How to detect and defend against insider threats

Image Credit: Shutterstock
(Image credit: Image Credit: Andrea Danti / Shutterstock)

Insider threats are not the only security challenge faced by security and risk professionals. They do, however, persist as one that is troublesome. There are various reasons as to why this is the case and too many to elaborate on in a single article. It is generally agreed upon in the security community that insider threats persist due to a lack of understanding over exactly what an insider threat is, how it manifests and what basic steps can be taken to mitigate it. 

Annually, our insider threat analyst team performs assessments across our global customer base to produce our insider threat intelligence report, which is free and openly available to the security community. The report provides education about the different types of insider threats out there. It reveals some of the most high-risk insider threat trends and behaviours. Most importantly, it provides steps on how to reduce related risks.

Insider threats, who they are

This year, we identified three primary insider threats types.

The first were malicious users. These individuals use their access privileges to intentionally harm their organisations. They account for 23 per cent of the incidents we observed.

The next were negligent users. This group is comprised of people who do not intend to cause any harm. They end up placing their organisations at risk via mistakes, poor decisions and a lack of education and understanding regarding what smart security decisions are. They are responsible for 64 per cent of the incidents we identified.

Finally, we witnessed additional cases of compromised users. This group are those who have had credentials stolen or abused by nefarious sources. They account for 13 percent of the trends we spotted.

Image Credit: Shutterstock

Image Credit: Shutterstock

(Image credit: Shutterstock)

Since commencing with this annual report, we’ve witnessed changes in incident types. This year there were some dramatic shifts that are worthy of noting.

  • Data in the cloud - Ninety-eight per cent of assessments discovered sensitive and confidential information exposed and available online and in the cloud. Exposed data was found primarily in Dropbox, Google G Suite, and Microsoft Office 365. This was an increase of 20 per cent over 2018.
  • Insecure data transfer - One-hundred percent of assessments detected sensitive and confidential data transfers taking place via unencrypted and encrypted USB drives, personal email accounts, and cloud applications. This was an increase of 10 per cent over 2018, which looked at transfer via unencrypted USBs only.
  • Changing lanes - Ninety-seven per cent of assessments detected employees who were flight risks. This class of insider that often steals data or IP and acts with a decreasing sense of allegiance to the companies from where they’re departing. This was an increase of 59 per cent over 2018.
  • Sidestepping - Ninety-five per cent of assessments detected employees attempting to bypass or circumvent security controls via anonymous browsing, VPN and TOR usage. This was an increase of 35 per cent over 2018.
  • NSFW surfing - Seventy-six per cent of assessments detected employees engaged in high-risk internet surfing. This included visiting pornography, questionable gaming and gambling sites. This was an increase of 9 per cent over 2018.

There were more insider threat activities taking place than just these five. I’ve highlighted them here as they represent a cross section of incidents caused by the three types of insider threats we track — malicious, negligent and compromised. This grouping also shows areas where threats that frequently place data and systems at risk are on the rise.

Key takeaways

Just knowing what some of the more alarming trends are isn’t enough to reduce associated risks. Understanding how to address them is where the real security value is gained. In the case of each of these trends, there is a solid set of security best practices that can greatly reduce the chances of any of them showing up inside of organisations.

First, set enforceable and realistic security and compliance policies. All of the rules in the world will end up meaning nothing if employees, contractors and other third parties who have access to networks don’t follow them and if they can’t be enforced effectively. It may be very unrealistic to create a rule that forbids anyone from using a cloud sync-and-share drive. It is, however, far more likely that employees will follow security protocols if they are provided with the ability to use such productivity tools along with a set of user-friendly security guidelines.

Next — educate, educate, educate. Let’s face it, organisations may never be able to actually create an overall cybersecurity-conscious culture. Thinking “security” is typically reserved to those of us who are active or familiar with the profession. Companies can increase the likelihood of users adopting more secure habits if, at first, they know what those habits are and how to practice them. One of our clients, CIO Graeme Hackland of Williams Formula 1 Racing, is a major proponent of security education. He frequently holds “town hall” style meetings with employees to educate them on best practices. An approach he says works tremendously well.

Finally, understand behaviours. There are various ways of gaining insight and visibility of user behaviours and activities taking place within environments. Many solutions and techniques, in practice, do end up collecting a fair amount of data. Unfortunately, information collected and poured over frequently provides more false alarms than real actionable insights. To truly understand what activities all users are engaged in, programs need to give analysts the ability to quickly get to the heart of high-risk behaviors and determine who is behind them.

Katie Burnell, Insider Threat Specialist at Dtex Systems

  • We've also highlighted the best antivirus to help protect your business from the latest cyber threats