[BreachExchange] How to spot and prevent insider threats

Destry Winant destry at riskbasedsecurity.com
Thu Jun 29 02:50:12 EDT 2017


http://www.csoonline.com/article/3202770/access-control/how-to-spot-and-prevent-insider-threats.html

In June, Netherlands-based web hosting provider Verelox had to
completely shut down its services, preventing customers from accessing
their data and virtual servers.

Was this another example of ransomware? An outside hacker up to
mischief? Nope. The company’s headaches were caused by a disgruntled
ex-employee who “deleted all customer data and wiped most servers,”
according to Verelox, as quoted in International Business Times.

Fortunately, Verelox bounced back a few days later, without losing any
important data. But many similar incidents don’t have such a positive
outcome. And experts say the insider threat to corporate data is
growing. Here’s what you need to know—and how to minimize the risks.

Setting the stage for insider threat

Fluid workforces, with countless contractors scattered globally,
combined with a growing dependency on cloud services as well as BYOD
devices, are ushering in a new era of insider threat-related security
risks, notes Rich Campagna, SVP of product for cloud access security
broker Bitglass.

Remote workers in particular can pose a growing threat, adds Mike
McKee, CEO of ObserveIT, an insider threat monitoring and analytics
software provider. “One executive told me his company has 1,000
developers in India who have the company’s source code, not to mention
500 contractors in China, and it’s hard to accurately know what the
risk is,” he says. McKee adds that remote workers in home offices
could be more tempted to sell or exploit a company’s proprietary
information, vs. employees surrounded by colleagues in a corporate
office.

At the same time, companies are storing more data in the cloud, and
the more data that’s out there, the higher your risk of data theft.
“The marginal cost of storage is essentially zero today, so
organizations have little incentive to delete data,” notes Merritt
Maxim, senior analyst, security and risk, for research firm Forrester.
“So they just store everything. That means there is more potential
data available to steal.”

Plus, with all the money to be made on the dark web selling user names
and passwords, not to mention the growing value of source code and
other intellectual property, there’s plenty of reason to be concerned
about data theft by former or exiting employees. Security firm
Flashpoint identified a software company employee who attempted to
sell source code for about $15,000, PCWorld reported.

Of course, not all insider threats are malicious. “We’ve seen new
employees come on board that still have access to their previous
employer’s email system on their personal devices,” Campagna says,
noting the role BYOD can play in inadvertent insider data leaks.

The insider threat is real

Data theft by departing or current employees is a growing (and
potentially costly) problem, as research shows.

In a 2017 survey of security professionals from Haystax Technology, 56
percent of respondents said insider threats have grown more frequent
in the past year. And 75 percent of respondents believe the costs of
insider breach remediation could reach $500,000.

According to a 2016 IBM study, insiders are responsible for 60 percent
of all data breaches. Of those breaches, 75 percent were done with
malicious intent and 25 percent were accidental. A 2017 Verizon survey
puts the number of insider-led data breaches even higher, at 77
percent.

Accenture’s 2016 “State of Cybersecurity and Digital Trust” survey
found that insider data theft and malware attacks are the top concerns
of enterprise security executives. Most respondents, 69 percent, said
their company had experienced an attempted or successful theft (or
corruption of data) by insiders within the prior 12 months.

More than 1 in 4 respondents to a 2015 Biscom survey admitted taking
data when they left a company. Of those, 85 percent said they took
materials they created and didn’t feel it was wrong. And 95 percent of
those who took data said it was possible because their employer didn’t
have the tools or policies to prevent them, or that if their company
did have policies, they ignored them. (Biscom is a secure file sharing
service provider.)

3 things you can do to prevent insider threats

Automate the process of wiping devices

Many enterprises use Microsoft’s Active Directory (AD) service for
centralized user account management, says Campagna. When an employee
departs, someone in HR typically deactivates that employee’s AD
record, he explains. That deactivation should serve as a trigger to
automatically wipe the data off the exiting employee’s devices, he
adds. But too often that process is done manually, for various and
often complex reasons.

But Campagna encourages enterprises, whenever possible, to use mobile
device management, identity systems, and other security tools that
automatically sync to AD to trigger automatic data wipes. This can
help prevent departing users from continuing to access company data,
especially on cloud services that don’t require users to log out
periodically. For example, if due diligence isn’t performed, an
employee might continue using his or her company email account for
days, if not weeks, after leaving.

Automation is key to minimizing the insider threat of a former
employee, Maxim agrees. “This is where identity management solutions
come into play because they can automate the de-provisioning process
to ensure that users are removed from systems when they leave the
company.”

Maxim adds that such solutions “must still be accompanied by strong
internal governance, such as internal audits to verify that the
accounts were actually removed and that there is accountability to
identify and correct gaps in the system, such as managers who don’t
follow the off-boarding process in a timely manner. Two-factor
authentication can also help by making it harder to crack back into
systems.”
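The audit Maxim describes, as an added example rather than anything from the article or the vendors it quotes: reconcile an HR leaver list against a directory export and flag accounts that are still enabled, were disabled later than an assumed one-day off-boarding SLA, or show logon activity after the exit date, then tally findings per manager so gaps in the process are attributable. The sample data, the one-day SLA and the field names are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): an HR leaver list and a
# directory export, as an off-boarding audit would pull them from HR and AD.
HR_LEAVERS = [
    {"user": "alice", "left": date(2017, 6, 1), "manager": "bob"},
    {"user": "carol", "left": date(2017, 6, 10), "manager": "dave"},
    {"user": "erin", "left": date(2017, 6, 20), "manager": "bob"},
]
DIRECTORY = {
    "alice": {"enabled": False, "disabled_on": date(2017, 6, 1), "last_logon": date(2017, 5, 31)},
    "carol": {"enabled": True, "disabled_on": None, "last_logon": date(2017, 6, 25)},
    "erin": {"enabled": False, "disabled_on": date(2017, 6, 27), "last_logon": date(2017, 6, 24)},
}
SLA = timedelta(days=1)  # assumed policy: disable the account within one day of leaving


def audit(leavers, directory, sla=SLA):
    """Return (user, finding, manager) tuples for every leaver whose account
    was not de-provisioned as policy requires. A user with no directory
    record at all is treated as fully removed and produces no finding."""
    findings = []
    for leaver in leavers:
        acct = directory.get(leaver["user"])
        if acct is None:
            continue
        if acct["enabled"]:
            findings.append((leaver["user"], "STILL_ENABLED", leaver["manager"]))
        elif acct["disabled_on"] - leaver["left"] > sla:
            findings.append((leaver["user"], "LATE_DEPROVISION", leaver["manager"]))
        # Any logon after the exit date means the account kept working for the
        # ex-employee (or someone else) after they left.
        if acct["last_logon"] and acct["last_logon"] > leaver["left"]:
            findings.append((leaver["user"], "ACTIVITY_AFTER_EXIT", leaver["manager"]))
    return findings


def managers_with_gaps(findings):
    """Count findings per manager so repeat off-boarding failures stand out."""
    counts = {}
    for _, _, manager in findings:
        counts[manager] = counts.get(manager, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(HR_LEAVERS, DIRECTORY)
    for user, finding, manager in results:
        print(f"{user:8} {finding:20} manager={manager}")
    print("per-manager:", managers_with_gaps(results))
```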

Get HR, legal, security and business management working together

Ideally, teams across your organization should collaborate to identify
insider threats and prevent them from happening, advises Ryan LaSalle,
the Global Managing Director of Growth and Strategy at Accenture
Security.

“The first step is to know your users,” LaSalle says. “Who are they?
What are their roles? What should they be doing? Knowing your users
and what access they should have, what normal looks like for them, is
one of the biggest steps you can take to protect yourself.”

Next, know your data, LaSalle continues. “Where is it? Who has access
to it? What’s its value? If you know its value, you can better
identify risks and put better protections around it.”

Finally, collaborate with HR, legal and business management to better
connect the dots between your security monitoring tools and what’s
going on in your business.

“Security teams don’t usually have the context of what the users
should be doing,” LaSalle explains. “And business managers don’t
usually understand the risks that security is trying to defend
against.” That’s why it’s important to have these teams work together
to get the big picture, he says.

Don’t forget the human element

“So much of IT security is about machines, IP addresses and
networks—and not people,” notes McKee. “Don’t forget that there’s a
person involved in every data breach, and understanding what they did
before and after that breach is important, so you can be predictive
and proactive instead of just being reactive.”

It’s essential for managers to stay close to their direct reports,
LaSalle adds. “Managers are more likely to know when employees are
disgruntled or under financial duress or are getting ready to leave,
and all of those can be insider threat predictors. Your managers
should be your first line of warning against those threats.”
