Insider Threats and Their Importance
Anirban Banerjee
How Insider Threats Emerge
The most common insider threat is the negligent employee: someone who makes a genuine mistake with unintended consequences. Even if your staff hold the highest ethical standards, a system of checks (a written security policy backed by technical controls) must be in place to prevent data loss. Role ambiguity among technical staff in startups is a related problem: tech-savvy engineers tend to reach into parts of the infrastructure that their role does not require, simply because nothing stops them. Defining roles clearly and enforcing security policies prevents most negligence outright.
The more obvious insider threat is the malicious employee: a technical staff member who has decided to damage the firm's resources, typically as a means of retribution. Because it is inherently difficult to identify a potentially malicious employee in advance, preventative measures are far more effective than reviewing developer activity after the fact. The simplest way to achieve this is to architect systems so that each individual can see and reach only what their role requires; limiting visibility limits the damage any one person can do.
Many businesses rely on data to operate. Whether it is a patient's medical history or a client's property assessment reports, the loss or unauthorized distribution of this information can be catastrophic. The key to maintaining full control of this information lies with the system administrators in charge of client data. Service level agreements (SLAs) from data-centric companies should state how they intend to protect client data. This step may seem trivial to many businesses; however, it remains a key consideration when evaluating prospective business partners.
Detecting Insider Incidents
Once an organization has put procedures in place to prevent as many threats as possible, the ability of admins to detect threats becomes equally important. Without the ability to detect potential incidents, admins cannot understand which systems, and in particular which data stores, may have been compromised. Internal audits are a good start, as frequent reviews provide a more complete overview of your systems. Complete, 24/7 monitoring is a worthwhile expenditure for any business that relies on its systems, yet it seldom receives the funding needed to be implemented effectively. Tools available for reducing exposure include application whitelisting, inbound and outbound proxies, and User Activity Monitoring (UAM), among others. Each of these increases your organization's ability to identify threats as they become relevant.
After creating a system of privileges that reduces the number of individuals able to access your organization's data, the next logical step is integrating tools that analyze data flow. By detecting anomalies in data transfer, an administrator can halt the transfer in progress and evaluate whether a malicious exfiltration is under way. Although typical infrastructures hold only a minimal amount of employee data, client data is the real concern, as it is the most attractive target for infiltration. The value of an organization's database must be evaluated case by case; however, the same basic principle applies: the loss of most or all of a business's database will be catastrophic to its operations.
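One way to implement the data-flow check described above, as an added example that is not part of the original article: assuming a hypothetical outbound-proxy log of the form `<date> <user> <destination host> <bytes sent>` (the sample lines below are constructed, not real traffic), the script learns each user's normal daily outbound volume from a baseline window and flags days that exceed it, plus any transfer to a host that no one contacted during the baseline.

```python
"""Flag anomalous outbound data transfers per user from proxy logs.

Added example for this article (not the author's code). It assumes a
hypothetical outbound-proxy log in the form
    <ISO date> <user> <destination host> <bytes sent>
and builds a per-user baseline from the first BASELINE_DAYS days of activity.
"""
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic): alice and bob each upload a
# few MB a day to a CRM host; on the last day bob sends 2 GB to a host that
# nobody used during the baseline window.
SAMPLE_LOG = """\
2016-05-01 alice crm.example.com 4200000
2016-05-01 bob crm.example.com 3900000
2016-05-02 alice crm.example.com 4500000
2016-05-02 bob crm.example.com 4100000
2016-05-03 alice crm.example.com 3800000
2016-05-03 bob crm.example.com 4400000
2016-05-04 alice crm.example.com 4600000
2016-05-04 bob crm.example.com 3700000
2016-05-05 alice crm.example.com 4300000
2016-05-05 bob crm.example.com 4000000
2016-05-06 alice crm.example.com 4100000
2016-05-06 bob crm.example.com 4200000
2016-05-07 alice crm.example.com 4400000
2016-05-07 bob crm.example.com 3800000
2016-05-08 alice crm.example.com 4000000
2016-05-08 bob files.unknown-host.example 2000000000
"""

BASELINE_DAYS = 5       # days of history used to learn each user's normal volume
SIGMA = 3.0             # flag a day above mean + SIGMA * stdev of the baseline
ABS_FLOOR = 50_000_000  # never flag below 50 MB/day, however tight the baseline


def parse_log(text):
    """Return a list of (date, user, host, bytes) tuples from the log text."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, host, nbytes = line.split()
        records.append((date.fromisoformat(day), user, host, int(nbytes)))
    return records


def daily_totals(records):
    """Map user -> {day: total bytes sent that day}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, _host, nbytes in records:
        totals[user][day] += nbytes
    return totals


def find_anomalies(records, baseline_days=BASELINE_DAYS, sigma=SIGMA, floor=ABS_FLOOR):
    """Return a list of (user, day, bytes, reason) for suspicious activity.

    Two checks: a per-user daily-volume threshold learned from the baseline
    window, and any transfer to a destination not seen during that window.
    """
    totals = daily_totals(records)
    all_days = sorted({r[0] for r in records})
    baseline_window = set(all_days[:baseline_days])
    known_hosts = {r[2] for r in records if r[0] in baseline_window}

    flagged = []
    for user, per_day in totals.items():
        base = [b for d, b in per_day.items() if d in baseline_window]
        if len(base) < 2:
            continue  # not enough history to say what is normal for this user
        threshold = max(mean(base) + sigma * pstdev(base), floor)
        for day in sorted(per_day):
            if day not in baseline_window and per_day[day] > threshold:
                flagged.append((user, day, per_day[day], "volume above baseline"))
    for day, user, host, nbytes in records:
        if day not in baseline_window and host not in known_hosts:
            flagged.append((user, day, nbytes, f"first contact with {host}"))
    return flagged


if __name__ == "__main__":
    for user, day, nbytes, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{day} {user}: {nbytes / 1e6:.0f} MB sent ({reason})")
```

Both thresholds are tuning knobs: the absolute floor keeps a user with a very stable, tiny baseline from generating alerts on ordinary fluctuations, while the sigma multiplier catches deviations for heavier users. The "first contact" check is deliberately crude (any host not seen in the baseline) and will produce noise on a busy network; in practice it would be scoped to large transfers or to destinations outside an allowlist. What the script does not do is decide; halting the transfer and evaluating it remains the administrator's job.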
Focusing on Insider Threats Pays Dividends
The last sort of assessment any team wants to deliver is one of post-incident damage. Many incidents go completely unnoticed, which makes it harder to assess the total damage and the recovery needed after an event. Enabling key decision makers to accurately report on and assess their data increases the effectiveness of an incident response plan. By implementing both preventative and detection-based measures, your organization reduces the likelihood of an insider incident and the negative consequences of the loss or manipulation of data. Addressing insider threats matters to both your customers and your employees. Demonstrating the need for funding in this area is tough, especially with non-technical executives, and harder still when they believe their organization is immune to such attacks. Support for focusing resources can be gathered by citing past attacks that other companies have experienced and showing how a similar, hypothetical attack would impact your own operations.
The financial impact of an insider attack includes the cost of repairing systems and recovering data. The loss of current and future business after an attack should also be considered when weighing the cost of preventative measures. By proactively spending on infrastructure security, an organization can avoid the expense of basic insider incidents and reduce its infrastructure costs as a whole. Putting a precise figure on a potential insider threat is impractical, since many types of threat have no upper bound on the damage they can cause.