Do cyber savvy employees pose a greater insider threat?
By Matt Lock, Director of Sales Engineers (UK) at Varonis
Discussion of cyber threats is often focused purely on technical issues, but it is an organisation’s employees that can, ultimately, define the strength of its security. Almost all cybercriminals begin their attacks by preying on their target’s workforce, usually seeking to trick them into sharing login credentials or other critical data via phishing emails. Many serious breaches are also either caused or exacerbated by pure human error, such as emails with confidential attachments being sent to the wrong recipient.
Accordingly, improving the level of cybersecurity awareness in the workforce has become one of the top security priorities today. Educating personnel about the threat posed by phishing attacks, as well as more rigorous training on best practices and policies for securing data and systems, can make all the difference in preventing or mitigating a serious incident.
However, while it is essential for organisations to establish a high level of security savviness in the workforce, they could also, inadvertently, equip the small minority of malicious insiders with the skills to better take advantage of systems and evade detection.
The threat from within
From stealing sensitive data to sabotaging essential systems, rogue insiders can often pose as much of a threat as external attackers.
Whether they are trading information for financial gain or simply have an axe to grind with the company, an insider armed with a good understanding of security practices and a high level of clearance can cause as much harm as the most sophisticated cybercriminal.
The good news is that even the most well-informed and cautious malicious insiders will still have a difficult time erasing all evidence of their illicit activity, and there are several clues that can give them away.
What are the signs of a malicious insider?
One of the clearest signs that someone is up to no good is a pattern of unusual file access. An employee habitually searching for, viewing or copying data that is not relevant to their job role is very likely to be abusing their access for malicious ends. Even if they are simply being nosy, unauthorised file access can lead to serious security and privacy issues, particularly if confidential customer data is involved.
Similarly, a user account being used to print or save very large amounts of data externally could be a clear indication of data being exfiltrated to be sold to a third party. Cannier rogues may try to hide their activity by accessing files outside of normal hours, but this can actually present an even clearer indication of ill intent, provided the company is able to track access activity. Unusual activity out of hours can also indicate that the account has been compromised by an external criminal.
Alongside the current workforce, companies should be aware of the potential risks posed by former employees, particularly those that have left on bad terms or have joined a rival company in the field. Organisations commonly overlook routine admin tasks, such as deleting old user accounts, leaving their former owners able to log back in using their old credentials. These ghost accounts are also the perfect channel for external attackers to gain access to valuable information.
Identifying malicious insiders
The risk of malicious insiders can be greatly mitigated by implementing strong controls around network access. Following a least-privilege approach to control permissions will ensure that all employees can only access files and systems that are relevant for their job role. This will help prevent any employee from freely perusing the network and accessing files that should be off-limits. Unfortunately, we have found this best practice is rarely followed, and our research indicates that 41 percent of companies have at least 1,000 sensitive files open to all employees.
Although strictly controlling access privilege will shut down the majority of opportunistic rogues, it will not prevent those malicious insiders who have a higher level of privilege and are able to access sensitive data within the normal boundaries of their role.
The most dangerous individuals are those who have a higher level of knowledge of how the company’s security processes work, as they will be better equipped to mask their activity and avoid raising red flags. They will use stealthy techniques to disguise their activity, such as marking emails as unread after snooping through an executive’s inbox, or saving information to a personal cloud drive or email account, thinking that their company won’t notice.
To tackle the elevated threat posed by these well-informed insiders, organisations must also be able to monitor how users are accessing files. By watching and tracking employee activity, it is possible to build a highly accurate profile of what normal user activity looks like. Anything that falls outside of expected behaviour can be automatically flagged to the security team for additional scrutiny, to determine whether a cyber-savvy malicious insider is at work.
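As an added illustration of the per-user profiling described here, and of the warning signs listed earlier (access outside the user's role, out-of-hours activity, bulk reads, accounts with no history), the following Python is example code written for this article, not code from the original post or from any Varonis product. The event format, the three-times-typical volume threshold and the sample users are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

def share_of(path):
    """Top-level share of a path, e.g. '/finance' for '/finance/q1.xlsx'."""
    return "/" + path.split("/")[1]

def build_baseline(history):
    """Per-user profile from a history window of (user, iso_timestamp, path):
    shares normally touched, hours normally active, files opened per day."""
    profile = defaultdict(lambda: {"shares": set(), "hours": set(), "daily": Counter()})
    for user, ts, path in history:
        p = profile[user]
        p["shares"].add(share_of(path))
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["daily"][ts[:10]] += 1
    return profile

def score_window(baseline, events, volume_factor=3.0):
    """Flag events in a new window that fall outside each user's own baseline."""
    alerts, daily = [], Counter()
    for user, ts, path in events:
        p = baseline.get(user)
        if p is None:  # no history at all: dormant, newly created or ghost account
            alerts.append((user, "no_baseline", ts))
            continue
        if share_of(path) not in p["shares"]:
            alerts.append((user, "share_outside_role", path))
        hour = datetime.fromisoformat(ts).hour
        if not min(p["hours"]) <= hour <= max(p["hours"]):  # outside learned working window
            alerts.append((user, "off_hours_access", ts))
        daily[(user, ts[:10])] += 1
    for (user, day), n in daily.items():
        if user in baseline:
            typical = mean(baseline[user]["daily"].values())
            if n > volume_factor * typical:  # bulk access relative to this user's own norm
                alerts.append((user, "bulk_access", f"{n} files on {day}, typical {typical:.0f}"))
    return alerts

# Constructed sample data (not real logs): two users, five normal working days, 3 files a day.
HISTORY = [(u, f"2024-03-{d:02d}T{h:02d}:30:00", f"/{s}/doc{d}{h}.xlsx")
           for u, s in (("alice", "finance"), ("bob", "eng"))
           for d in range(4, 9) for h in (9, 11, 15)]
# New day: alice opens an HR file at 22:05 and reads 12 finance files; an account
# with no history ("cmartin") appears at 03:40.
NEW_DAY = ([("alice", "2024-03-11T22:05:00", "/hr/salaries.xlsx")]
           + [("alice", f"2024-03-11T{10 + i // 6:02d}:{(i % 6) * 10:02d}:00", f"/finance/ledger{i}.xlsx")
              for i in range(12)]
           + [("cmartin", "2024-03-11T03:40:00", "/finance/customer-list.csv")])

if __name__ == "__main__":
    for alert in score_window(build_baseline(HISTORY), NEW_DAY):
        print(alert)
```

The baseline is deliberately per user, so a finance analyst reading finance files at volume is judged against their own history rather than a company-wide rule.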