What would you do if the biggest threat to your company’s cybersecurity is also your very best employee? Or your CEO? Or his kids?
What if it’s you?
Even the smallest of small businesses face the risk of insider threats. While the term has spy novel connotations, in the real world an insider threat is simply a threat that comes from people within or closely related to an organization.
Regardless of how or why the threat is introduced to your environment, the potential damage can be catastrophic. Take, for example, the story of the Georgia-Pacific sysadmin who was laid off in 2014. After he was terminated, his user credentials and VPN access were never revoked. Unhappy with being let go, the sysadmin logged on remotely and began causing trouble with the paper manufacturer’s operations at the Louisiana plant. For two weeks, he had his way with the factory and caused more than $1.1 million in damage due to work stoppages and waste.
An attack like this may seem cut and dried. You might even say that a terminated employee is technically an “outside threat.” You might even be right. But what about the internal threats that allowed him to do the damage in the first place?
The worst part of a situation like this is that there are multiple threats at play and all of them are internal. Why was a terminated employee able to retain his administrator credentials and VPN access? Was this a problem of training? A failure in policy? Both?
The gaps created in many day-to-day operations can introduce vulnerabilities just as easily as an unpatched server or a weak password. Yet there’s not always an easy report to run or a piece of enterprise software that can show you these gaps at a glance. So the vulnerabilities remain and can be exploited—intentionally or unintentionally.
Recent studies have revealed that insider threats, including those posed by workers making unintentional mistakes or failing to follow standard security protocols, are the cause of 60–75% of all workplace data breaches. Yet these threats can be even more difficult to catch, and stop, than an external attack. After all, insiders are supposed to be there. So what do you do?
Some common-sense best practices:
- Review your enterprise regularly and do risk assessments. It’s tough to protect comprehensively if you don’t have a good grasp of what needs protecting in the first place.
- Create a security awareness program. Yes, this includes mandatory training programs, and yes, employees will complain, but training and an ongoing awareness program allow employers to reinforce basic learning requirements and update them as threats change.
- Enforce a policy of least privilege and ensure separation of duties. For sysadmins, this means no more logging in to your local PC with the domain administrator account. It’s better to lock things down too tightly and loosen them up only after taking a critical look at what access a role really needs to do its job.
- Enforce complex password policies, turn on two-factor authentication, and ensure accounts and group roles are managed. Even today, account sharing and a password of “password” are real things that get account information stolen and cause intentional or unintentional damage. Lock things down—and make sure to train your users on how to manage their personal information.
- Log, monitor, and audit employee online actions. No one likes to talk about monitoring, but even good employees can accidentally run malware. If you’re not monitoring, you’ll be cleaning up, and it will be sooner rather than later.
- Integrate HR and IT policies that govern system access and access rights. When an employee quits, regardless of why, it’s vital that an organization have the ability to quickly and easily disable the user’s access across the enterprise. And before enabling a user’s full access, make sure they’ve been through your security awareness training!
- Clearly document your threat controls. This one is hard. There never seems to be enough time to document your procedures. But the more time you take to understand your environment (see step 1), the easier this will be.
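The Georgia-Pacific case above is exactly the gap that steps 3, 5 and 6 are meant to close: a terminated account that stayed enabled, kept its VPN and admin group memberships, and was never checked against sign-in activity. The following is an added example, not code from the article or from any product it mentions, of a small offboarding reconciliation check that a sysadmin could run on a schedule. It assumes three inputs an organization already has in some form: an HR export of terminated users, a directory export of accounts with their enabled flag and group memberships, and authentication log lines. The usernames, group names, dates and log lines are all constructed for the demonstration, and the `PRIVILEGED_GROUPS` set is an assumption to be replaced with whatever groups are privileged in your own environment.

```python
"""Offboarding reconciliation check (added example; all data below is constructed).

For every user HR says has been terminated, flag:
  - an account that is still enabled,
  - any group membership that still grants access (privileged groups called out),
  - any authentication event (success or failure) after the termination date.
"""
from datetime import datetime

# Constructed HR export: username -> termination date (ISO 8601 date).
HR_TERMINATIONS = {
    "jdoe": "2024-03-01",
    "asmith": "2024-03-15",
}

# Constructed directory export: username -> enabled flag and group memberships.
DIRECTORY = {
    "jdoe": {"enabled": True, "groups": ["VPN-Users", "Domain Admins"]},
    "asmith": {"enabled": False, "groups": ["VPN-Users"]},
    "bwong": {"enabled": True, "groups": ["VPN-Users"]},
}

# Constructed authentication log, one event per line:
# "<ISO timestamp> <username> <source> <SUCCESS|FAILURE>"
AUTH_LOG = """\
2024-03-02T08:14:00 jdoe vpn SUCCESS
2024-03-16T22:40:00 asmith vpn FAILURE
2024-03-10T09:00:00 bwong vpn SUCCESS
"""

# Assumption: groups whose lingering membership is worst (adjust to your environment).
PRIVILEGED_GROUPS = {"Domain Admins"}


def parse_auth_log(text):
    """Turn raw log lines into (timestamp, user, source, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, result = line.split()
        events.append((datetime.fromisoformat(ts), user, source, result))
    return events


def check_offboarding(terminations, directory, auth_log_text):
    """Return a list of (user, issue, detail) findings for terminated users."""
    events = parse_auth_log(auth_log_text)
    findings = []
    for user, term_date_str in terminations.items():
        term_date = datetime.fromisoformat(term_date_str)
        entry = directory.get(user)
        if entry is None:
            continue  # account already deleted: nothing left to flag
        if entry["enabled"]:
            findings.append((user, "account-still-enabled", f"terminated {term_date_str}"))
        # Any remaining group is access the offboarding process failed to remove.
        for group in entry["groups"]:
            issue = "lingering-privileged-group" if group in PRIVILEGED_GROUPS else "lingering-group"
            findings.append((user, issue, group))
        # Logins, or even attempts, after the termination date are the monitoring signal.
        for ts, who, source, result in events:
            if who == user and ts > term_date:
                findings.append((user, "post-termination-auth", f"{ts.isoformat()} {source} {result}"))
    return findings


if __name__ == "__main__":
    for user, issue, detail in check_offboarding(HR_TERMINATIONS, DIRECTORY, AUTH_LOG):
        print(f"{user:10} {issue:28} {detail}")
```

Run as-is, the report flags `jdoe` on all three counts (still enabled, still in `VPN-Users` and `Domain Admins`, and a successful VPN login the day after termination) and flags `asmith` for a leftover VPN group membership plus a failed login attempt after leaving, while the current employee `bwong` produces nothing. The point of keeping the check this simple is that it needs no enterprise tooling: the same join of an HR list against a directory export and a log file is what step 5 asks for, and a finding here is what step 4’s monitoring is supposed to surface before two weeks of damage accrue.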
Any business, regardless of size, can benefit from following these simple steps. While tools like LanScope Cat can make enterprise endpoint management, asset inventories, and user monitoring easier, leaders in an organization still need to step up and create a culture that values and pursues excellence in internal security and controls. The more visibility you create, and the better you understand your own internal and external processes, the fewer surprises you’ll be faced with. When applied consistently and carefully, this additional discipline will add resilience to your operations and protect them against insider threats.