Do cyber savvy employees pose a greater insider threat?

By Matt Lock, Director of Sales Engineers (UK) at Varonis
Discussion of cyber threats is often focused purely on technical issues, but it is an organisation’s employees that can, ultimately, define the strength of its security. Almost all cybercriminals begin their attacks by preying on their target’s workforce, usually seeking to trick them into sharing login credentials or other critical data via phishing emails. Many serious breaches are also either caused or exacerbated by pure human error, such as emails with confidential attachments being sent to the wrong recipient.
Accordingly, improving the level of cybersecurity awareness in the workforce has become one of the top security priorities today. Educating personnel about the threat posed by phishing attacks, as well as more rigorous training on best practices and policies for securing data and systems, can make all the difference in preventing or mitigating a serious incident.
However, while it is essential for organisations to establish a high level of security savviness in the workforce, they could also, inadvertently, equip the small minority of malicious insiders with the skills to better take advantage of systems and evade detection.
The threat from within
From stealing sensitive data to sabotaging essential systems, rogue insiders can often pose as much of a threat as external attackers.
Whether they are trading information for financial gain or simply have an axe to grind with the company, an insider armed with a good understanding of security practices and a high level of clearance can cause as much harm as the most sophisticated cybercriminal.
The good news is that even the most well-informed and cautious malicious insiders will still have a difficult time erasing all evidence of their illicit activity, and there are several clues that can give them away.
What are the signs of insider threats?
One of the clearest signs that someone is up to no good is a pattern of unusual file access. An employee habitually searching for, viewing or copying data that is not relevant to their job role is very likely to be abusing their access for malicious ends. Even if they are simply being nosey, unauthorised file access can lead to serious security and privacy issues, particularly if confidential customer data is involved.
Similarly, a user account being used to print or save very large amounts of data externally could be a clear indication of data being exfiltrated to be sold to a third party. Cannier rogues may try to hide their activity by accessing files outside of normal hours, but this can actually present an even clearer indication of ill intent – if the company is able to track access activity. Unusual activity out of hours can also indicate that the account has been compromised by an external criminal.
Alongside the current workforce, companies should be aware of the potential risks posed by former employees, particularly those that have left on bad terms or have joined a rival company in the field. Organisations commonly overlook routine admin tasks, such as deleting old user accounts, leaving their former owners able to log back in using their old credentials. These ghost accounts are also the perfect channel for external attackers to gain access to valuable information.
Identifying malicious insiders
The risk of malicious insiders can be greatly mitigated by implementing strong controls around network access. Following a least-privilege approach to control permissions will ensure that all employees can only access files and systems that are relevant for their job role. This will help prevent any employee from freely perusing the network and accessing files that should be off-limits. Unfortunately, we have found this best practice is rarely followed, and our research indicates that 41 percent of companies have at least 1,000 sensitive files open to all employees.
Although strictly controlling access privilege will shut down the majority of opportunistic rogues, it will not prevent those malicious insiders who have a higher level of privilege and are able to access sensitive data within the normal boundaries of their role.
The most dangerous individuals are those who have a higher level of knowledge of how the company’s security processes work, as they will be better equipped to mask their activity and avoid raising red flags. They will use stealthy techniques to disguise their activity, such as trying to mark emails as unread after snooping through an executive’s inbox, or saving information to a personal cloud drive or email, thinking that their company won’t notice.
To tackle the elevated threat posed by these well-informed insiders, organisations must also be able to monitor how users are accessing files. By watching and tracking employee activity, it is possible to build a highly accurate profile of what normal user activity looks like. Anything that falls outside of expected behaviour can be automatically flagged to the security team for additional investigation to determine if a cyber-savvy malicious insider is at work.
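A worked example of the monitoring described in this section and the warning signs listed earlier, added here and not Varonis code: it parses a constructed file-access log and flags access outside the user's role, out-of-hours activity, bulk copying far above a learned baseline, and a departed employee's ghost account still logging in. The log format, the department-to-share mapping, the baseline figures and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp user department path action
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice finance /finance/q1-forecast.xlsx read
2024-03-04T09:30:00 alice finance /finance/payroll.xlsx read
2024-03-04T10:05:00 bob engineering /hr/salaries.xlsx read
2024-03-04T10:06:00 bob engineering /hr/contracts.docx read
2024-03-04T22:40:00 carol sales /sales/pipeline.xlsx copy
2024-03-04T22:41:00 carol sales /sales/accounts.xlsx copy
2024-03-04T22:42:00 carol sales /sales/leads.xlsx copy
2024-03-04T22:43:00 carol sales /sales/contacts.xlsx copy
2024-03-05T11:00:00 dave engineering /eng/design.docx read
"""
# Assumed least-privilege scope: the share root each department is entitled to
ROLE_SCOPE = {"finance": "/finance/", "engineering": "/eng/",
              "sales": "/sales/", "hr": "/hr/"}
WORK_HOURS = range(8, 19)                 # 08:00-18:59 counts as normal hours
BASELINE_EXPORTS = {"alice": 2, "bob": 1, "carol": 1}  # assumed learned copies/prints per day
DEPARTED = {"dave"}                       # leavers whose accounts should be gone
EXPORT_ACTIONS = {"copy", "print"}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, dept, path, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "dept": dept, "path": path, "action": action})
    return events

def flag_events(events):
    """Return sorted (user, reason) pairs that merit a security review."""
    flags = set()
    exports = defaultdict(int)            # (user, date) -> export count
    for e in events:
        u = e["user"]
        if u in DEPARTED:
            flags.add((u, "ghost_account"))   # former employee still logging in
        if not e["path"].startswith(ROLE_SCOPE[e["dept"]]):
            flags.add((u, "outside_role"))    # data not relevant to the job role
        if e["ts"].hour not in WORK_HOURS:
            flags.add((u, "out_of_hours"))
        if e["action"] in EXPORT_ACTIONS:
            exports[(u, e["ts"].date())] += 1
    for (u, _), n in exports.items():
        if n > 3 * BASELINE_EXPORTS.get(u, 0):   # bulk export vs learned baseline
            flags.add((u, "bulk_export"))
    return sorted(flags)
```

Running `flag_events(parse_log(SAMPLE_LOG))` leaves alice unflagged while surfacing bob's HR browsing, carol's late-night bulk copying and dave's ghost account.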