Today, organizations invest significant resources to harden their perimeters against exterior attacks. Unfortunately, many of these same companies invest far less to protect themselves against internal threats—individuals who have direct access to sensitive and proprietary information.
Given the amount of sensitive information your company has on its network and how easy it can be for someone inside your hardened perimeter to steal it, having an insider risk program should not be a question of “why” but “when.”
If you need more hard-hitting facts to convince you, consider this:
In the past, “insider” cases were primarily associated with foreign governments trying to steal national security information. Today, organizations must also consider economic and industrial espionage. Nation states under economic pressure are actively (and aggressively) trying to steal information from U.S. businesses for their own economic gain, and they are using your employees to do it.
Insider Attacks: What’s at Stake
Regardless of your company’s size or the industry you’re in, you likely have something to lose. Whether it’s customer information, credit card numbers, proprietary documents, trade secrets, etc., when information is stolen the repercussions are high.
- Damaged Brand Reputation. Imagine the impact on your company if one of your employees is charged with stealing customer information and selling it as part of an identity theft scheme.
- Loss of Revenue & Competitive Position. If a foreign competitor got hold of your IP or trade secrets and used that information to create and market a similar product to yours, how much will that harm your business?
- Regulatory Penalties. If you’re in a highly regulated industry, regulators may fine your organization for inadequate controls over the data that was stolen.
- Disruption of Service/Operations. What if a disgruntled employee wipes out important data on your company servers or shuts down your supply chain systems? What type of impact would it have on your business?
- Employee Safety. When people think of insider threats, they don’t often think of physical violence as an issue. However, the behaviors that are common to insiders can manifest into workplace violence. If a violent outcome occurred at your business, what impact would it have on employee morale? Public opinion?
Who Are Your Insiders?
There are many definitions for an “insider.” A thought leader on security risks, asset exploitation, and workplace violence associated with insider threats, Dr. Michael Gelles, says: "An INSIDER is a person who possesses some combination of knowledge and access that distinguishes his or her relationship with the organization from those of outsiders."
Based on this definition, an insider is not just an employee: a contractor or business partner who has access to your information qualifies too. When we dive deeper into the types of insiders a company must look out for, we typically see three profiles.
1. Malicious Insider – Willfully Out to Cause Harm
When we think of “insiders” we most often think of Malicious Insiders. They might engage in fraud, espionage, IP theft, and even workplace violence. Their motivation may be financially driven or fueled by ego. In this case, an individual may feel a sense of entitlement for a project they worked on and feel they have the right to take that information with them. Or, they may have an allegiance to a foreign government or want to get revenge against the company or employees because they feel they have been wronged in some way.
2. Negligent Employee – Careless Actions Cause Harm
This is one many companies fail to notice. The Negligent Employee is the person who approaches his or her job carelessly and disregards the security protocols in place to protect the company. For example, they may keep their passwords on a sticky note under their keyboard, or carry sensitive documents in a briefcase that is then stolen from their unlocked car. Whether through negligence, shortcuts, or simply being uninformed about security, these individuals cause some of the biggest headaches for CISOs. Ransomware, for example, often gets onto company computers because of an employee’s careless browsing and download habits.
3. Exploited Employee – Deceived into Providing Information
This is another at-risk employee that companies often overlook. Consider this scenario. The Exploited Employee goes to a conference and is targeted by an intelligence gatherer hired by a competitor. They engage in what they believe is a harmless conversation with someone they meet and are then skillfully steered into discussing their company and sharing information, such as an upcoming product launch, pending merger, or new marketing campaign.
How to Find the Bad Apple in a Cart of Good Apples
So how do you find the malicious, negligent, and exploited employee among your “good” employees? Monitoring an employee’s computer behavior is a critical part of an insider risk program, but if you focus solely on that one area you overlook other, equally important indicators of a “bad apple.” A truly holistic insider risk program should include all aspects of an employee’s behavior, both network and non-network.
People don’t join a company and become an insider overnight. Events in their personal or professional life influence them over time and cause them to act. As they get closer to committing that act, they display certain behaviors or attitudes, called Potential Risk Indicators (PRIs). Network behaviors such as sending emails with attachments to personal email accounts or copying files to removable storage devices might not raise a red flag on their own. But when these network activities are overlaid with non-network behaviors, such as excessive absenteeism, aggressive behavior, missed promotions, overseas travel that goes unreported where reporting is required, or an unusual interest in a project they’re not part of, a red flag should go up.
Leverage the Data You Already Have
Much of the non-network information you can use to strengthen your insider risk program already exists within your organization. But, if your organization is like most, that information is spread across the company and held in separate silos. Some information may be held by HR, some by IT, and some by your physical security office. Gathering this information can be challenging if you don’t have program buy-in from stakeholders across the organization. This includes HR, legal, IT, compliance, communications, security, and the investigative component of your organization if you have one. These department leads need to champion the program within their areas and work to eliminate the silos for sharing information.
So now you have the data. What’s next?
User Entity and Behavioral Analytics to Detect Insider Threats
Unfortunately, given the massive amounts of data available, it’s no longer possible for an analyst—even the best and brightest—to “dig” through the data fast enough to find connections and identify potential threats. Thankfully, new technologies that incorporate machine learning and advanced analytics can take massive amounts of information and apply the right security context to the connections.
For example, this type of technology can gather information from an endpoint, a web proxy, a VPN concentrator, and a file share, and combine it into a clear picture of what an employee is doing on your network and how that activity has changed over time against their own baseline. The result is faster detection of issues—from days to seconds—and better prioritization of which “red flags” to pursue.
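The overlay described in the two passages above (network PRIs scored together with non-network PRIs, and each user's activity compared against their own weekly baseline), as an added Python example. This is not Leidos code and not Arena ITI; the event records, the indicator names, the weights, the windows, and the alert threshold are all constructed for illustration and would have to be tuned with HR and legal in a real program. The point it shows is that one user's network signals alone stay under the threshold, and only the HR overlay pushes them over it.

```python
from collections import defaultdict
from datetime import date

# Constructed sample telemetry (not real logs). Network events are
# (day, user, source, indicator, bytes); HR events are (day, user, indicator).
NETWORK_EVENTS = [
    (date(2024, 3, 4),  "alice", "proxy",     "webmail_upload",      2_000_000),
    (date(2024, 3, 11), "alice", "proxy",     "webmail_upload",      1_500_000),
    (date(2024, 3, 18), "alice", "proxy",     "webmail_upload",      1_800_000),
    (date(2024, 3, 25), "alice", "proxy",     "webmail_upload",      2_100_000),  # steady habit
    (date(2024, 3, 5),  "bob",   "endpoint",  "usb_copy",               50_000),
    (date(2024, 3, 12), "bob",   "endpoint",  "usb_copy",               40_000),
    (date(2024, 3, 19), "bob",   "endpoint",  "usb_copy",               60_000),
    (date(2024, 3, 26), "bob",   "endpoint",  "usb_copy",          900_000_000),  # sudden jump
    (date(2024, 3, 26), "bob",   "vpn",       "vpn_login_offhours",          0),
    (date(2024, 3, 27), "bob",   "fileshare", "bulk_read",         700_000_000),
]
HR_EVENTS = [
    (date(2024, 3, 1),  "bob",   "missed_promotion"),
    (date(2024, 3, 20), "bob",   "unreported_foreign_travel"),
    (date(2024, 3, 8),  "carol", "missed_promotion"),   # non-network signal only
]
TODAY = date(2024, 3, 28)

# Hypothetical weights. Network indicators come from endpoint/proxy/VPN/file
# share telemetry; non-network indicators come from HR and physical security.
PRI_WEIGHTS = {
    "webmail_upload": 2, "usb_copy": 2, "vpn_login_offhours": 1, "bulk_read": 2,
    "missed_promotion": 2, "unreported_foreign_travel": 3,
    "excessive_absenteeism": 2, "aggressive_behavior": 3,
}
BASELINE_SPIKE_WEIGHT = 4   # this week's volume >= 10x the user's prior weekly mean
NETWORK_WINDOW_DAYS = 14    # network PRIs decay quickly
HR_WINDOW_DAYS = 90         # life events keep mattering for months
ALERT_THRESHOLD = 10


def weekly_bytes(user, today, events=NETWORK_EVENTS):
    """Bytes moved per 7-day bucket; bucket 0 is the week ending today."""
    buckets = defaultdict(int)
    for day, who, _src, _ind, nbytes in events:
        if who == user and day <= today:
            buckets[(today - day).days // 7] += nbytes
    return buckets


def baseline_spike(user, today, events=NETWORK_EVENTS, factor=10):
    """True if the current week's volume is >= factor x the mean of prior weeks."""
    buckets = weekly_bytes(user, today, events)
    prior = [v for k, v in buckets.items() if k > 0]
    if not prior or not buckets.get(0):
        return False
    return buckets[0] >= factor * (sum(prior) / len(prior))


def score_user(user, today, network=NETWORK_EVENTS, hr=HR_EVENTS):
    """Return (score, sorted reasons). Each distinct PRI counts once per window."""
    reasons = set()
    for day, who, _src, ind, _b in network:
        if who == user and 0 <= (today - day).days < NETWORK_WINDOW_DAYS:
            reasons.add(ind)
    for day, who, ind in hr:
        if who == user and 0 <= (today - day).days < HR_WINDOW_DAYS:
            reasons.add(ind)
    score = sum(PRI_WEIGHTS[r] for r in reasons)
    if baseline_spike(user, today, network):
        reasons.add("volume_spike_vs_baseline")
        score += BASELINE_SPIKE_WEIGHT
    return score, sorted(reasons)


def flagged_users(today, network=NETWORK_EVENTS, hr=HR_EVENTS):
    """Users whose combined network + non-network PRI score crosses the threshold."""
    users = {e[1] for e in network} | {e[1] for e in hr}
    scored = {u: score_user(u, today, network, hr) for u in users}
    return {u: s for u, s in scored.items() if s[0] >= ALERT_THRESHOLD}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "all sources:", score_user(user, TODAY),
              "| network only:", score_user(user, TODAY, hr=[])[0])
    print("flagged:", sorted(flagged_users(TODAY)))
```

Run as a script it prints that alice (a steady, long-standing webmail habit) scores 2, carol (an HR signal with no network activity) scores 2, and bob scores 9 on network telemetry alone but 14 once the missed promotion and unreported travel held by HR are overlaid; only bob crosses the threshold of 10. The baseline check is what separates bob's 900 MB USB copy from his usual tens of kilobytes, which a static per-event rule would not distinguish from alice's routine uploads.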
Don’t Wait to Be a Victim
Insider crimes are a very real and costly problem for companies, often more costly than the high-profile external attacks that make headlines. Unfortunately, building a successful, holistic insider risk program doesn’t happen overnight. It takes proper planning, executive buy-in, and the right people, process, and technology. Thankfully, there are companies like Leidos that can help you assess your existing risk profile; design, plan, and build a successful insider risk program; and integrate the technology that will keep you protected for the long haul.