Protecting organisations from insider threats - Bitglass
The traditional focus of IT security has been on keeping out external threats, but the volume and frequency of security breaches caused by disgruntled, careless or negligent insiders has risen significantly in recent times.
Insider threats pose an equally serious risk to organisational security.
The biggest challenge for most external threat actors is gaining access to a target organisation; insiders already have it.
As a result, nearly all traditional perimeter security defences are ineffective against them.
Insider threats usually come from authorised employees or contractors with valid credentials and physical access to an organisation's buildings, which makes them far more difficult for security personnel to defend against.
Of course, not all insider threats are malicious.
Many are sparked by careless employees who click on harmful email links or attachments without realising it, use unsecured public Wi-Fi, or accidentally leave their laptops in a public place.
Regardless of users' intentions, any resulting data breach can damage an organisation financially and cause reputational harm.
Cloudy outlook
Evidence suggests that security incidents involving insider threats are on the rise.
In a recent survey by Bitglass, more than two-thirds (73%) of respondents said they believed insider attacks had become more frequent over the past year.
Additionally, 59% of respondents said their own organisations had experienced at least one insider attack in the past 12 months – compared to just 33% the year before.
When asked why they thought this was, the top five answers were:
1) Insiders have valid credentials (55%)
2) Increased use of unmanaged applications (44%)
3) Data being accessed off premises (44%)
4) More end-user devices susceptible to theft (39%)
5) Data storage moving to the cloud (36%)
Four of these five reasons relate to moving data off premises and into a growing number of mobile devices and cloud-based applications.
While the business benefits of such actions are becoming increasingly difficult to ignore, so are the associated security risks.
For instance, as more organisations adopt initiatives such as bring your own device (BYOD), it's becoming much harder for an organisation to ensure a secure data environment and/or spot compromised devices quickly.
As the popularity of the cloud multiplies, the traditional security perimeter has all but disappeared.
Maintaining data security in such an environment requires specialised tools, which many organisations have not adopted.
Some 41% of respondents said they didn't monitor for abnormal behaviour across their cloud footprints, while 19% did not know whether or not their organisations did.
As a result, only around half of respondents were confident they could detect an insider attack on the day it occurred.
A further 14% said it would take them at least three months to do so, if at all.
What can organisations do?
The unpredictability of insider threats, combined with the complexity of cloud environments, means that an integrated, layered solution offers the best defence for organisations.
Below are four core components of such a solution:
1) Data Loss Prevention (DLP): Properly integrated cloud DLP enables employees to work when and where they want, while keeping data secure. A good cloud DLP offering includes file encryption, redaction, watermarking/tracking and other tools to ensure that sensitive data remains protected at all times.
2) Access control and identity management: Dynamic identity management solutions that integrate with existing systems, manage user access and utilise multi-factor authentication are much more effective than basic password protection.
For example, if a system records an employee logging in from a country where they've never authenticated, it can alert IT personnel to suspicious behaviour, helping to secure the account before a breach takes place.
3) Automation: In cloud-based environments, automated security solutions are becoming increasingly essential – reactive solutions that rely on manual analysis are not fast enough. Fortunately, automated cloud solutions that employ machine learning can identify suspicious behaviour as it is taking place.
For example, if a user suddenly downloads unusually large amounts of data or logs in and accesses data outside normal working hours, these tools can use an analytical, real-time approach, uncovering anomalous behaviour and taking corrective action as needed.
4) Training: While technology can be a powerful way to improve an enterprise's security posture, another effective tool is far simpler. Regular employee training promotes secure business practices and helps to minimise the threat of data theft by reinforcing the severity and consequences of theft and misuse – whether or not those actions are intentional.
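The behavioural checks described under items 2 and 3 (a login from a country the user has never authenticated from, access outside working hours, and an unusually large download) can be expressed as a small detector replayed over an access log. The following is an added example, not Bitglass code or any product's logic; the log lines are constructed, and the working-hours window, baseline size and volume multiplier are assumed thresholds.

```python
from datetime import datetime
from collections import defaultdict

# Constructed sample cloud-access log (not real data):
# (user, UTC timestamp, login country, bytes downloaded in the session)
EVENTS = [
    ("alice", "2024-03-04T09:15:00", "GB", 1_200_000),
    ("alice", "2024-03-05T10:02:00", "GB", 900_000),
    ("alice", "2024-03-06T11:40:00", "GB", 1_100_000),
    ("alice", "2024-03-07T02:30:00", "GB", 800_000),     # off-hours session
    ("alice", "2024-03-08T09:05:00", "BR", 1_000_000),   # never-seen country
    ("alice", "2024-03-08T14:20:00", "GB", 40_000_000),  # bulk download
    ("bob",   "2024-03-04T09:00:00", "US", 500_000),
    ("bob",   "2024-03-05T09:30:00", "US", 450_000),
]

WORK_HOURS = (8, 18)   # assumed working window, hours in UTC
MIN_BASELINE = 3       # sessions needed before the volume baseline is trusted
VOLUME_FACTOR = 5      # flag downloads above this multiple of the user's mean

def detect_anomalies(events, work_hours=WORK_HOURS,
                     min_baseline=MIN_BASELINE, volume_factor=VOLUME_FACTOR):
    """Replay events in time order, building a per-user baseline as we go.
    Returns a list of (user, timestamp, reason) alerts."""
    countries = defaultdict(set)   # countries each user has logged in from
    volumes = defaultdict(list)    # per-user history of session download sizes
    alerts = []
    for user, ts, country, nbytes in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        # 1. Login from a country this user has never authenticated from
        if countries[user] and country not in countries[user]:
            alerts.append((user, ts, f"login from unseen country {country}"))
        # 2. Session outside the assumed working window
        if not (work_hours[0] <= when.hour < work_hours[1]):
            alerts.append((user, ts, "access outside working hours"))
        # 3. Download volume far above the user's established mean
        hist = volumes[user]
        if len(hist) >= min_baseline and nbytes > volume_factor * (sum(hist) / len(hist)):
            alerts.append((user, ts, f"bulk download of {nbytes} bytes"))
        countries[user].add(country)
        hist.append(nbytes)
    return alerts

if __name__ == "__main__":
    for user, ts, reason in detect_anomalies(EVENTS):
        print(user, ts, reason)
```

The first few sessions only seed the baseline, so a user's first-ever country or first download sizes never trigger an alert on their own.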
The growing adoption of remote working initiatives and cloud-based environments has greatly improved the agility and productivity of modern organisations.
It has also introduced new security issues. This is particularly true in the case of insider threats.
Many organisations are failing to adapt to these changes in the cybersecurity landscape.
Fortunately, taking the time to understand current risks and addressing them through a cloud-first security solution can allow an enterprise to enjoy the cloud's benefits while ensuring that its data is safe from insider threats.