The security challenge of insider threats
Mon 10 October 2016 - 11:27 amSecurity | Tech
Australian businesses spend considerable time and money protecting themselves from external security threats, but it’s important to remember that there are also threats within.
While viruses, phishing and ransomware attacks are constantly top-of-mind when it comes to securing IT infrastructures, steps must also be taken to protect them from staff. Unfortunately, they can cause just as many problems as external criminals.
Insider security problems come in two types: those caused unintentionally and those perpetrated out of malicious intent. The first type is caused by staff who are unaware of the security implications of their activity and fail to recognise warning signs. The second type arises from a desire by an individual to cause damage or reap financial gain.
Both types of insider threats can be addressed by following a number of key security strategies. Used together, these can significantly reduce the likelihood an organisation will suffer disruption or loss.
A good first step to deploy is ongoing and thorough monitoring of all activity within your IT infrastructure. The management team needs to know who is accessing systems and data and what they are doing with it.
One method is to develop profiles of what typical activity looks like for certain groups of staff. Those in marketing are likely to use systems in a certain way while others in finance or engineering will have different behaviour patterns. Once these are understood, it becomes easier to spot anomalous behaviour. Why is that person in marketing suddenly accessing files on a finance department server? Why is an engineer sending large email attachments to an unknown external address?
In some cases, it may even be worth creating profiles at an individual level. Unusual activity can then be flagged and checked as required. It may sound a little Big Brother, but it could stop potentially costly malicious activity in its tracks.
All businesses should also have in place a comprehensive incident response plan in case an internal data breach does occur. It might be an employee passing confidential data to an external party or using it for their own financial gain.
The plan should include having clear agreements with staff so they know what will happen if they are caught stealing data or causing disruption to systems. Penalties could range from a caution to dismissal.
One common type of internal threat is the misuse of credentials to access systems and data that should be out of bounds. Often, this is achieved through the misuse of administrator-level credentials that provide open access across an entire IT infrastructure.
Such credentials should be carefully protected and only used for specific functions. Careful monitoring can then throw up flags if they are used in unexpected ways. Security can be enhanced by setting time limits on the validity of administrative credentials. After a set period, passwords automatically change and so any unauthorised users of the credentials will lose the access they may have been misusing.
Securing mobile devices
The potential for unintentional internal security threats caused by mobile devices is significant. With more corporate applications and data being accessed via smart phones, tablets and notebooks, keeping these devices secure at all times is critical.
Organisations should consider deploying tools that allow devices to be remotely wiped should they be lost or stolen. Files stored on the devices should also be encrypted by default.
If employees use their own devices in the workplace, clear guidelines must be put in place about what will happen to the data on them if the device goes missing. Some tools allow corporate data to be wiped while ensuring personal data remains.
Portable device considerations should also cover the humble USB storage key. These can be used to steal vast amounts of information or introduce viruses and other threats if brought in from outside. Tight guidelines on their usage are essential.
It’s also important to remember physical security when guarding against internal threats.
Building access systems should be regularly reviewed to ensure they work efficiently and access revoked from employees if they leave the organisation.
Acceptable use policies
In the end, a significant proportion of the internal security threat can be managed by having acceptable use policies in place. These will clearly spell out to all staff what can and can’t be done on the organisation’s IT systems. They should all be aware that their use of systems is being monitored and, should they be found to be involved in unauthorised activity, the organisation has the right to investigate.
By following these guidelines, you can allow your employees to have access to the resources they need to fulfil their roles while at the same time ensuring core systems and data remains secure.
About the author
Simon Howe is Director of Sales ANZ with security intelligence company LogRhythm.