally, and insiders put that value at risk. Cases of trusted insiders who abused their privileges to remove data include the theft and disclosure of classified information by Edward Snowden and the exfiltration of several million files from the secure network of GE Healthcare by Jun Xie.

Insider threats are often disgruntled employees or ex-employees who believe that the organisation has ‘done them wrong’ and feel justified in taking revenge. Ponemon reported that 43 per cent of businesses need a month or longer to detect employees accessing files or emails they’re not authorised to see, and 62 per cent of business users report that they have access to organisation data that they probably should not see. As a result, when such users break policy accidentally or choose to steal, their actions stand to do a tremendous amount of damage to an organisation. The risk posed by insider threats, compounded by some of the common shortfalls in IT security, unnecessarily exposes organisations to higher insider risk.

Unwitting accomplice

More often, the insider is an unwitting accomplice who falls prey to social engineering and clicks on malware in a phishing email. According to a study by Mimecast, 45 per cent of IT executives say malicious insider attacks are one of the email security risks they are most ill-prepared to cope with. In the cyber-attack against Ukrainian power companies, malware implanted through a phishing email targeting IT staff and system administrators allowed malicious outsiders to gain insider access to the system. The same applies to an outside person who poses as an employee by obtaining false credentials: they obtain access to the computer systems or networks, and then conduct activities intended to cause harm.

Insider threats often begin with an individual or entity being given authorised access to sensitive data or areas of a company’s network. Many individuals with authorised access are also aware of certain security measures which they must circumvent in order to avoid detection. When an individual decides to use this access in ways other than intended – abusing privileges with malicious intent towards the organisation – that individual becomes an insider threat. Insider threats also don’t have to get around firewalls or other network-based security measures since they are already operating from within the network. For instance, a former employee using an authorised login won’t raise the same security flags as an outside attempt to gain access to a company’s network.

Businesses are built on teams and require counterparts to trust and support one another, making it difficult for colleagues to acknowledge warning signs and red flags when they are present. This further complicates the challenges that exist in successfully defending against insider threats. Often, warning signs are present but may go unreported for years because colleagues of these individuals are unwilling or hesitant to accept the idea that a trusted co-worker could be engaged in treason. Insiders convicted of espionage have often been active for years prior to being caught, leading to incomprehensible security risks within the organisation.

Often difficult to detect

Organisations overwhelmingly continue to direct security funding to traditional network defences that fail to prevent damage from insiders. At the same time, there is an overall lack of the knowledge and visibility into user access and data activity that is required to sufficiently detect and defend against insider threats. The nature of insider threats is different from other cybersecurity challenges, and these threats require a different strategy for preventing and addressing them. Hence, insider threats are often more difficult to detect and block than outside attacks.

Insider theft and negligence are real, and so are the practices that amplify the risks. If organisations wish to protect themselves from insider threats, addressing insider threats to sensitive data must be a critical component of any modern security programme, and the security strategy should combine comprehensive data on user and system behaviour, advanced analytic tools and automated incident response. Organisations should also implement user activity monitoring, privileged user monitoring and third party monitoring to detect cybersecurity incidents which are unintentional. With a little education and an Insider Threat Programme, an organisation can cut these security incidents in half. Organisations will have to balance privacy and security, while the government will have the added responsibility of regulating privacy.

(The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria Pvt Ltd. He is the founding member and Secretary of the (ISC)2 Chennai Chapter and a board member of the (ISC)2 Colombo Chapter. He can be emailed at sujit@layers-7.com)