Strategies for a CISO to Prevent Insider ThreatsAnirban Banerjee
Insider threats are on the rise, and it’s still a large security flaw in most systems. It’s especially common in small businesses that grow to medium-sized enterprises where old employees are trusted and permissions across the network are globally loose. As a CISO, your responsibility is to rein in these security flaws and protect the enterprise from data loss and theft.
Before you think your organization is safe, studies show that insider threats are bad and getting worse. Many security administrators focus on outside threats, but the cost of insider threats and the damage it costs the organization is increasing.
Limiting permissions is one step, but it’s not a complete strategy. In order for the organization to follow the right procedures, managers and IT must know what is important and what is not. The process must be simple and can’t be cumbersome, or you might find employees disregarding important security standards. Here are some strategies that a CISO can put into place to help avoid insider threats.
1. Revoke Permissions When Users Change Positions
It’s especially common for long-term employees to move around the organization in different positions whether it’s management or different areas of responsibility. When an employee’s position changes, their level of access should change.
It’s common for users to change positions and maintain the same access they had in their previous position. Then, new permissions are granted for new responsibilities. Permissions accumulate, and the employee has too much access. Every change in management or position should have an IT review to assess permission requirements. Any permissions that are no longer needed for job functionality should be revoked.
2. All Permissions Should Be Given on a “Need to Know” Basis
This strategy ties in with the last one. It’s hard to determine what users need to know, because usually instructions for access come in the form of asking for all permissions across the application “just in case.” Users and even their managers tend to ask for full access to everything just to avoid any hassles that could be had in the future.
While there might be reasons in the future to give access on a per incident basis, permissions should be given on a “need to know” basis, which means that unless the restriction interferes with the user’s ability to do daily tasks, they should not have access to the system or files.
In addition to restricting permissions, the organization needs a low friction way to deal with rights and access. Permissions will be more efficiently handled if there is little overhead or hassles with permission management.
3. Get Organizational Managers Involved in Security
Security starts with managers. They can often control permissions to specific areas of the network, and they can help detect insider threats by monitoring employee activity. In many cases, users aren’t educated in the ways insider threats work or the red flags that something is amiss.
Educating users and managers can help collaborate efforts to fight insider threats. Managers can restrict access for groups of users, and team mates can be educated on the warnings that follow after data theft.
4. Swap Responsibilities Once in a While
There are several reasons employees are able to successfully steal data, and most of these threats continue for months before security teams are aware of the situation. One reason is that employees are given specific tasks, and they run these tasks freely without any other user viewing overseeing these tasks.
For instance, if an employee is the only one reviewing customer orders and credit card information, then any improprieties would go unnoticed. A common strategy is to rotate responsibilities among users. When multiple people take on responsibility across multiple systems, they can identify inconsistencies and report them.
Insider threats can still happen with rotation of responsibilities, but it reduces the amount of time it occurs. Essentially, you can reduce damage and catch inconsistencies early so that it does not persist for months.
5. Closely Watch Outside Access
Vendors and vendor access to your system can lead to insider threats. Although these vendors aren’t technically employees, they often have access to areas that contain sensitive data. Vendors can work onsite, but many times they are given VPN access. This access should be restricted, and you should closely monitor access and activity from outside users.
This type of monitoring usually involves third-party tools, but these tools should be able to send you alerts should inconsistencies in file access happen. In many of these cases, a vendor or remote employee is accidentally given access, and they are able to view private information that wasn’t intended for their access. You control this through authorization levels, but the right third-party tools help you detect access from outside employees or vendors.
6. Use Monitoring Systems for Sensitive Files
Insider threats are difficult to identify, because the users are “trusted” members of the network. It’s not like outsider threats where you block anyone and any traffic from accessing the internal network regardless of permissions.
For this reason, monitoring files and system access is important. These monitoring systems can gain statistics on file access and permissions and create a baseline for normal activity. They then discover irregular access patterns. Any irregular patterns can then send alerts to a security administrator.
7. Always Have an Audit Trail
Audit trails are necessary for certain regulations such as HIPAA and SOX. However, audit trails provide a good resource to prevent insider threats or reduce damages from current threats.
Audit trails can be created using third-party tools. The level of detail you get from third-party tools is different across each system. A good system provides you with details such as the user that access the file, time and date, and what activity occurred.
The length of time you keep audit trails should be determined. Some regulatory guidelines require that you keep audits for a specific amount of time should an investigation be needed going back several months. Some insider threats last months, so you could possibly need your audit trails for 8 months or more.
Audits should be real-time and data should be segregated. Data segregation helps security teams determine who has access to what and what country data is kept in. Third-party software should be in place to help with data forensics. Forensics tell you how an employee account used the data for a full audit review.
8. Disable Access Accounts Immediately after Resignation or Termination
It’s common especially in small companies to terminate employees immediately and leave the account active. This often happens when security standards are poor within the company. The manager terminates the employee but doesn’t notify IT that the employee’s account is no longer active. This can leave a huge, gaping security hole in the network.
Procedures should be in place that alert IT of employee terminations so that the account can be removed before the employee leaves the building.
A checklist is also necessary to ensure that all areas of access are blocked. For instance, some developers use custom login procedures for applications accessible outside of the firewall. If this particular access is forgotten, the employee still has access to sensitive information and could potentially have access for months without any knowledge. It’s especially common with insider threat incidents that the external, terminated employee works with internal employees to steal data.
9. Allocate Resources for Security
Organizations tend to disregard security until it’s too late. They don’t pour money into security especially for insider threats because employees are seen as trusted resources. It’s this mistake that costs corporations millions after a significant data loss. It’s the CISO’s responsibility to work with the organization to allot the right amount of funds for security teams and systems. It’s a difficult task especially if the organization hasn’t suffered from any major security breach.
Funds should be allocated for security systems, monitoring systems, and the right teams to manage them. Organizations sometimes skimp on security and put it off for the next year. This disregard for security continues through the year even after company growth. It soon becomes an out-of-control issue as security is no longer up-to-date or relevant for the size of the organization.
As a CISO, it’s difficult to stress the importance of security to administration, but plenty of examples show the importance of it and the damage of insider threats in recent years.
The right strategies greatly decrease insider threats. It not only prevents them, but it can reduce damage of current threats. You can’t always detect every threat, but you can put the right tools in place to avoid months or year-long damage that comes when you don’t have the necessary alerts that detect suspicious behavior.
Before you think that many strategies are unnecessary, consider that these threats continue to increase especially as systems become more complex and Internet is widely available for all employees. All it takes is one successful insider to ruin an organization’s reputation and cost the company millions in clean-up efforts.
Also published on Medium.