Aug 27 2015

How to Defend Against Insider Threats

Businesses must prepare for inevitable cyberattacks triggered by employees.

The classic Hollywood portrayal of a lone hacker in a dark room in a country far away might sell popcorn, but it shouldn’t take business owners off their guard.

In the real world, the person behind an organization’s next security breach might be much closer than anyone realizes. A recent PwC survey on the state of U.S. cybercrime found that nearly 30 percent of all security incidents were triggered by insiders, which include employees, trusted contractors and partners.

Many insider incidents are not intentional. For example, a user might accidentally email a file containing highly sensitive information to an external address. But, for a small percentage of companies, such data breaches are no accident. Internal users with easy access to sensitive data steal it through emails, file sharing, removable media and even data printouts or photo downloads.

Insider data exfiltration can be more difficult to detect than other kinds of incidents because insiders typically enjoy authorized access to the data they are stealing.

Because people ultimately remain a part of the data security equation, it is impossible for SMBs to prevent every insider incident. They can, however, follow some straightforward steps to better protect sensitive data in the first place, and improve detection while blocking future attempts.


[Chart: Percentage of businesses that report having a plan for responding to insider threats. Source: PwC, “U.S. Cybercrime: Rising Risks, Reduced Readiness,” June 2014]

Develop a Plan

Policies and procedures are the most common security controls used to combat insider threats, according to “Insider Threats and the Need for Fast and Directed Response,” a survey by the SANS Institute. Given the percentage of incidents caused by insiders, those controls often seem ineffective.

While it’s important to ensure that policies and procedures regarding user behavior and acceptable use stay up to date, SMBs should give serious consideration to developing, implementing and regularly updating a mitigation plan for insider threats.

SMBs should have the ability to identify potential vectors for insider incidents — including both SMB-controlled and external paths such as social media, personal email accounts, personally owned flash drives or mobile devices — then determine how to detect and block attacks that incorporate each of those vectors.

The plan also should provide guidance on how to handle successful insider incidents.

Maintaining policies and following a sound security plan should significantly reduce the frequency and severity of incidents and help SMBs to more quickly detect and stop those that still occur, limiting their overall damage.

Control Access Points

Many of the security controls highlighted by an insider threat mitigation plan involve access control in one form or another. Some forms of access control — such as least privilege — are purely preventive.

Least privilege allows a user access only to the data necessary to perform his or her job. Every SMB should follow least privilege for all sensitive data access, which alone can significantly reduce the number of security incidents.

Store Centrally

Store sensitive data centrally whenever possible and grant user access only through restricted interfaces. Basically, instead of allowing users to view and manipulate enterprise databases directly, SMBs should let users see individual database records on an as-needed basis through an enterprise-controlled application.

Audit Regularly

To detect incidents, SMBs should make heavy use of auditing to track access to sensitive data. Not only is auditing the best way to find the source of an insider breach, but also it can prove a powerful deterrent when users are aware that actions involving sensitive data are monitored for signs of unusual activity.

Prevent Data Loss

A final access control technology that’s critically important for insider incident detection is data loss prevention, which examines an SMB’s outbound network communications (emails and file transfers) as well as host-based activities (copying files to removable media).

Scans can flag instances of any sensitive data handled in violation of the SMB’s policies. Remediation actions can range from warning a user about the policy violation or quarantining a suspicious email to disabling a user’s accounts and alerting incident responders.

Initially intended for larger enterprises, today’s DLP solutions are available to organizations of any size through inclusion in unified threat management technologies or even cloud-based DLP service providers.
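The tiered remediation described above, as an added example that is not from the article: a small Python policy scanner that counts sensitive values in outbound email, file transfers and removable-media copies, then picks warn, quarantine, or disable-and-alert. The internal domain, detection patterns, thresholds and sample events are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed policy for a hypothetical SMB; the domain and thresholds are illustrative.
INTERNAL_DOMAIN = "example.com"  # mail to this domain stays inside the SMB
WARN_MAX = 2                     # up to this many sensitive values: warn the user
QUARANTINE_MAX = 9               # up to this many: quarantine the message or copy
REPEAT_LIMIT = 3                 # prior violations at which accounts are disabled
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # candidates, Luhn-checked below

@dataclass
class OutboundEvent:
    user: str
    channel: str      # "email", "file_transfer" or "removable_media"
    destination: str  # external address, remote host or device id
    content: str

def luhn_ok(number: str) -> bool:
    """Luhn checksum, so arbitrary digit runs are not reported as card numbers."""
    digits = [int(c) for c in number if c.isdigit()][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
                for i, d in enumerate(digits))
    return total % 10 == 0

def find_sensitive(text: str) -> dict:
    """Count sensitive values in text, keyed by kind; an empty dict means clean."""
    found = {"ssn": len(SSN_RE.findall(text)),
             "card": sum(1 for m in CARD_RE.findall(text) if luhn_ok(m))}
    return {k: v for k, v in found.items() if v}

def decide_action(event: OutboundEvent, prior_violations: int) -> str:
    """Map one outbound event to the remediation tiers the article lists."""
    total = sum(find_sensitive(event.content).values())
    if total == 0 or event.destination.endswith("@" + INTERNAL_DOMAIN):
        return "allow"              # clean, or never leaves the SMB
    if prior_violations >= REPEAT_LIMIT or total > QUARANTINE_MAX:
        return "disable_and_alert"  # bulk exfiltration or a repeat offender
    if event.channel == "removable_media" or total > WARN_MAX:
        return "quarantine"         # hold the message or copy for review
    return "warn"                   # a single slip: remind the user of policy

# Constructed sample events; every value below is fabricated for illustration.
SAMPLE_EVENTS = [
    OutboundEvent("alice", "email", "bob@example.com", "payroll id 123-45-6789"),
    OutboundEvent("alice", "email", "me@mail.example.net", "my SSN is 123-45-6789"),
    OutboundEvent("carol", "removable_media", "usb-0042", "card 4111 1111 1111 1111"),
    OutboundEvent("dave", "email", "drop@mail.example.net",
                  "\n".join(f"{i:03d}-45-6789" for i in range(12))),
]
```

Running `decide_action` over `SAMPLE_EVENTS` with a violation count per user reproduces the escalation path: the internal payroll mail is allowed, a single external slip draws a warning, a card number headed for a USB stick is quarantined, and a bulk dump of records disables the account and pages responders.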
