[BreachExchange] Mitigating the insider threat to your business
Audrey McNeil
audrey at riskbasedsecurity.com
Wed Jul 6 19:19:24 EDT 2016
http://www.itproportal.com/2016/06/25/mitigating-the-insider-threat-to-your-business/
This year, we have seen a steady flow of high profile data breaches hitting
the headlines. Whether the result of unknown web vulnerabilities, DDoS
attacks or overall lax corporate data security policies, data breaches are
becoming an everyday occurrence. In fact, it is generally agreed that no
organisation is safe and that hackers will get in – but they can be stopped
before they cause damage to a business.
Traditionally, organisations have concentrated their breach mitigation
efforts on catching and preventing external threats; however, many of
today’s data breaches highlight the growing threat posed by insiders. Take
the recent Ofcom breach for example, where a former employee stole a large
amount of sensitive information about various TV companies and offered it
to his new employer – a competitor of his previous company. Unfortunately,
as this case shows, when sensitive information is readily available to
employees, there is the possibility for anyone to abuse their trusted
position.
Beware the unwitting insider threat
Another problem is that many organisations believe that the insider threat
only refers to employees acting consciously and maliciously, but this isn’t
always the case. There are also those who become unwitting helpers of an
outside threat, so the spectrum of the insider threat is usually much
wider than many organisations realise. In fact, the accidental insider
threat can often pose a much bigger problem for organisations, mainly
because there are so many of them.
It only takes one unsuspecting click or a casual download for an employee
to expose the entire company’s financial records. The Target breach in
2013, where cybercriminals stole the card details of 40 million customers
and the personal data of 70 million, was widely publicised; what is less
well known is that the hackers gained access to the retailer’s network
by stealing and using an insider’s credentials.
Ultimately, malicious or not, the end result is the same and with the
European General Data Protection Regulation (GDPR) pending, which will
include tougher penalties for businesses that fall victim to a breach, it’s
imperative that organisations are able to identify and stop both external
and internal threats before any damage is done.
Insider threats can be stopped
For too long, organisations have invested in perimeter based defences alone
– firewalls, antivirus and the like – on the basis that they can keep
criminals out of their networks. This leads to a false sense of security,
and has proven time and time again to be a failed strategy. Even if this
approach worked, it does not deal with the insider threat, where the person
is already on the inside. In fact, it is akin to protecting castles with
moats in an era of airplanes, and organisations need to move more of their
cybersecurity investments to monitoring and response.
Only by constantly and proactively monitoring the network will
organisations be able to gain full insight into everything that is
happening. This allows any questionable or unusual activity to be
identified straightaway. Indeed, the sign of a breach could be something as
small as regularly renaming files, downloading more documents than normal,
or access to an authorised file at an unusual time of the day, and
organisations cannot always rely on the security team to spot actions that
look normal to the human eye.
Detect fast, respond fast
Rapid detection is required to identify unusual activity before it leads to
a damaging data breach. Once the anomalous activity has been detected,
organisations need to quickly and automatically respond in order to
mitigate the threat and any risk to major information assets. IT teams need
to stop thinking about users according to what they look like and start
looking at what they do, through the deployment of user behavioural
analytics tools. Using these techniques, changes in a user’s behaviour can
be detected regardless of whether it is the actual user doing something
bad or a criminal impersonating that user after compromising or stealing
their credentials.
While there is no denying that perimeter security tools still have their
merits, they cannot protect against today’s sophisticated or unexpected
attacks alone – in particular with regard to the insider threat. Without
the ability to know exactly what is happening on the network and understand
what ‘normal’ activity looks like, employees could potentially remove data
from the organisation and remain undetected for some time.
Train your staff
Employee training is also becoming more important than ever. Businesses
need to make staff aware of the threats and risks to sensitive information,
to ensure that it is handled and processed in the correct manner. To avoid
becoming another Target, training must also cover advanced phishing and
social engineering so that employees can become more aware of the threats
facing them. If a workforce is not educated in identifying potential
phishing scams or adopting proper secure password etiquette, then it makes
a hacker’s job a lot easier. As an extra layer of security, businesses need
to make sure they have stringent encryption and access control rules in
place that prohibit employees from viewing unauthorised data.
All things considered, speed is of the essence when combating today’s
hackers. Regardless of how good your firewalls and training programmes are,
without deep visibility, information sharing and advanced security
intelligence, companies won’t be able to stop threats as soon as they
happen. With the EU GDPR promising to increase transparency, it’s now more
crucial than ever for organisations to put tools in place that will reduce
the time it takes to identify and respond to threats – both external and
internal.