Media images depict the unknown ‘hooded’ bad actor in a dark room with many computer screens, and we often forget about one of the biggest risks organizations face – the insider.
Insiders fall into two categories: 1) the accidental insider, who is duped into releasing sensitive information, and 2) the malicious insider, who intentionally attempts to access sensitive information they should not have access to and then gains something from it, be it revenge, money, or simply knowledge about others they should not have.
Insider threats are harder to prevent and detect because, by their nature, insiders must have access to the organization's network: the organization has given them the access they need to do their job.
This post will focus on the accidental insider. The most common causes of breaches due to accidental insiders are:
- Phishing attempts
- Weak passwords
- Unlocked devices
- Password sharing
- Unsecured WiFi
There are also multiple enabling risk factors:
- Users with excessive privileges
- Devices with unnecessary access to sensitive data
- Increasing complexity of technology
- Increasing amount of sensitive data
- Lack of employee training or awareness
What controls can we put in place when we look at both the causes and the enabling factors?
Use the NIST CSF model: identify what you have, protect it, detect when the protection breaks down, respond to the detection, and recover from the incident. This begs the question: do we know what sensitive data our organization has? Do we know why the organization has it? Do we need it? Who has access to it? Why do they have access? What systems have access to it, and why?
Next, what protections do we have specific to insiders who need access to the sensitive data? Are we using encryption? Do we have DLP in place, and if so, is it effective? How about ‘four eyes’ controls: do we have a process in place to make sure two people must approve any mass movement of sensitive data or funds? Have we trained our employees to be suspicious of unusual requests? Do we have a strong and enforced password policy and configuration management? These are a few things to think about.
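As an added illustration of the ‘four eyes’ control (example code written for this post, not from any product), the gate below only executes a bulk movement of data once two distinct people have approved it, refuses self-approval by the requester, and records every decision for later audit. The threshold of 1,000 records and the names used are assumptions chosen for the example.

```python
"""Added example: a minimal 'four eyes' (dual approval) gate for bulk transfers.

Assumptions (not from the original post): any transfer of BULK_THRESHOLD or
more records needs two approvers; the requester may never approve their own
request; every decision is appended to an audit log.
"""
from dataclasses import dataclass, field

# Assumption: anything moving this many records or more needs dual approval.
BULK_THRESHOLD = 1000


class ApprovalError(Exception):
    """Raised when a transfer is attempted without the required approvals."""


@dataclass
class TransferRequest:
    requester: str
    record_count: int
    destination: str
    approvals: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def needs_four_eyes(self) -> bool:
        """Small transfers proceed alone; bulk transfers need two approvers."""
        return self.record_count >= BULK_THRESHOLD

    def approve(self, approver: str) -> None:
        # Separation of duties: the requester cannot be one of the approvers.
        if approver == self.requester:
            self.audit_log.append(f"REJECTED self-approval by {approver}")
            raise ApprovalError("requester cannot approve their own request")
        # A second click by the same approver must not count as a second person.
        if approver in self.approvals:
            self.audit_log.append(f"IGNORED duplicate approval by {approver}")
            return
        self.approvals.add(approver)
        self.audit_log.append(f"APPROVED by {approver}")

    def is_authorized(self) -> bool:
        if not self.needs_four_eyes():
            return True
        return len(self.approvals) >= 2

    def execute(self) -> str:
        """Perform the transfer only if the approval rule is satisfied."""
        if not self.is_authorized():
            self.audit_log.append("BLOCKED: insufficient approvals")
            raise ApprovalError(
                f"{self.record_count} records need two approvers, "
                f"have {len(self.approvals)}"
            )
        self.audit_log.append(f"EXECUTED by {self.requester}")
        return f"moved {self.record_count} records to {self.destination}"


if __name__ == "__main__":
    req = TransferRequest("alice", 5000, "external-share")
    req.approve("bob")
    req.approve("carol")
    print(req.execute())
    print("\n".join(req.audit_log))
```

The important details are the two checks inside `approve`: without the self-approval rejection the requester could supply one of the two signatures, and without the duplicate check a single colleague clicking twice would satisfy the count.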
Who’s watching the store? For detection, do we have any monitoring and alerting to detect abnormal actions? Things like large file transfers, or someone accessing large amounts of data, should raise red flags. Do we run vulnerability scans to look for systems that may have default passwords or misconfigurations?
Once we detect something suspicious, do we have a protocol to follow to investigate and perhaps even interrupt the accidental insider? Does our incident response include runbooks for this very type of accidental insider incident? Or are we just hoping that if it happens we will figure out what to do then?
Finally, do we have recovery plans in place that include possibly retraining the accidental insider? Does our cybersecurity insurance cover a data breach caused by an accidental insider, or is it excluded?
If we focus solely on threat actors external to our organizations, we may find ourselves caught by surprise during an accidental insider breach. We will discuss malicious insiders in a future post.
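As an added example of the kind of monitoring described above (written for this post, not code from any monitoring product), the script below reads download log lines, builds each user's usual daily volume from their own history, and raises an alert when a day's volume jumps well above that baseline, exceeds an absolute cap, or touches an unusually large number of distinct files. The log format, the thresholds and the sample lines are all constructed assumptions.

```python
"""Added example: flag abnormal data access from download logs.

Assumptions (not from the original post): a log line looks like
  2024-05-01T09:14:02Z user=alice action=download bytes=1200000 file=q1.xlsx
and the thresholds below are illustrative, not recommended values.
"""
import re
import statistics
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) action=download "
    r"bytes=(?P<bytes>\d+) file=(?P<file>\S+)$"
)

# Assumed thresholds: a day is suspicious if the user moved more than RATIO
# times their median daily volume so far, more than ABS_BYTES outright, or
# touched more than MAX_FILES distinct files.
RATIO = 5.0
ABS_BYTES = 500_000_000
MAX_FILES = 50


def parse(lines):
    """Return (day, user, bytes, file) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["user"], int(m["bytes"]), m["file"]))
    return events


def daily_totals(events):
    """Aggregate bytes and distinct files per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    files = defaultdict(lambda: defaultdict(set))
    for day, user, nbytes, fname in events:
        totals[user][day] += nbytes
        files[user][day].add(fname)
    return totals, files


def find_anomalies(lines):
    """Return (day, user, reasons) for every day that trips a rule."""
    totals, files = daily_totals(parse(lines))
    alerts = []
    for user, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            # Baseline is the median of this user's earlier days only, so a
            # single big day does not inflate its own baseline.
            history = [per_day[d] for d in days[:i]]
            baseline = statistics.median(history) if history else None
            vol = per_day[day]
            nfiles = len(files[user][day])
            reasons = []
            if vol > ABS_BYTES:
                reasons.append(f"volume {vol} exceeds absolute cap")
            if baseline and vol > RATIO * baseline:
                reasons.append(f"volume {vol} is {vol / baseline:.1f}x the usual {baseline:.0f}")
            if nfiles > MAX_FILES:
                reasons.append(f"{nfiles} distinct files in one day")
            if reasons:
                alerts.append((day, user, reasons))
    return alerts


# Constructed sample log: three ordinary days for alice and bob, then alice
# pulls an entire customer directory (60 files, ~1 MB each) after hours.
SAMPLE_LOG = [
    "2024-05-01T09:14:02Z user=alice action=download bytes=1200000 file=q1-report.xlsx",
    "2024-05-01T11:02:10Z user=alice action=download bytes=800000 file=budget.docx",
    "2024-05-02T09:40:55Z user=alice action=download bytes=1500000 file=q1-report.xlsx",
    "2024-05-03T10:05:31Z user=alice action=download bytes=1100000 file=forecast.xlsx",
    "2024-05-01T09:00:00Z user=bob action=download bytes=300000 file=notes.txt",
    "2024-05-02T09:00:00Z user=bob action=download bytes=350000 file=notes.txt",
    "2024-05-03T09:00:00Z user=bob action=download bytes=310000 file=notes.txt",
    "garbage line that does not parse",
] + [
    f"2024-05-04T18:{i:02d}:00Z user=alice action=download bytes=1000000 file=customers/{i}.csv"
    for i in range(60)
]

if __name__ == "__main__":
    for day, user, reasons in find_anomalies(SAMPLE_LOG):
        print(f"{day} {user}: " + "; ".join(reasons))
```

Comparing each user against their own history rather than a single global number matters for this use case: an analyst who legitimately moves large files every day should not page the on-call, while a receptionist suddenly pulling the customer directory should.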