Stopping Insider Threats Easily with PAM
Anirban Banerjee
This past year has seen an increase in the number of insider threats that cause critical data leakage for large corporations. A recent Intel study showed that insider threats accounted for 43% of data breaches. Many security professionals monitor perimeter firewalls and beef up security where they are considered weak. However, what they often tend to miss are the insider threats that are increasingly problematic in today’s organization.
But You Need to Trust Your Employees, Right?
Small businesses face a tension between trusting employees and security. They often wonder whether monitoring employee access patterns is necessary. Large companies usually have some security in place regardless of how long an employee has been with the business. In fact, smaller companies are more susceptible to insider threats because of their looser security policies.
Another issue is that small businesses don’t have the resources to hire several people for one responsibility. They have one person holding privileges for almost any document, directory or sensitive resource. This creates a huge risk if that employee decides to steal data. What makes insider risks even more critical is that the threat usually persists for several months before the employee is caught or leaves the organization.
Small businesses are torn between proper monitoring and trusting employees. In many cases, the problem isn’t even a malicious employee; it’s an accidental breach that starts with a phishing attempt. Early this year, several hospitals were the victims of ransomware, a program that encrypts user data and holds it hostage until a high-priced ransom is paid.
What’s interesting about the attack is not the fact that some of the hospitals paid the ransom to get their files back. The interesting component in this attack is that the hospital had to pay the ransom because of an insider threat. This threat was not a malicious employee. In fact, it was one employee that opened a phishing email with an attachment. The attachment was a Word document with a malicious macro. The macro downloaded the ransomware to the employee’s local computer and then it spread to the network. Once the network was compromised, the ransomware was able to find critical documents, encrypt them, and then lock them for ransom. The hospital was forced to pay $17,000 to the hackers to obtain the decryption key. For a week, the hospital staff was forced to use pen and paper to process patient information.
The hospital incident is just one example of a successful insider threat that cost the organization dearly. There are numerous others, and the trend is increasing. External threats are no longer the only commonplace threats to the organization. Insider threats are a growing concern and difficult to monitor.
So, What Can an Organization Do to Protect Itself?
One of the major mistakes an organization makes is to give full access to any employee. This includes access to sensitive data, customer information, or intellectual property. The organization should have a “need to know” privilege model. This means that each employee should only have access to resources needed to perform daily job functions – and no more.
“Privilege creep” is also common when an employee has been with the organization for a long time. It’s commonplace for IT management to add privileges as the employee moves around the company without revoking the privileges that are no longer needed. This phenomenon is called privilege creep, and it increases the risk of insider threats. When an employee changes job functions, permissions for resources that are no longer required should be revoked.
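One way to make the “need to know” model and the privilege-creep check concrete is to reconcile what each employee actually holds against what their current role requires. The following is an added example, not code from the article or from any PAM product; the role model, the employee records and the permission names are constructed sample data.

```python
# Added example, not code from the original article or any PAM product.
# The role model and the employee records below are constructed sample data.

# Constructed: the minimum permissions each job function needs (need-to-know model).
ROLE_PERMISSIONS = {
    "accounts_payable": {"erp:invoices:read", "erp:invoices:approve"},
    "hr_generalist": {"hris:employee:read", "hris:employee:write"},
    "helpdesk": {"ad:password:reset", "ticketing:read"},
}

# Constructed: each employee's role history (oldest first) and the permissions
# they hold today. Permissions picked up in earlier roles were never revoked.
EMPLOYEES = {
    "alice": {  # moved from helpdesk to HR, kept the helpdesk rights
        "roles": ["helpdesk", "hr_generalist"],
        "granted": {"ad:password:reset", "ticketing:read",
                    "hris:employee:read", "hris:employee:write"},
    },
    "bob": {  # one role, but a one-off grant that was never cleaned up
        "roles": ["accounts_payable"],
        "granted": {"erp:invoices:read", "erp:invoices:approve",
                    "fileshare:finance:full"},
    },
}


def audit_privilege_creep(employees, role_permissions):
    """Compare what each employee holds with what the *current* (last) role
    needs. Returns {user: {"role": str, "excess": set, "missing": set}};
    "excess" is the revocation list, "missing" flags gaps in the role model."""
    report = {}
    for user, record in employees.items():
        current_role = record["roles"][-1]
        required = role_permissions.get(current_role, set())  # unknown role => nothing justified
        held = record["granted"]
        report[user] = {
            "role": current_role,
            "excess": held - required,
            "missing": required - held,
        }
    return report


if __name__ == "__main__":
    for user, f in audit_privilege_creep(EMPLOYEES, ROLE_PERMISSIONS).items():
        print(f"{user} ({f['role']}): revoke {sorted(f['excess'])}, "
              f"grant {sorted(f['missing'])}")
```

Run against a real entitlement export, the "excess" sets are the candidates to revoke at each job change; an unknown role deliberately justifies nothing, so every grant shows up for review.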
What makes privilege management even more tedious is that auditing and certain authorization levels are required for certain industries. Organizations that process credit card payments must be PCI compliant. Healthcare industries are required to follow HIPAA and SOX requirements. Violation of these guidelines comes with hefty fines, but understanding what’s required is difficult for most managers.
Where human permission management fails, organizations have other options such as privilege account management (PAM) resources. PAM helps you monitor user access and behavior on a given resource such as an application, document or directory. It also provides you with the right resources that make your organization compliant with the regulatory bodies that oversee certain auditing requirements (HIPAA, PCI, SOX and others).
Newer organizations might expect this style of monitoring to disrupt users. In fact, efficient PAM software runs in the background and doesn’t disrupt any of your users’ daily activities. It monitors resources to help IT staff figure out which applications and documents employees use most. The software’s algorithms create a baseline of normal behavior, which is then used to identify unusual, suspicious activity on certain resources. This could be an insider threat where an employee intentionally accesses sensitive information without permission, or malware that scans the network for important documents and sends them to outside, third-party attackers.
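To show what a behavior baseline of this kind looks like in practice, here is an added example (not the article’s or any PAM product’s code) that learns which shares each user normally touches and how many distinct files they open in a day, then flags later activity that falls outside that profile. The access-log lines are constructed, and the "timestamp user share/file" line format is an assumption.

```python
# Added example, not the article's or any PAM product's code. The log lines
# are constructed; the "timestamp user share/file" line format is an assumption.
from collections import defaultdict
# Constructed: a quiet period used to learn what "normal" looks like per user.
BASELINE_LOG = """\
2016-03-01T09:02 alice hr/onboarding.docx
2016-03-01T09:40 alice hr/benefits.xlsx
2016-03-01T08:55 bob finance/invoices.xlsx
2016-03-03T11:30 bob finance/budget.xlsx
"""
# Constructed: later activity. bob reaches into shares he never used and opens
# more files in one day than before (a rogue user, or malware sweeping shares).
NEW_LOG = """\
2016-03-10T09:00 alice hr/benefits.xlsx
2016-03-10T02:12 bob hr/salaries.xlsx
2016-03-10T02:13 bob legal/contracts.docx
2016-03-10T02:13 bob finance/invoices.xlsx
2016-03-10T02:15 carol finance/budget.xlsx
"""

def parse(log):
    """Yield (day, user, share, resource) from one access per line."""
    for line in log.splitlines():
        ts, user, resource = line.split()
        yield ts[:10], user, resource.split("/")[0], resource

def build_baseline(log):
    """Per user: the shares normally used and the most distinct files seen in a day."""
    shares, per_day = defaultdict(set), defaultdict(lambda: defaultdict(set))
    for day, user, share, resource in parse(log):
        shares[user].add(share)
        per_day[user][day].add(resource)
    return {u: {"shares": shares[u],
                "max_files_per_day": max(len(f) for f in per_day[u].values())}
            for u in shares}

def detect_anomalies(baseline, log):
    """Return sorted (user, reason) alerts for activity outside the baseline."""
    alerts, seen = set(), defaultdict(lambda: defaultdict(set))
    for day, user, share, resource in parse(log):
        profile = baseline.get(user)
        if profile is None:  # account with no history: nothing to judge against
            alerts.add((user, "no baseline for user"))
            continue
        if share not in profile["shares"]:
            alerts.add((user, f"new share: {share}"))
        seen[user][day].add(resource)
        if len(seen[user][day]) > profile["max_files_per_day"]:
            alerts.add((user, f"file volume spike on {day}"))
    return sorted(alerts)
```

Calling `detect_anomalies(build_baseline(BASELINE_LOG), NEW_LOG)` leaves alice alone and raises alerts for bob’s new shares and file volume, plus one for the account that has no history at all.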
Are Privilege Account Management Services Necessary?
While they aren’t a requirement, using PAM services greatly reduces the overhead for your IT personnel. Think of organizations with thousands of users. These users change positions, resign, and even return to the organization after several years. PAM services allow IT personnel to manage privileges on the fly and review behavior patterns without manually reading cumbersome logs.
The overall benefit is better security for private, sensitive data. Some companies go months without suspecting insider threat only to realize that a rogue employee or malware has been stealing data. This data could be sent to hackers or even competitors at a hefty price. With enough time, insider threats can mean that a majority of your intellectual property, customer information, or corporate documents could be sent to third parties. It’s imperative that organizations take action to stop these threats before they do damage.
The question is whether you consider your current security sufficient to protect against insider threats. If the answer is “no” or “not sure,” then it’s time to put the proper system in place to avoid costly data leaks in the future. PAM software can stop insider threats within days instead of allowing the risk to persist for months.