What’s Stopping Your Organization from Preventing Insider Threats?James Evans
The internal threat to your business is increasing: a recently survey by Vormetric found that 93% of questioned U.S. businesses considered themselves somewhat (or more) vulnerable to attack from inside[i].
But despite this threat, many businesses are struggling to put into place measures to protect themselves. A recent survey by the SANS Institute[ii] shed some light on this issue, finding that organizations faced a multitude of challenges that were preventing them maximizing their IT security.
The survey asked which factors did businesses believe were limiting their ability to either prevent or deter insider attacks:
Clearly, there is no definitive reasons why businesses are struggling to prevent insider attacks, but rather a range of reasons, with most businesses struggling in multiple areas.
How can businesses overcome these problems? Let’s take a look at a few general areas that significantly impact on some or all of these problem areas:
Establish the Business Case for IT Protection
You’ll notice from the statistics above that many of the areas are about a distinct lack of something: a lack of training, budget, staff, or technology. The reason so many businesses have these ‘lacks’ is because IT security is often underfunded and under-supported.
Whether its writing and implementing new policies and procedures, or hiring staff, all these actions take either time or money – and let’s face it, time is money. Without an appropriate amount of resources, it is no wonder that IT teams across the world are struggling to protect their businesses from the varied internal and external threats.
An Unintentional Neglect
Often this underfunding isn’t a conscious neglect, but one created by an incorrect understanding of both the benefits of investing in your security, and the potential problems that can occur when you repeatedly neglect to invest. If security has so far been secure, without any hugely disruptive breaches, it is likely that decision-makers will favor investing in marketing or sales above IT security – because everything seems to be going well already.
When you establish your business case for IT investment your main job must be to break away from the mindset that IT security requires an occasional investment and encourage decision-makers to see it as an ongoing cost.
Build Your Business Case
Justifying an increased budget can be difficult when security appears tight already, even if you know that you need more investment. But, in the long-run, security that prevents a problem is worth far more than security installed after a problem.
Luckily, you don’t need to suffer a major attack to build your business case – plenty of other businesses are already suffering! Instead, focus on educating decision-makers using industry statistics and case studies of other internal breaches.
For example, would data showing that insider threats were the most expensive to fix for companies help persuade decision-makers? Or that insider threats were costing businesses as much as $140,000 annually?[iii] These are compelling reasons to invest now.
Don’t Forget Who the Enemy Is
When you’re struggling to get the budget you need to protect your business it can sometimes seem that members of your own organization are your biggest problem, but it’s important to remember that you are on the same team. Even when decisions go against you it is vital that you keep good relations with other employees.
If your organization either cannot or will not give you the budget you need (and let’s face it, how many people actually get every bit of budget they ask for?), you must work to build your case for future budgets while doing the best with what you have. This will require compromise, teamwork, and some thinking outside of the box. See below for some alternative ways you can protect your business.
Start Where You Can
You might not have the time and budget to do everything you want – but then, who does? Many solutions are viable even on a smaller budget, and an improvement should be within reach. A lack of training is simultaneously the most mentioned roadblock and one of the easiest to break down.
Start by establishing your most at risk areas (often employees with access to the most sensitive data) and begin by investing in their training. By focusing on the most at risk employees and keeping the training laser-targeted to your biggest issues you can significantly improve security with even a small amount of training.
Consider Alternative Solutions
If you don’t have the budget for Plan A – try Plan B, sometimes it even ends out better! For example, you might have been hoping to roll-out a company-wide training process, but weren’t given the go ahead on budget. As a compromise you could train key individuals in certain teams to not only protect themselves, but to train and help others and spot prospective threats. These individuals become your eyes and ears on the ground; just having a few of these security-conscious individuals in high-risk teams can make a big difference.
Often a change in mindset is key: by moving from an in-house solution to a SaaS solution, businesses gain all the advantages of a bespoke system at a significantly lower price, benefiting from the huge economies of scale.
Onion ID is one popular SaaS solution; enabling businesses to:
- Protect Servers – Only allow employees to access your servers.
- Setup Access Policies – Manage risk by creating a range of policies allowing different levels of access for different employees.
- Get Visibility – Detailed reports on how your employees are using your systems makes it easier to create compliance reports.
Access policies and visibility are particularly important for preventing insider attacks. By preventing most employees from having (unneeded) access to the most secure data, you significantly reduce the chances of either a malicious or accidental breach of security. And by having high-level real-time visibility into your employee’s actions – what they’re accessing and how they’re doing so – you have a much better chance of catching problems before they start costing you money.
[i] Vormetric Data Security – 2015 Insider Threat Report – http://www.vormetric.com/campaigns/insiderthreat/2015/
[ii] SANS Institute – Insider Threats and the Need for Fast and Directed Response – https://www.sans.org/reading-room/whitepapers/analyst/insider-threats-fast-directed-response-35892
[iii] Digital Guardian – Findings from the 2015 Ponemon Institute Cost of Cybercrime Study: The Threats vs. Defenses Gap – https://digitalguardian.com/blog/findings-2015-ponemon-institute-cost-cybercrime-study-threats-vs-defenses-gap