Insider Threats: An Underestimated Risk
What is an insider threat? Security professionals know that insider threats, by their nature, are a broad-based threat and, more than ever before, can be extremely difficult to defend against. In this article, we will briefly discuss the possible risks, as well as some options for building up your defenses.
There are a range of possible motivations for insiders to hurt an organization, including greed, anger, and many more. Similarly, there are many possible methods by which an insider can damage or threaten an organization. Theft of property or information, or physical or electronic damage are all possible and different detection and defensive measures are indicated for each, tailored to the business that the organization is in. To be of most general use, we will focus mostly on cybersecurity issues, which apply to most organizations.
One area that is of particular importance today is the challenge of protecting confidential materials and data, and how important it is for innovative organizations to prevent the theft or alteration of intellectual property. Intellectual property can be stolen by an employee which can be sold to a competitor or foreign government, transmitted to a competitor in return for new employment, or even used to start their own company. A real-world example of this is the lawsuit between Cadence and Avanti, two semiconductor companies that had a six-year long court battle because of allegations that an insider stole confidential software code from Cadence, which was then used to found Avanti.
Working to prevent insider cyber threats involves careful monitoring of the company’s network, seeing what information has been downloaded and determining whether information has been downloaded to external sites. The trick is to strike the right balance of monitoring and privacy to sustain some level of employee confidentiality. Usually, a clear policy of network monitoring helps alleviate any concerns; without such a policy, employees can react badly if they discover they are “being spied on”. And, there may even be some applicable parts of the GDPR and other regulations that limit the employer’s ability to monitor employees. But at the same time, the business should control its risks and limit the damages it would suffer from the insider threats as much as possible.
One of the best ways to defend against insider threats is to ensure that critical data has a chain of custody. This can be accomplished using an automated verification solution that monitors the storage and retrieval processes for anomalies and triggers alerts when unexpected or unauthorized operations are attempted. Implementing this kind of system would apply to critical customer data, design and business information and even to stored video surveillance footage.
For example, insiders that are planning thefts, vandalism, or other unwanted behaviors would be aware of video surveillance cameras and could also know where the video surveillance data is stored. Doing some malicious file deletions, including the footage that would otherwise incriminate them, would be a good way to help cover their tracks. Most organizations would not be aware that something like this was happening, unless they were using an automated verification solution. Automated verification solutions are really needed to make sure the chain of custody is maintained, and the evidence is valid. By virtue of having an automated verification system that is analyzing, checking and watching for anomalies, an organization will be on top of potential threats to the security environment. If that system has the capability, it can also monitor who is on the network, who has authorization for what operations and who did what and when. From the forensic angle, it's a powerful ability to do ongoing, automated continuous anomaly detection.
One more powerful tool for battling insider threats is to decrease the chances of account misuse – that is, someone ‘borrowing’ the login information of a person with higher network authorities. This can be straightforwardly minimized by implementing two-factor authentication, particularly when one of the authentication methods is based on biometrics.
Whether their objective is tied to greed, sabotage or espionage, insiders can cause enormous damage to all types of organizations. With sensible protective measures in place, much of the potential for cyber damage can be reduced. Don’t wait until an incident occurs – encourage your IT and security management to cooperate and take proactive steps.