September 2021 marks the third National Insider Threat Awareness Month. The month is promoted by the United States National Counterintelligence and Security Center (NCSC), which works across agencies to detect and mitigate the risk of insider threats. So what is an insider threat, why should we care, and what can we do about it? The experts below share their best practices for countering a problem that cost businesses over $2.7 million in 2020.
Insider threats can be deliberate or accidental and have increased by 47% in the past two years. According to Danny Lopez, CEO of Glasswall, “while it’s easier to assume it could never happen to your organization, taking responsibility for your security before an attack occurs is always the best option. Not all insider threats are malicious. In fact, many victims are completely unaware that their credentials were compromised in the first place. Employee training can be helpful in some cases, but it often overlooks the sophistication of cybercriminals and can create a fear-based culture where people are afraid to come forward if they’ve made a mistake. Your employees should not be your only line of defense against cyberattacks.”
As we normalize working from home and share more data at greater speed, employees have access to more information than ever before. Critical contributors to insider threats include employee turnover, poor data governance controls, and negligence. To proactively combat insider threats, Neil Jones, cybersecurity evangelist at Egnyte, shared, “a good first step to preventing ‘data leakage’ is to utilize a data governance platform that leverages machine learning, so that sensitive information is available to the correct organizational users, based on their business ‘need to know.’ Negligence can be combated with proper training, and by limiting access to files across the company. There is no reason that someone in the finance department should have access to road-mapped product development plans, without justifying their request with the product development team first.”
Software can help in various ways to avert the effects of a cyberattack before they occur. Carl D’Halluin, CTO of Datadobi, suggests that enterprises have a proper plan in place as a best practice for combating insider threats. “As organizations increasingly rely on unstructured data to perform day-to-day business-critical functions, they need to maintain prompt access to their data in the event of a disruption. An effective way to avoid downtime in the event of an insider threat is creating a ‘golden copy’ of business-critical data. Enterprises should maintain a secure golden copy of unstructured data in an air-gapped physical or cloud-based location. Limiting access to a golden copy decreases the chances of downtime either from an accidental human error or malicious insider threat.”
Describing another approach, Alex Pezold, CEO of TokenEx, explains tokenization as a data protection strategy. “By using tokenization, companies can minimize risk by removing sensitive data from their environments so that it cannot be compromised if their internal systems are breached. So even if a security control fails and allows a database to be accessed, only tokens will be available to the intruder while the original sensitive data is safely stored offsite.”
On another method of protecting data, Steve Moore, chief security strategist at Exabeam, notes that “utilizing behavioral analytics that can track and analyze user and machine data is critical. Behavioral analytics technology can identify threats lurking within an organization by determining whether certain behaviors are normal or a potential cause for alarm. For example, has this employee from this department ever signed into this system before, anyone from her department? Different kinds of unusual activity that are typical signs of insider threats, such as large data uploads, credential abuse, or unusual access patterns, can be detected this way.”
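The first-time-access question in the paragraph above can be expressed as a small detection rule. This is an added example, not code from the article or from any vendor it quotes; the event fields, the two-day baseline window, and the "low"/"high" labels are assumptions, and the sign-in events are constructed.

```python
from collections import defaultdict

# Constructed sample sign-in events: (day, user, department, system).
EVENTS = [
    (1, "alice", "finance", "erp"),
    (1, "bob", "finance", "erp"),
    (2, "carol", "engineering", "git"),
    (2, "alice", "finance", "erp"),
    (3, "dave", "engineering", "git"),     # new for dave, normal for his peers
    (3, "bob", "finance", "payroll"),      # new for bob and for all of finance
    (4, "alice", "finance", "payroll"),    # new for alice, but bob was there first
    (5, "alice", "finance", "git"),        # new for alice and for all of finance
    (5, "dave", "engineering", "git"),     # already seen, not reported
]

def score_events(events, baseline_days=2):
    """Flag first-time sign-ins once the baseline (learning) window has passed.

    A sign-in to a system the user has never used is "low" if someone in the
    same department has used it before, and "high" if nobody in the
    department has. Events inside the baseline window only build history.
    """
    seen_by_user = defaultdict(set)   # user -> systems the user has signed into
    seen_by_dept = defaultdict(set)   # department -> systems any member has used
    findings = []
    # sorted() is stable, so events on the same day keep their input order.
    for day, user, dept, system in sorted(events, key=lambda e: e[0]):
        new_for_user = system not in seen_by_user[user]
        new_for_dept = system not in seen_by_dept[dept]
        if day > baseline_days and new_for_user:
            severity = "high" if new_for_dept else "low"
            findings.append((day, user, system, severity))
        # Update history after scoring so an event never excuses itself.
        seen_by_user[user].add(system)
        seen_by_dept[dept].add(system)
    return findings

if __name__ == "__main__":
    for finding in score_events(EVENTS):
        print(finding)
```

The peer-group check is what keeps the rule usable: a new hire touching a system the whole team uses scores low, while a sign-in that is new for the entire department is the one worth an analyst's time.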
With protected golden copies of data, tokenization, and behavioral analytics all available, it is important to think about which solution makes the most sense for your organization and which insider attacks may be most devastating to your data. As Raffael Marty, senior VP of cybersecurity products at ConnectWise, summarizes, “Preparedness is about planning for the day that something happens and it should cover simple things like what the organization does when an employee leaves and goes all the way to establishing preparedness for a sabotage event like ransomware or electronic time bombs. It starts with monitoring devices but expands to understanding what employees are doing and making sure they are trained on cyber security issues like phishing, which is still one of the main initial vectors of attacks.”