Every organization has to deal with cyber security breaches. Large and small, public and private, commercial and non-profit – all companies have data that is crucial for their daily operations, and this data needs to be thoroughly protected.
Every company protects data, but some are more diligent about it than others. Some companies heavily invest in security to cover all potential vectors of attack. Others stick to complying with regulations and don’t invest beyond that. Still others simply limit investment to the bare essentials such as antivirus software and firewalls without considering other threats their data faces.
In reality, your data can be compromised in a variety of ways, with some threats originating from outside your organization and others coming from within.
The scope of insider threats
According to a cyber security report by Intel, 43% of data loss in 2015 was caused by insiders. This includes both data lost due to malicious insider attacks as well as due to inadvertent employee mistakes.
Moreover, insider breaches are becoming more frequent as evidenced by the 2016 Insider Threat Spotlight Report, which also says that 74% of companies don’t feel prepared to face insider threats.
These numbers show us that insider threats are a serious issue for the majority of companies. However, some companies are affected more than others. Malicious insiders pose the greatest threat to government, healthcare, financial, and educational institutions, outpacing external actors in those sectors in terms of the number of data breaches they’re responsible for.
However, even if you aren’t in one of the more vulnerable industries, you still shouldn’t neglect potential insider-related data breaches. As evidenced by the 2014 breach of British retail chain Morrisons – one of the bigger recent cyber security breaches, which resulted in a leak of sensitive data about 100,000 employees – no industry is fully secure from insider attacks.
The danger of insider threats
Besides the fact that insider threats are widespread, they’re also particularly hard to deal with. When talking about what exactly makes insider threats so dangerous, there are three main factors that need to be considered.
1. Insider attacks are hard to detect
Any person with legitimate access to sensitive data can be considered an insider. The scope of access determines the level of risk an employee poses.
If employees have legitimate unlimited access to sensitive data, it’s very hard to distinguish potential misuse from their regular work routines. Even if employees’ access is limited, they can still use their influence to get other credentials or alter permissions without raising suspicion.
As a result, it can easily take years to detect data theft or misuse by malicious insiders. Without a way to see what exactly your employees are doing during sessions with sensitive data, you can only hope for carelessness or a mistake on their part to help you detect a cyber security breach.
2. Insider attacks are costly to remediate
Even if a data breach is detected right away, it can be very costly to remediate depending on the scope. The costs of notifying all affected parties, dealing with public relations fallout, conducting an investigation, and trying to minimize the damage add up quickly – not to mention dealing with potential lawsuits.
The longer a breach goes undetected, the more these costs rise. Further, attackers usually stay in systems and keep compromising data, which keeps adding to remediation costs.
Considering that the average detection time for an insider attack is long, insider breaches on average cost more than any other type of attack, a conclusion supported by cyber security breach statistics as reported in the 2015 cost of cyber crime study by Ponemon. Another factor adding to the cost is additional challenges in investigating insider threats.
3. Insider attacks are hard to investigate
The fact that insider attacks are so hard to detect contributes to the difficulty of investigating them. But even beyond the difficulty of detection, it’s easy for a tech-savvy user with legitimate access to cover misuse.
Even if perpetrators get caught, they can always deny any malicious intent and claim that they simply made a mistake. In some cases, it can be hard to prove guilt and thus prosecute the perpetrator.
The difficulty of investigating and prosecuting coupled with the potential damage to value and reputation leads many organizations not to disclose data breaches caused by malicious insiders. As a result, insider attacks often go unreported, leading other companies to underestimate their frequency and associated risks.
Types of breaches to consider
There are numerous scenarios for insider breaches, and it’s impossible to be prepared for everything. However, there are certain types of incidents that occur frequently enough and affect enough companies across a wide range of industries to be considered more or less universal.
We’ll look at five types of insider threat-related incidents that are extremely widespread. By putting controls in place that cover these five cases, you’ll be able to cover the majority of your insider threat-related risks regardless of the industry you’re in and the size of your company.
1. Data misuse by privileged users
Privileged users are the most dangerous insiders since they have the most access to your company’s sensitive data. This means that privileged users have more opportunities to leak data by mistake, misuse data, or steal data than anyone else within your company.
One of the most frequent cases of insider attack by privileged users is fraud via data misuse. Employees often look up clients’ personal information and then sell it, use it for personal gain, or use it to process fraudulent transactions.
One of the latest examples of this is a case that concluded earlier this year; an employee of the Jeffersonville Bank was sentenced to prison for fraud and money theft. The crime involved illegal withdrawals of more than $300,000 total over the course of several years. The employee illegally accessed and used client data to commit this fraud.
Fraud and data misuse by employees aren’t rare in the financial industry, which is known for frequent insider trading scandals. In order to prevent such cases, you need to both carefully manage user access and be able to see exactly what users are doing with data.
- Perform regular background checks
Regular background checks and screenings will help you learn about any sudden changes in the financial position or lifestyle of your employees. If employees suddenly increase their spending, pay off debts, or start traveling much more than usual without any obvious reason, it’s worth looking into whether they’re misusing company data for personal gain.
- Limit the number of privileged users
The fewer users have access to sensitive data, the easier it is to protect your company from cyber security breaches. Therefore, you should always apply the principle of least privilege to limit the privileges each user has. You should also try to divide any task involving sensitive data among several users. Forcing users to cooperate greatly reduces the risk of any one of them misusing data.
- Control access to sensitive data
You should always use an access control system that allows you to distinguish among users of shared accounts (for example, system administrators) and that serves as an additional layer of login protection. Access control also allows you to know who accesses sensitive data and when, thus aiding in both detecting and investigating insider attacks.
- Monitor user actions
It’s important to be able to clearly see what privileged users do with your company's sensitive data. User action monitoring software provides full video recording of user sessions, allowing you to see exactly what's going on.
Such software serves both as a deterrent as well as a powerful detection and investigation tool. Real-time alerting functionality allows you to detect suspicious incidents quickly, while a tamper-proof audit trail serves as a solid basis for finding and prosecuting a perpetrator.
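The three controls above (least privilege, dividing sensitive tasks among several users, and attributing actions on shared accounts to a named person with an audit trail) can be demonstrated together in a small authorization layer. The following is an added example written for this article, not Ekran System code; the roles, users, resource names and audit records are all constructed for illustration.

```python
"""Least privilege, separation of duties and shared-account attribution.

Added example, not Ekran System code. Roles, users, resources and the
audit records are all constructed for illustration.
"""
from datetime import datetime, timezone


class AccessDenied(Exception):
    pass


# Each role carries only the permissions its job requires (least privilege).
ROLE_PERMISSIONS = {
    "teller": {"customer.read"},
    "payments_officer": {"customer.read", "transfer.initiate", "transfer.approve"},
    "sysadmin": {"server.login", "db.backup"},
}

# Constructed user directory. "ops_admin" is a shared account: whoever uses it
# must also present a secondary identity, so the audit trail names a person.
USERS = {
    "alice": {"roles": {"teller"}, "shared": False},
    "bob": {"roles": {"payments_officer"}, "shared": False},
    "carol": {"roles": {"payments_officer"}, "shared": False},
    "ops_admin": {"roles": {"sysadmin"}, "shared": True},
}

AUDIT_LOG = []          # who (actor), through which account, did what, to what, when
PENDING_TRANSFERS = {}  # transfer id -> record awaiting a second pair of eyes


def permissions_for(user):
    """Union of the permissions granted by the user's roles."""
    roles = USERS.get(user, {}).get("roles", set())
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def check_access(user, permission, resource, actor=None):
    """Authorize one action and record it, allowed or not.

    `actor` is the secondary identity behind a shared account; for a personal
    account it defaults to the account name itself.
    """
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "account": user,
        "actor": actor or user,
        "permission": permission,
        "resource": resource,
    }
    if USERS.get(user, {}).get("shared") and actor is None:
        entry["result"] = "denied: shared account used without secondary identity"
    elif permission not in permissions_for(user):
        entry["result"] = "denied: permission not granted to this account"
    else:
        entry["result"] = "allowed"
    AUDIT_LOG.append(entry)
    if entry["result"] != "allowed":
        raise AccessDenied(entry["result"])
    return entry


def is_allowed(user, permission, resource, actor=None):
    """Boolean wrapper around check_access for callers that prefer no exceptions."""
    try:
        check_access(user, permission, resource, actor)
        return True
    except AccessDenied:
        return False


def initiate_transfer(user, transfer_id, amount):
    check_access(user, "transfer.initiate", transfer_id)
    PENDING_TRANSFERS[transfer_id] = {"initiator": user, "amount": amount, "approved_by": None}
    return PENDING_TRANSFERS[transfer_id]


def approve_transfer(user, transfer_id):
    """Separation of duties: the approver must be a different person than the initiator."""
    check_access(user, "transfer.approve", transfer_id)
    transfer = PENDING_TRANSFERS[transfer_id]
    if transfer["initiator"] == user:
        raise AccessDenied("separation of duties: initiator cannot approve their own transfer")
    transfer["approved_by"] = user
    return transfer


def who_touched(resource):
    """Investigation helper: every (actor, account, result) recorded against a resource."""
    return [(e["actor"], e["account"], e["result"]) for e in AUDIT_LOG if e["resource"] == resource]


if __name__ == "__main__":
    initiate_transfer("bob", "T-1001", 5000)
    print(is_allowed("bob", "transfer.approve", "T-1001"))        # True: bob has the permission...
    try:
        approve_transfer("bob", "T-1001")                          # ...but cannot approve his own transfer
    except AccessDenied as e:
        print(e)
    print(approve_transfer("carol", "T-1001"))
    print(is_allowed("ops_admin", "server.login", "db01"))        # False: no secondary identity
    print(is_allowed("ops_admin", "server.login", "db01", actor="dave"))
    for row in who_touched("db01"):
        print(row)
```

Note that denied attempts are written to the audit log just like allowed ones; the denied entries are exactly what an investigator later looks for. The in-memory list stands in for the tamper-proof audit trail the text describes; a real deployment would ship these records to append-only storage.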
2. Data leaks by third-party vendors
After privileged users, the second-most risky insiders are subcontractors and third-party providers. Nowadays, every company works with a variety of contractors and third parties, most of whom have remote access to company infrastructure, which often includes sensitive data.
The problem lies in the fact that it’s impossible for a company to control what's happening on the remote user's end. Even if your own security is rock solid, there’s no real way to tell whether a subcontractor upholds the same high standards.
In 2013, US retail chain Target suffered a huge data breach that exposed approximately 40 million credit card numbers. This IT security breach was caused by a hacker who got into Target’s system by compromising a third-party vendor and using their legitimate access. The Target case shows that even large companies are not immune to insider threats coming from third-party vendors and subcontractors.
Preventing insider attacks by subcontractors and third-party vendors is extremely hard. All you can really do is screen your partners carefully and make sure you know exactly what they’re doing with your data.
- Evaluate the security of third-party vendors and subcontractors
Your best chance to assess the cyber security of a third-party vendor is when you’re choosing the company you’re going to work with. It’s best to not only get a complete overview of the security controls a third-party vendor has in place, but also, if possible, to go to their office and see in person the security they have.
Beyond that, you should put your expectations regarding cyber security into your contract with a third-party vendor. Formalizing security standards and procedures in a written agreement allows you to make sure they’re followed in the future.
- Control access and monitor user behavior
As with data misuse by privileged users, access control and user action monitoring are your prevention, detection, and investigation tools when it comes to insider threats. It’s extremely important to know what subcontractors and third parties are doing with your company’s sensitive data, and the only way to reliably do this is to have full recordings of every session available when necessary.
- Use temporary access solutions
Another way to limit potential cyber security breaches by subcontractors and third parties is to limit their access to your infrastructure as much as possible. To this effect, you can use temporary access solutions such as one-time passwords to give access to third parties and subcontractors only when they need it. A system administrator can manually approve each connection, thus fully controlling when data is accessed and what users do with it.
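The temporary access flow just described (a contractor requests access, a named administrator approves it, and a one-time password opens a single session inside a short window) can be modelled as follows. This is an added example written for this article, not Ekran System code; the request store, server key, clock values and contractor names are constructed, and delivery of the one-time password to the contractor is assumed to happen out of band.

```python
"""Approved, one-time, time-limited access for contractors.

Added example, not Ekran System code. The request store, key and clock are
constructed; a real deployment would keep the server key in a secrets store
and deliver the one-time password to the contractor out of band.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

SERVER_KEY = secrets.token_bytes(32)   # constructed per process; never hard-code in real code
REQUESTS = {}                          # request id -> record


def _digest(otp):
    """Store only a keyed hash of the one-time password, never the password itself."""
    return hmac.new(SERVER_KEY, otp.encode(), hashlib.sha256).hexdigest()


def request_access(contractor, target, reason, now):
    """Contractor asks for access to one target system; nothing is granted yet."""
    rid = secrets.token_hex(8)
    REQUESTS[rid] = {
        "contractor": contractor, "target": target, "reason": reason,
        "requested_at": now, "status": "pending",
        "approved_by": None, "otp_digest": None, "expires_at": None, "used_at": None,
    }
    return rid


def approve(rid, admin, now, ttl_minutes=30):
    """A named administrator approves one request; returns the OTP for out-of-band delivery."""
    rec = REQUESTS[rid]
    if rec["status"] != "pending":
        raise ValueError("request is not pending: %s" % rec["status"])
    otp = secrets.token_urlsafe(12)
    rec.update(status="approved", approved_by=admin,
               otp_digest=_digest(otp), expires_at=now + timedelta(minutes=ttl_minutes))
    return otp


def redeem(rid, contractor, otp, target, now):
    """Open a session only if the request is approved, unexpired, unused, and matches."""
    rec = REQUESTS.get(rid)
    if rec is None or rec["status"] != "approved":
        return False, "no approved request"
    if rec["contractor"] != contractor or rec["target"] != target:
        return False, "request does not match contractor or target"
    if now > rec["expires_at"]:
        rec["status"] = "expired"
        return False, "approval window has passed"
    if not hmac.compare_digest(rec["otp_digest"], _digest(otp)):
        return False, "one-time password rejected"
    rec["status"] = "used"          # a second use of the same password is refused
    rec["used_at"] = now
    return True, "session opened for %s on %s (approved by %s)" % (contractor, target, rec["approved_by"])


if __name__ == "__main__":
    t0 = datetime(2017, 7, 12, 9, 0, tzinfo=timezone.utc)
    rid = request_access("vendor-tech-01", "build-server-02", "firmware patch", t0)
    print(redeem(rid, "vendor-tech-01", "anything", "build-server-02", t0))   # not approved yet
    otp = approve(rid, "admin.jane", t0 + timedelta(minutes=5))
    print(redeem(rid, "vendor-tech-01", otp, "build-server-02", t0 + timedelta(minutes=10)))
    print(redeem(rid, "vendor-tech-01", otp, "build-server-02", t0 + timedelta(minutes=11)))  # replay refused
```

Every record keeps who approved the access, when it was used and for which target, so the request store doubles as the audit trail for third-party sessions; pairing it with session recording gives you both the "when" and the "what" of a contractor's access.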
3. Industrial espionage by former employees
Another group of insiders that poses a high risk of conducting insider attacks is employees who either have received notice of termination or have decided to quit the company themselves. Such employees often think they don’t have anything to lose and may want to take advantage of their final weeks in the office to misuse or compromise data.
Industrial espionage is one example of how former employees can use your sensitive corporate data for personal gain. For example, earlier this year Waymo, a subsidiary of Alphabet Inc. that took over Google’s self-driving car business, sued Uber for infringement of intellectual property. Waymo accuses three of its former employees, including former project lead Anthony Levandowski, of stealing proprietary research data before quitting the company.
This case shows how former employees can take proprietary data, including intellectual property, product, and marketing information, as well as client details, and then use it to start a competing business or transfer it to a competitor.
To prevent cyber security breaches of this type, you need to carefully manage user access and monitor behavior to make sure there are no incidents.
- Make sure employee access is revoked immediately upon termination
Oftentimes, companies fail to revoke employee credentials after termination. This leads to situations where employees who no longer work at a company can still access its infrastructure. This allows them to easily steal data or otherwise damage the company without being noticed.
In order to avoid this type of situation, make sure that employee credentials are revoked immediately upon termination. Another compelling reason to revoke credentials is the fact that unused credentials are a security liability that can be exploited by external attackers.
- Monitor employee behavior before termination
Apart from making sure that the credentials of terminated employees are revoked as soon as possible, the only thing you can do to prevent or detect an insider attack is to closely monitor how employees who are leaving your company handle sensitive information. With user action monitoring software, you can gain clear insight into how departing employees use their access to sensitive data in their last couple of weeks in the office: you can see whether they copy any information without authorization or install any backdoors to access data at a later date.
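Revoking access on termination fails most often because nobody compares the HR roster with the account directory. The following added example (written for this article, not Ekran System code) reconciles the two and flags accounts of people who have left, accounts no employee owns, and accounts that have gone unused (the liability mentioned above); the roster, account list and dates are all constructed.

```python
"""Offboarding reconciliation: find accounts that should already be gone.

Added example, not Ekran System code. The HR roster and account directory
below are constructed; in practice they would come from the HR system and
from your directory service.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: employee id -> username and termination date (None = still employed)
HR_ROSTER = {
    "E100": {"user": "alice", "terminated": None},
    "E101": {"user": "bob", "terminated": date(2017, 6, 30)},
    "E102": {"user": "carol", "terminated": None},
}

# Constructed account directory: username -> enabled flag and date of last login
ACCOUNTS = {
    "alice": {"enabled": True, "last_login": date(2017, 7, 10)},
    "bob": {"enabled": True, "last_login": date(2017, 7, 5)},    # left on 30 June, still logging in
    "carol": {"enabled": True, "last_login": date(2017, 3, 1)},  # dormant for months
    "svc_legacy": {"enabled": True, "last_login": None},         # nobody in HR owns it
    "dave": {"enabled": False, "last_login": date(2016, 1, 1)},  # already disabled, fine
}


@dataclass
class Finding:
    account: str
    kind: str      # leaver_still_active | orphan | dormant
    detail: str


def reconcile(roster, accounts, today, dormant_days=60):
    """Compare enabled accounts against the roster and return what needs attention."""
    owner_by_user = {rec["user"]: rec for rec in roster.values()}
    findings = []
    for name, acct in accounts.items():
        if not acct["enabled"]:
            continue
        owner = owner_by_user.get(name)
        if owner is None:
            findings.append(Finding(name, "orphan", "enabled account with no employee in the roster"))
            continue
        term = owner["terminated"]
        if term is not None and term <= today:
            detail = "employee left on %s but account is still enabled" % term.isoformat()
            if acct["last_login"] and acct["last_login"] > term:
                detail += "; last login %s is AFTER termination" % acct["last_login"].isoformat()
            findings.append(Finding(name, "leaver_still_active", detail))
            continue
        last = acct["last_login"]
        if last is None or (today - last).days > dormant_days:
            when = last.isoformat() if last else "never"
            findings.append(Finding(name, "dormant", "no login since %s (threshold %d days)" % (when, dormant_days)))
    return findings


def accounts_to_disable(findings):
    """Leaver and orphan accounts are disabled outright; dormant ones go to the owner for review."""
    return sorted(f.account for f in findings if f.kind in ("leaver_still_active", "orphan"))


if __name__ == "__main__":
    results = reconcile(HR_ROSTER, ACCOUNTS, date(2017, 7, 12))
    for f in results:
        print("%-12s %-20s %s" % (f.account, f.kind, f.detail))
    print("disable now:", accounts_to_disable(results))
```

Run daily, this turns "revoke immediately" from a policy statement into a check that catches the cases where the ticket was never raised. A login dated after the termination date is the finding to escalate first, since it means the leaver's credentials have already been used.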
4. Compromise of trusted accounts via phishing
When thinking about insider attacks, you must not only consider instances of employees using their own credentials for malicious purposes, but also of situations where credentials become compromised and used by external perpetrators to gain access to your infrastructure.
One of the most popular tactics for compromising employee credentials is phishing emails. One famous phishing attack happened in 2015, when the Sony PlayStation Network was hacked and brought down by perpetrators who used phishing to get into the system.
Phishing emails are often used to infect a receiving computer with malware, which allows perpetrators to easily access your infrastructure and all your sensitive data. With a phishing attack, an employee is prompted to either click on a malicious link or download a malicious attachment that triggers the infection. Phishing emails are often used in tandem with social engineering to trick employees into revealing their own credentials to a perpetrator. In this case, the perpetrator can then use a legitimate set of credentials to target your company’s sensitive data, which makes them more or less indistinguishable from a malicious insider.
- Set up email spam filters
Spam filters are your first line of defense against phishing emails. Make sure your email server is properly configured and that all the necessary filters are up and ready.
You should also educate your employees on the dangers of social engineering and phishing emails in order to make sure they don’t fall victim to malicious links or attachments.
- Keep your software up to date
The majority of malware out there is based on existing vulnerabilities. By simply applying every official update as soon as possible for all software that you use, you can protect yourself from a large portion of malware spread via phishing emails.
Malware filters and anti-malware suites should catch some zero-day malware. But ultimately, there’s no way to fully protect yourself from malware. The best you should strive for is to be able to detect it early and deal with it quickly.
- Control access and monitor user actions
Perpetrators who use compromised employee credentials to access your corporate infrastructure are essentially indistinguishable from malicious insiders. You can use traditional insider threat detection tools like access control and user action monitoring to detect such intruders.
Alerts about unusual login times or unusual actions performed during a session are your cue that a malicious insider is in the system. Whether it’s a compromised account or a planned attack by an employee can be determined with a thorough investigation.
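The alerting described here (unusual login times, unusual actions in a session) rests on comparing each session with what that account normally does. The following added example, written for this article and not Ekran System code, builds a per-user baseline from historical audit records and raises alerts on deviations; the log format (timestamp followed by key=value pairs) and every log line are constructed for illustration.

```python
"""Baseline-and-deviation alerts over session audit records.

Added example, not Ekran System code. The log format (timestamp followed by
key=value pairs) and every line below are constructed for illustration; a
real baseline would be built from weeks of history, not a handful of lines.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """'2017-07-11T02:13:00Z user=bob host=10.0.0.55 event=login' -> dict, or None."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    rec = {"ts": ts}
    for key, value in KV_RE.findall(parts[1]):
        rec[key] = value.strip('"')
    return rec if "user" in rec and "event" in rec else None


def build_baseline(lines):
    """Per user: login hours seen, source hosts seen, actions performed."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set(), "actions": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        b = base[rec["user"]]
        if rec["event"] == "login":
            b["hours"].add(rec["ts"].hour)
            b["hosts"].add(rec.get("host", "?"))
        elif rec["event"] == "action":
            b["actions"].add(rec.get("action", "?"))
    return dict(base)


def detect(baseline, lines):
    """Return (user, alert_kind, line) for every deviation from the user's own history."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("-", "unparseable_line", line))
            continue
        user = rec["user"]
        b = baseline.get(user)
        if b is None:
            alerts.append((user, "unknown_user", line))
            continue
        if rec["event"] == "login":
            if rec["ts"].hour not in b["hours"]:
                alerts.append((user, "unusual_login_hour", line))
            if rec.get("host") not in b["hosts"]:
                alerts.append((user, "new_source_host", line))
        elif rec["event"] == "action" and rec.get("action") not in b["actions"]:
            alerts.append((user, "novel_action", line))
    return alerts


# Constructed history: what these two users normally do.
HISTORY = [
    "2017-07-03T09:02:11Z user=bob host=10.0.0.12 event=login",
    "2017-07-03T09:05:40Z user=bob event=action action=view_customer",
    "2017-07-04T10:11:02Z user=bob host=10.0.0.12 event=login",
    "2017-07-04T14:30:00Z user=bob event=action action=update_address",
    "2017-07-03T09:58:00Z user=alice host=10.0.0.21 event=login",
    "2017-07-03T10:20:00Z user=alice event=action action=view_customer",
]

# Constructed records from one night: bob's account behaves unlike bob.
TONIGHT = [
    "2017-07-11T02:13:00Z user=bob host=10.0.0.55 event=login",
    "2017-07-11T02:15:30Z user=bob event=action action=export_customers",
    "2017-07-11T09:01:00Z user=alice host=10.0.0.21 event=login",
    "2017-07-11T09:03:00Z user=alice event=action action=view_customer",
]

if __name__ == "__main__":
    for user, kind, line in detect(build_baseline(HISTORY), TONIGHT):
        print("%-6s %-20s %s" % (user, kind, line))
```

The three alerts this produces for bob's account (a 2 a.m. login, a never-seen source host, an action the account has never performed) are exactly the cue the text describes. They do not tell you whether bob or someone holding bob's credentials is behind it; that is what the session recording and the investigation are for.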
5. Inadvertent data leakage
Not all insider-related data breaches are caused by malicious perpetrators. In fact, almost half of all insider-related incidents are inadvertent. A recent example of this is the Verizon database leak that exposed records of 14 million customers. The leak was caused by an employee who made the whole database public by mistake.
Employees are never perfect, and thus mistakes cannot be fully avoided. The best you can do is educate your employees on the importance of following proper cyber security procedures and formalize those procedures as a written security policy in order to prompt employees to pay more attention to their actions. Beyond that, your best bet is to detect mistakes quickly and remediate them as soon as possible. Often, employees themselves don’t realize they’ve made a mistake. In this situation, traditional insider threat detection techniques can prove effective.
- Educate employees
It’s important that your employees realize the consequences of disregarding existing cyber security policies. By teaching them why following all cyber security procedures is necessary, you transform them into assets in your fight for data security. Cyber security awareness among employees will not only help reduce mistakes, but also help detect both malicious and inadvertent data breaches quicker.
- Create a strong cyber security policy
A written cyber security policy is a strong formal set of rules that your employees should be compelled to follow. It allows employees to know what exactly you expect from them and what the most important procedures are that they should follow. A written policy reduces the number of mistakes due to misunderstandings and increases the effectiveness of security controls that are already in place.
- Monitor user actions to detect leaks and simplify investigations
User action monitoring is the best way to detect any data breaches that originate within your organization. Action monitoring solutions can issue alerts about unusual activity, allowing security personnel to quickly check for potential incidents. Tamper-proof session recordings can also be used to investigate incidents and clearly show whether a company security breach was caused by malicious actions or an inadvertent action.
Risk assessment is the key to an effective insider threat program
The cases described above should not be taken as a manual for implementing your own insider threat program. Rather, these examples show widespread cases and aim to give you ideas on how you can use fairly universal procedures and solutions to combat a variety of insider threats.
Measures such as employing access control and user action monitoring solutions, raising employee cyber security awareness, and having a clear, written cyber security policy to follow are what will help you fight any type of insider threat and what should serve as the basis for your insider threat program.
However, the choice of how to implement these measures most effectively and what other controls to add depends on your current situation and threats your data actually faces.
The bottom line is that a thorough risk assessment is the key to any successful insider threat program and should serve as the basis for your security strategy going forward.
How Ekran System can help you fight insider threats
User action monitoring is one of the key tools for preventing, detecting, and investigating insider threats.
Ekran System is an affordable and feature-rich user action monitoring solution that you can use to establish an effective insider threat program to protect your data and prove compliance.
Ekran System functionality includes:
User action monitoring features
- Full video recordings of everything users see on their screens in a special indexed format
- Full metadata recording, including keystrokes, names of active windows, opened applications, visited websites, entered Linux commands, etc.
- Easily searchable records
- Tamper-proof audit trail
Access control features
- Two-factor authentication
- Secondary authentication to distinguish among users of shared accounts
- One-time password feature with manual approval of credentials
- Set of predefined alerts covering the most widespread cases of insider attacks
- Fully customizable alerts
- Ability to view live sessions and manually block users if necessary
- Integration with Active Directory, SIEM, and ticketing systems
- Support for a free database
- Easy deployment and maintenance, including automatic agent updates
- Flexible licensing scheme
- Floating licensing optimized for virtual environments
- Protected monitoring agent