Security Experts:

Connect with us

Hi, what are you looking for?


Security Architecture

How to Mitigate the Threat Within

Depending on the study you consult, 74 percent to 90 percent of organizations believe they are vulnerable to insider thre

Depending on the study you consult, 74 percent to 90 percent of organizations believe they are vulnerable to insider threats. The truth is, the number should be 100 percent as no organization is immune. But that doesn’t mean we all have employees who are malicious. Far from it. Recent analysis by Ponemon (PDF) finds that careless employees or contractors were the root cause of 64 percent of the 3,269 insider incidents analyzed – not criminal or malicious insiders, or a credential thief. There are lots of ways insiders can inadvertently expose their organization to risk. For example, Digital Shadows recently discovered over 500 SAP configuration files on insecure file repositories over the Internet, as well as employees sharing ERP login credentials in public forums. Employees and third-party contractors helping to implement and maintain these types of systems are unwittingly providing cybercriminals with a gold mine of information.  

We’ve long been aware of insider threats and over the years organizations have taken steps to mitigate risk. Some of this has been in response to regulatory compliance. For example, when the Sarbanes-Oxley Act (SOX) was passed more than 15 years ago, many organizations put measures in place to control access privileges and segregate duties. The new General Data Protection Regulation (GDPR) which came into force on May 25, 2018 is yet another impetus to strengthen accountability and data stewardship. Also putting a spotlight on risk mitigation is the continuous stream of breaches in the headlines and the corresponding fallout to organizations. Cyber risk is now one of the top business risks globally. Executives and boards of directors are asking security leadership what they can do to be better prepared to mitigate risk.

As a security professional, it’s time to take a fresh look at what your organization can do to compensate for insider negligence. Whether you’re managing access, segregating duties, segmenting the network, relying on security technologies to detect anomalous behavior, or applying incident response playbooks, you’re limiting the effectiveness of these security measures unless you do your homework.

The homework I’m referring to is managing your data classification – understanding your data and where it is. You don’t have to protect all your data, just the data you consider to be the “crown jewels.” This could be customer information, employee records, intellectual property, trade secrets, confidential data related to merger and acquisition activity, etc. This isn’t a trivial task, but it’s essential to thwart insider threats.

You now have the foundation to recognize and implement consistent access privilege management – who needs data access and the true scope of what they legitimately need to get their jobs done. SOX requires access privileges be reviewed every 90 days. However, 90 days is a long time if an insider is being unwittingly used, or for access privileges to remain active even though an employee may have changed roles during that p
eriod. Fortunately, because you’ve done your homework, you can apply automation successfully to validate privileges more frequently. By mapping employee roles within human resource systems to access rights, privileges can be updated in near real time. You are also better able to spot opportunities to segregate duties and require two or more individuals or departments to share responsibilities for key processes. Segmentation is also more effective when you have a clear picture of how to restrict access to applications and data and limit the potential for negligence.

Data classification and consistent protection throughout the lifecycle goes a long way toward insider threat prevention. But what about detection and containment? The same analysis by Ponemon finds that it takes an average of 73 days to contain an insider threat. You’ve made significant investments in layers of defense like intrusion detection systems, data leakage prevention, and endpoint protection. You may have also invested in User and Entity Behavior Analytics (UEBA) designed to look at patterns of behavior of people and systems. These tools can automate many of the laborious tasks to detect, monitor, and alert you to suspicious or malicious activity. Orchestration tools and playbooks can automatically respond to contain an attack. But if your tools don’t know what’s normal and acceptable, they can’t detect misuse and act.

One of the challenges is that data, data sources, data location, and users of that data continuously evolve. Mergers and acquisitions, digital transformation projects, and growth are just some of the events that can blur your understanding of the data you have, where it resides and how it is used. It’s easy to lose control of your data in a dynamic environment. Periodic review of your data and their classifications is essential.

You can prevent insider-related incidents and accelerate detection and containment when an attack does happen. Just remember, your defenses and automation only work effectively when you do your homework. And if you’ve engaged in data classification exercises in the past, it’s probably time to do so again.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Security Architecture

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Risk Management

In this virtual summit, SecurityWeek brings together expert defenders to share best practices around reducing attack surfaces in modern computing.

Incident Response

Implementation of security automation can be overwhelming, and has remained a barrier to adoption

Application Security

Vulnerability researchers at Google Project Zero are calling attention to the ongoing “patch-gap” problem in the Android ecosystem, warning that downstream vendors continue to...