Breaches caused by insiders are a fact of corporate life: among 874 breach incidents reported by companies to the Ponemon Institute, 568 were caused by employee or contractor negligence and 191 by malicious employees and criminals. When you couple this with a remote workforce that has grown by 115% since 2005, IT teams must now ensure they are listening for threats inside and outside of the office.
By 2020, approximately 40% of the average company’s total workforce is expected to be contingent workers. Contingent and remote workers are at unique risk of becoming an insider threat for two key reasons: they typically lack access to the security policies and training provided to full-time and onsite employees, and they are more likely to be disengaged and less invested in their employer. Either reason can give rise to a negligent or malicious insider.
To stop the insider threat before action results in data loss, leadership and IT personnel must be aware of the types of threat signals across the entire workforce.
Threat types and their signals
“Insiders move along a continuum from idea to action. They get an idea, ruminate, and then begin testing the waters to see if they can execute the idea—maybe by trying to access sensitive data or a secure facility.”
When it comes to insiders intent on IT sabotage, the signals can be hard to identify. These insiders are technically competent users who have the access and ability to carry out an attack, and the capability to conceal their illicit activities. Identification is difficult because malicious behavior rarely looks any different from normal behavior. CERT research has identified predispositions that contribute to the risk of IT sabotage, such as conflicts with fellow workers, bullying of fellow workers, and an inability to conform to rules.
The professional insider is a specific type of insider who is making a first – or second – career of launching cyber attacks for monetary gain. Intellectual property is a particular target for this type of insider. Researchers from the CERT program found that theft of IP is typically committed by scientists, engineers, or programmers. IP theft typically occurs within thirty days of the insider’s resignation.
Unmet expectations often result in insider threat actions. For example, a missed raise or bonus, or being passed over for promotion, could motivate an insider to act maliciously.
Mitigating and preventing the threat
The first step in insider threat protection is to identify your high-value data and invest resources to protect this data.
Threat mitigations must start before hire – and continue through the last day to ensure access is cut off. Background investigations that validate education and professional experience and check criminal history can help to establish the trustworthiness of incoming employees. When an employee departs, you should have a robust offboarding checklist to ensure access is revoked across on-premises and cloud applications.
You need to listen to both offline and online behavior. Unexplained affluence and working odd hours may be indicators signaling an insider threat. This is where your HR team and your employees can play a critical role. Your HR department can assist with properly vetting candidates, listen for suspicious offline behavior, and respond to a security incident. Your security awareness education should include information to help employees recognize and easily report suspicious activities by a coworker.
Institute a policy of least privilege and regularly review access control lists to verify compliance. Consider the difference between protecting the data and seeing the data, as well. For example, your IT team may be charged with protecting intellectual property, but it’s unlikely they need to see the actual content.
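As an added illustration (not code from the original article), a periodic access review in Python that compares live entitlements against the HR roster and a per-role baseline. It flags the offboarding gap described earlier (access that survived a departure), accounts HR does not know about, and grants beyond what a role needs, including the protect-versus-see case where IT may manage the IP repository but not read it. The roster, grants, system names and role baseline are constructed sample data.

```python
from dataclasses import dataclass

# Assumed role baseline: the (resource, action) pairs each role legitimately needs.
# "manage" lets IT protect the IP repository (backups, ACLs) without reading its content.
ROLE_BASELINE = {
    "engineer":   {("ip_repo", "read"), ("ip_repo", "write")},
    "it_admin":   {("ip_repo", "manage")},
    "contractor": {("ip_repo", "read")},
}

@dataclass(frozen=True)
class Person:          # one HR roster row
    user: str
    role: str
    active: bool       # False once HR has recorded the departure

@dataclass(frozen=True)
class Grant:           # one live entitlement pulled from a system
    user: str
    system: str        # on-premises file server, cloud application, ...
    resource: str
    action: str

def review_access(roster, grants):
    """Return (finding, user, system, resource, action) tuples for grants that are
    orphaned (no HR record), survived a departure, or exceed the role baseline."""
    people = {p.user: p for p in roster}
    findings = []
    for g in grants:
        person = people.get(g.user)
        if person is None:
            kind = "orphan_account"
        elif not person.active:
            kind = "offboarding_gap"
        elif (g.resource, g.action) not in ROLE_BASELINE.get(person.role, set()):
            kind = "excess_privilege"
        else:
            continue                      # grant matches the baseline: nothing to report
        findings.append((kind, g.user, g.system, g.resource, g.action))
    return findings

# Constructed sample data for a stand-alone run.
ROSTER = [Person("alice", "engineer", True), Person("bob", "it_admin", True),
          Person("carol", "contractor", False)]
GRANTS = [Grant("alice", "gitlab", "ip_repo", "write"),
          Grant("bob", "gitlab", "ip_repo", "manage"),
          Grant("bob", "gitlab", "ip_repo", "read"),         # IT protects, should not see
          Grant("carol", "cloud_drive", "ip_repo", "read"),  # departed contractor
          Grant("dave", "cloud_drive", "ip_repo", "read")]   # no HR record at all
if __name__ == "__main__":
    for finding in review_access(ROSTER, GRANTS):
        print("%-16s user=%s system=%s resource=%s action=%s" % finding)
```

Run against the sample data it reports bob's read access, carol's surviving contractor access, and dave's orphaned account, while alice's and bob's baseline grants stay silent.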
Remote employee monitoring software should be a critical piece of your insider threat detection program. Website and application monitoring, keystroke logging, and file transfer tracking are features that can mitigate or prevent a data breach.
For additional help in detecting insider threat signals, take a look at these resources:
- Identify and Mitigate Against the Professional Insider Attack
- Protecting Intellectual Property Against Cyberattack
- When Insider Threats Come From Your Privileged User
- Combating the Insider Threat from NCCIC/US-CERT