SecurityWeek
Security Architecture

How to Mitigate the Threat Within


Depending on the study you consult, 74 percent to 90 percent of organizations believe they are vulnerable to insider threats. The truth is, the number should be 100 percent, as no organization is immune. But that doesn't mean we all have employees who are malicious. Far from it. Recent analysis by Ponemon finds that careless employees or contractors, not criminal or malicious insiders or credential thieves, were the root cause of 64 percent of the 3,269 insider incidents analyzed. There are many ways insiders can inadvertently expose their organization to risk. For example, Digital Shadows recently discovered over 500 SAP configuration files on publicly accessible file repositories on the Internet, as well as employees sharing ERP login credentials in public forums. Employees and third-party contractors helping to implement and maintain these types of systems are unwittingly providing cybercriminals with a gold mine of information.

We've long been aware of insider threats, and over the years organizations have taken steps to mitigate the risk. Some of this has been in response to regulatory compliance. For example, when the Sarbanes-Oxley Act (SOX) was passed more than 15 years ago, many organizations put measures in place to control access privileges and segregate duties. The General Data Protection Regulation (GDPR), which came into force on May 25, 2018, is yet another impetus to strengthen accountability and data stewardship. Also putting a spotlight on risk mitigation is the continuous stream of breaches in the headlines and the corresponding fallout for the organizations involved. Cyber risk is now one of the top business risks globally, and executives and boards of directors are asking security leadership what they can do to be better prepared.

As a security professional, it’s time to take a fresh look at what your organization can do to compensate for insider negligence. Whether you’re managing access, segregating duties, segmenting the network, relying on security technologies to detect anomalous behavior, or applying incident response playbooks, you’re limiting the effectiveness of these security measures unless you do your homework.

The homework I'm referring to is data classification: understanding what data you have, where it is, and how sensitive it is. You don't need to protect all of your data to the same degree; focus first on the data you consider to be the "crown jewels." This could be customer information, employee records, intellectual property, trade secrets, confidential data related to merger and acquisition activity, and so on. This isn't a trivial task, but it's essential to thwarting insider threats.

You now have the foundation to recognize and implement consistent access privilege management: who needs access to which data, and the true scope of what they legitimately need to get their jobs done. SOX compliance programs typically review access privileges every 90 days. However, 90 days is a long time if an insider is being unwittingly used, or for access privileges to remain active even though an employee changed roles during that period. Fortunately, because you've done your homework, you can apply automation to validate privileges far more frequently. By mapping employee roles in the human resources system to access rights, privileges can be reconciled in near real time: access that the current role does not justify is flagged, and accounts whose owners have left are disabled. You are also better able to spot opportunities to segregate duties and require two or more individuals or departments to share responsibility for key processes. Network segmentation is also more effective when you have a clear picture of how to restrict access to applications and data and limit the potential for negligence.
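The role-to-entitlement reconciliation described above, as an added example that is not part of the original article. It assumes a hypothetical role model (`ROLE_ENTITLEMENTS`), a small set of segregation-of-duties rules (`SOD_RULES`), and two constructed inputs: an HR export of active users and their roles, and an entitlement export from the application or IAM system. It flags orphaned accounts, grants the current role does not justify, missing grants, and toxic entitlement combinations held by a single identity.

```python
"""Added example: reconcile HR roles against granted entitlements.

Everything here is constructed for illustration; the role model, SoD rules
and sample users are hypothetical, not taken from any real system.
"""
from dataclasses import dataclass

# Hypothetical role model: each HR role maps to the entitlements it legitimately needs.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:vendor_read", "erp:invoice_create"},
    "ap_manager": {"erp:vendor_read", "erp:invoice_approve"},
    "hr_analyst": {"hris:employee_read"},
    "erp_contractor": {"erp:config_read"},
}

# Segregation-of-duties rules: entitlement pairs no single identity may hold.
SOD_RULES = [
    ("erp:invoice_create", "erp:invoice_approve"),
    ("erp:vendor_create", "erp:payment_release"),
]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "orphan", "excess", "missing", or "sod"
    detail: str


def reconcile(hr_roles, entitlements):
    """Compare HR roles against granted entitlements.

    hr_roles:     {user: role} for active employees and contractors only; a user
                  absent from this map has been offboarded in HR.
    entitlements: {user: set of entitlement strings} as exported from the
                  application or IAM system.
    Returns a sorted list of Finding objects.
    """
    findings = []
    for user, held in entitlements.items():
        role = hr_roles.get(user)
        if role is None:
            # The account outlived its owner: the classic stale-access case.
            findings.append(Finding(user, "orphan", "no active HR record; disable account"))
            continue
        expected = ROLE_ENTITLEMENTS.get(role, set())
        for ent in sorted(held - expected):
            findings.append(Finding(user, "excess", f"{ent} is not part of role {role}"))
        for ent in sorted(expected - held):
            findings.append(Finding(user, "missing", f"{ent} required by role {role} but not granted"))
        for a, b in SOD_RULES:
            if a in held and b in held:
                findings.append(Finding(user, "sod", f"{a} and {b} held by one identity"))
    return sorted(findings, key=lambda f: (f.user, f.kind, f.detail))


def users_to_remediate(findings):
    """Users whose access must change now: orphans, excess grants, SoD conflicts."""
    return sorted({f.user for f in findings if f.kind in ("orphan", "excess", "sod")})


# Constructed sample: alice moved from ap_clerk to ap_manager but kept her old grant,
# so she now holds an SoD-conflicting pair; bob's contract ended but his account
# remains; carol is provisioned exactly as her role requires.
SAMPLE_HR = {"alice": "ap_manager", "carol": "hr_analyst"}
SAMPLE_ENTITLEMENTS = {
    "alice": {"erp:vendor_read", "erp:invoice_create", "erp:invoice_approve"},
    "bob": {"erp:config_read"},
    "carol": {"hris:employee_read"},
}

if __name__ == "__main__":
    for f in reconcile(SAMPLE_HR, SAMPLE_ENTITLEMENTS):
        print(f"{f.user:6} {f.kind:7} {f.detail}")
    print("remediate:", users_to_remediate(SAMPLE_HR and reconcile(SAMPLE_HR, SAMPLE_ENTITLEMENTS)))
```

Run against real exports, this is the check that shrinks the 90-day review window to however often the HR feed is pulled. Note that "missing" findings are provisioning gaps, not security findings; they are reported so that the role model itself can be corrected when it drifts from reality.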

Data classification and consistent protection throughout the data lifecycle go a long way toward insider threat prevention. But what about detection and containment? The same Ponemon analysis finds that it takes an average of 73 days to contain an insider threat. You've made significant investments in layers of defense such as intrusion detection systems, data loss prevention (DLP), and endpoint protection. You may also have invested in User and Entity Behavior Analytics (UEBA), designed to look at patterns of behavior of people and systems. These tools can automate many of the laborious tasks of detecting, monitoring, and alerting on suspicious or malicious activity, and orchestration tools and playbooks can respond automatically to contain an attack. But if your tools don't know what's normal and acceptable, or which data matters, they can't distinguish misuse from routine activity and act on it.

One of the challenges is that data, data sources, data locations, and the users of that data continuously evolve. Mergers and acquisitions, digital transformation projects, and growth are just some of the events that can blur your understanding of the data you have, where it resides, and how it is used. It's easy to lose control of your data in a dynamic environment, so periodic review of your data and its classifications is essential.

You can prevent insider-related incidents and accelerate detection and containment when an attack does happen. Just remember, your defenses and automation only work effectively when you do your homework. And if you’ve engaged in data classification exercises in the past, it’s probably time to do so again.
