It’s a well-known statistical fact that in murder cases, the perpetrator is often someone the victim knew in person. The same goes for cyberattacks and data theft: according to IBM's 2019 X-Force Threat Intelligence Index Report, up to 60% of cyberattacks may be due to insider threats…
Given this remarkably high figure, it is not surprising that more than 50% (!) of the organizations surveyed for the latest CA report have had to deal with an inside cyberattack in the past 12 months.
Malicious intent (with or without)
Even though most companies are well aware of inside cybersecurity threats, they are often reluctant to dedicate the necessary resources and/or executive attention to solve the matter. This is due to the fact that it’s tempting to underinvest in combating cyber threats, as the solutions are often less tangible compared to those in other cyber areas. Furthermore, many companies feel embarrassed about insider threats – after all, it’s a discomforting idea that danger could come from your own staff – and are therefore inclined to minimise the problem.
Recent reports show that more than half of the inside threats are not caused by malicious employees, but rather by accident or negligence. On top of that, even malicious insiders do not always seek to harm the company. In many cases, they are simply motivated by self-interest.
Some best practices to reduce internal threats
Regardless whether an internal cyberattack is due to malicious intent or not, the following best practices can help to reduce the risks:
Research potential employees before you hire them. A background check doesn’t need to be complicated, nor expensive. A call to their previous employers, plus a basic Google and social media check can help you quickly spot ‘risky’ applicants.
Organize cybersecurity trainings and make attendance mandatory. Don’t forget to schedule training update sessions – at least annually –, to keep employees aware of changing technologies and threats. In other words: arm your employees and ensure they are an asset to your security, rather than a threat.
Be aware of suspicious changes in an employee’s behavior. If he or she starts wearing exclusive watches or jewellery, or starts staying late at work or walking in during the weekend, something fishy might be going on…
Install an employee monitoring solution to get a warning when a staff member, for instance, opens all the company’s client data within a few minutes or starts downloading large amounts of sensitive data.
Make sure your employees use unique complex passwords that are not shared with other accounts. Also limit the use of shared accounts.
And what about Identity and Access Management?
Even though the above explained tools and methods have indeed proven their value throughout the years, research shows that another ‘first line of defense’ security layer is needed in order to mitigate the risk for internal threats to a level that is acceptable for most companies and organizations.
This extra security layer – which relies on IAM and Identity Analytics – intervenes at high-level, in the sense that access to sensitive company data gets strictly regulated and controlled. This way, the internal threats potential gets severely limited from the start, as staff members only get access to the data they need.
The ‘least privilege’ approach
Many companies use the ‘least privilege’ approach as a basic principle within their Identity and Access Management strategy. And rightfully so, because the fewer privileged staff members in the company, the easier it is to protect your data. Limiting the number of privileged users means that fewer staff members can cause internal threats. It also means there are fewer sensitive accounts that can be hacked from outside.
It’s advisable to use the same approach for third parties that need access to your data. Limit their privileges as much as possible and make sure their credentials are terminated when the project they are working on is finished.
Defense in Depth
To make sure that you are protected as best as possible against internal threats, it’s highly recommended to maintain a ‘Defense in Depth’ (DiD) approach. This means that a series of different defensive mechanisms are layered to make sure that your data is still protected, even if one of the mechanisms should fail. A well-designed, redundant multi-layered defense system – including monitoring software and smart identity analytics tools –will greatly improve the security of your system and covers may different attack vectors.
While businesses take cyber security more and more seriously, it is clear that there are still things that are often overlooked. When forming a security strategy, companies should take in account all possible threats, both from the outside and the inside. On top of that it is important to not only look at security threats as attacks with malicious intent, but also as unlucky accidents that could happen. Taking this into consideration when forming a multi-layered defense strategy could make a huge difference for your company.
Elimity designs sophisticated - yet easy to use - identity analytics software which helps you to significantly reduce the risk of an internal threat and make sure you remain compliant with local and international laws. You can find more information about our software here.