More than 34% of companies around the globe suffer from insider threats every year, costing an average of $8.76 million to each company. Insider threats (also called insider attacks) are cyber menaces that originate from inside an organization. They come from employees, ex-employees, business contractors, or vendors with valid access to an organization’s internal networks. Any accidental or malicious internal cyber activity can open the gates to unauthorized access or the exfiltration of critical information.
Insider attacks involve sources the organization trusts to handle its data, and they can be challenging to detect and prevent. The Nucleus Cyber report 2019 states that insider attacks make up a significant portion of the cyberattacks happening across the world each year. According to the report, 70% of global organizations face insider attacks frequently, and 60% experience at least one attack every 12 months.
What are the Sources of Insider Threat?
The three major sources of insider threat are described below.
1. Compromised Users:
Compromised users can be employees, business contractors, or vendors who are unaware that they have fallen into a cyber attacker’s trap. They are the most common and important type of user, unknowingly responsible for a cyberattack.
2. Careless Users:
Careless users are employees who leave their systems or endpoints unlocked or allow others to access them. This category also includes employees and vendors who violate, or simply do not follow, the security best practices mandated by their organizations.
3. Malicious Users:
Malicious users, or malicious insiders, are intentional attackers with valid access to an organization’s data resources. Detecting malicious insiders can be difficult, as a disgruntled employee can cover up their activity without raising suspicion.
Indicators of an Insider Attack
Proactive detection of suspicious insider activity is possible by monitoring the digital and behavioral elements that affect an entity’s critical data.
Suspicious digital and behavioral indicators include:
- Downloading or accessing substantial amounts of data
- Unauthorized access to unrelated critical data
- Multiple requests to access data not related to the job function
- Usage of unauthorized storage devices such as USB drives or floppy disks
- Network crawling and frequent requests for sensitive data
- Data hoarding and file copying from sensitive folders
- Attempts to bypass security (piggybacking/tailgating)
- Frequent visits to the office during off-hours
- Displaying disgruntled behavior toward co-workers
- Violation of corporate policies
- Discussing resigning from the current company or talking about new opportunities
Techniques to Defend against Insider Threats
Taking defensive measures against insider threats is more challenging than detecting them, as employees need access to their organization’s critical information to carry out their job responsibilities. However, organizations can implement a few mandatory guidelines to ensure better data security.
1. Restrict data access privileges according to job functions, roles, and responsibilities
2. Require explicit authorization whenever a resource needs access to critical data
3. Regularly train employees on following security best practices and spread awareness about cyberattacks such as phishing and vishing
4. Data Loss Prevention (DLP) helps restrict the transfer of sensitive data outside the organization through email. Enable DLP to block organization-specific data from leaving without authorization
5. Monitor network components using SIEM solutions to analyse NetFlow logs continuously. SIEM solutions help detect suspicious communication between internal and external IP addresses. Regular network monitoring can eventually reduce malicious activity.
6. Run a data discovery tool across employee systems to identify inadvertently stored critical information and take the necessary action to secure such data.
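Guidelines 1, 2 and 4 above are enforceable in code, and seeing them side by side shows how they fit together: role-based access limits what a user can reach at all, critical data additionally requires an approved access request, and an outbound-mail check blocks sensitive content leaving for external domains unless the transfer was authorized. The example below is added here and is not SISA's code or any product's DLP engine; the role-to-path policy, the ticket store, the internal domain list and the two sensitive-content detectors (a CONFIDENTIAL marker and a Luhn-validated 16-digit card number) are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Assumed least-privilege policy: each role may only touch these path prefixes (guideline 1).
ROLE_PERMISSIONS = {
    "finance_analyst": {"/fin/", "/shared/"},
    "sales_rep": {"/sales/", "/shared/"},
    "hr_admin": {"/hr/", "/shared/"},
}
# Assumed critical data: even a permitted role needs an approved access ticket (guideline 2).
CRITICAL_PREFIXES = {"/hr/", "/fin/"}
# Assumed internal mail domains for the DLP check (guideline 4).
INTERNAL_DOMAINS = {"example.com"}
PAN_RE = re.compile(r"\b\d{16}\b")


@dataclass(frozen=True)
class User:
    name: str
    role: str


def can_access(user, path, approved_tickets):
    """Return (allowed, reason). approved_tickets is a set of (user_name, path) pairs
    that an approver has signed off on; it is a constructed stand-in for a ticketing system."""
    role_paths = ROLE_PERMISSIONS.get(user.role, set())
    if not any(path.startswith(prefix) for prefix in role_paths):
        return False, "role does not grant this path"
    if any(path.startswith(prefix) for prefix in CRITICAL_PREFIXES):
        if (user.name, path) not in approved_tickets:
            return False, "critical data requires an approved access ticket"
    return True, "ok"


def luhn_ok(digits):
    """Standard Luhn checksum, used to avoid flagging random 16-digit numbers as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return the list of sensitive-content categories found in the message body."""
    hits = []
    if "CONFIDENTIAL" in text.upper():
        hits.append("classification_marker")
    hits.extend("card_number" for m in PAN_RE.finditer(text) if luhn_ok(m.group()))
    return hits


def dlp_decision(sender, recipients, body, approved=False):
    """Decide 'allow' or 'block' for an outbound message. Internal-only mail is never blocked;
    mail to any external domain is blocked when it carries sensitive content without approval."""
    external = [r for r in recipients if r.split("@")[-1].lower() not in INTERNAL_DOMAINS]
    if not external:
        return "allow"
    if find_sensitive(body) and not approved:
        return "block"
    return "allow"


if __name__ == "__main__":
    alice = User("alice", "finance_analyst")
    tickets = {("alice", "/fin/ledger.csv")}
    print(can_access(alice, "/fin/ledger.csv", tickets))    # (True, 'ok')
    print(can_access(alice, "/fin/budget.xlsx", tickets))   # blocked: no ticket for this file
    print(can_access(alice, "/hr/salaries.xlsx", tickets))  # blocked: role never grants /hr/
    # 4111111111111111 is a well-known Luhn-valid test number, not a real card.
    print(dlp_decision("alice@example.com", ["partner@outside.example"], "card 4111111111111111"))  # block
```

The two checks are deliberately independent: the access decision is taken when the file is opened, the DLP decision when the data tries to leave, so a user who legitimately holds a ticket for a ledger still cannot mail it to an external address without a separate approval. Keeping `approved_tickets` as explicit (user, path) pairs rather than a per-user flag is what makes guideline 2 auditable after the fact.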
As already mentioned, insider threats are difficult to detect and prevent. However, when an organization puts its trust in securing data with the right security tools and educates employees about the importance of following security policies and procedures, the world will become a more secure place.
About the Author:
This blog was proposed and written by Mr. Naveen Kumar.K, working as a Security Analyst at SISA’s Synergistic-SOC.