Cybersecurity Leaders on Insider Threat Awareness Month

September marks the third annual National Insider Threat Awareness Month, launched by various federal agencies to highlight the growing danger insider threats pose to national security.

Though the initiative has successfully increased awareness of the risks associated with insider threats, many organizations remain susceptible to attacks. In fact, 60% of organizations have more than 20 insider attack incidents a year, according to IBM. The cost related to these incidents was over $2.7 million in 2020, showing there is still much progress to be made in fortifying cybersecurity defenses.

Insider threats are a complex and multi-faceted problem, and while the topic most often comes up in the context of larger organizations, the general principles to prevent insider abuse are applicable to organizations of all sizes. A comprehensive security program that covers both preparedness and visibility is the foundation to successful early identification of looming insider issues.

Preparedness is about planning for the inevitable day that something happens, and it should cover everything from standard offboarding to establishing policies and procedures for a sabotage event like ransomware or electronic time bombs. Visibility is about having a line of sight to potential adverse actions. It starts with monitoring devices but expands to understanding what employees are doing and making sure they are trained on cybersecurity issues like phishing, which is still one of the main initial vectors of cyberattacks. 

To commemorate Insider Threat Awareness Month, I asked several other cybersecurity experts to discuss preventative actions that can be taken against insider threats.

Raffael Marty, SVP Cybersecurity Products, ConnectWise

“Insider threat is a complex and multi-faceted problem and while the topic most often comes up in the context of larger organizations, the general principles to prevent insider abuse are applicable to organizations of all scales. A comprehensive security program that covers both preparedness and visibility is the foundation to successful early identification of looming insider issues. Preparedness is about planning for the day that something happens and it should cover simple things like what the organization does when an employee leaves and goes all the way to establishing preparedness for a sabotage event like ransomware or electronic time bombs. Visibility is about having line of sight to potential adverse actions. It starts with monitoring devices, but expands to understanding what employees are doing and making sure they are trained on cybersecurity issues like phishing, which is still one of the main initial vectors of attacks.”

Dottie Schindlinger, executive director, Diligent Institute, Diligent MDO

“The global pandemic accelerated a massive shift toward remote work and added layers of complexity to the cybersecurity challenges that organizations face. In the blink of an eye, organizations transitioned entire workforces and operations to an at-home, remote model. Suddenly, collaboration tools and video conferencing were more vital than ever before, and IT support committed countless hours to make them secure, safe and less prone to disruption.  

Yet, with all the attention paid to securing collaboration tools and communication technologies, another security threat lurks that few organizations are prepared for: Insider threats.

Despite elevated levels of external risk, an organization’s greatest or most immediate cyber threat can come from within. Through unintentional missteps—often due to outdated security systems or software versions—company employees are often involved in major data breaches. These usually aren’t intentional, but rather the result of a lack of consistently applied best practices that lead to bad outcomes. Meanwhile, the same collaboration tools that have become vital for remote work can exacerbate the risk of internal leaks if access privileges and security protocols are not rigorously followed or enforced.

Given these risks, what should security look like for organizations? To be secure while still effective, a collaboration solution must ensure that confidential materials can only be viewed by the appropriate individuals. Sensitive communications should be conducted in a closed-loop environment that can be viewed only by the appropriate parties, even within the organization. Open communication tools—like Slack, texting and personal email—are great for informal communication, but they don’t often provide the level of security or access privileges needed for sensitive communications between executives, the board, legal, HR, risk and compliance teams, etc. They need secure environments and workflows that allow them to communicate highly sensitive information safely, without worrying that it might accidentally be misrouted, forwarded, leaked or even stolen. And, the system must be intuitive and convenient, so executives remain within its workflows and processes without straying to other systems and creating security gaps.

If these steps are taken, they go a long way toward mitigating insider threats. Organizational leadership can perform their roles effectively while protecting the organization not only from outside actors but from inadvertent breaches from within.”

Carl D’Halluin, CTO, Datadobi 

“Predicting exactly when an insider threat will occur is nearly impossible. However, promoting awareness of the chances of an insider incident can help enterprises prepare themselves properly and enhance their overall data management strategy.

A successful insider attack can create long-lasting downtime for an organization which impacts its revenue and reputation. Enterprises need to have a plan in place to protect themselves from the aftereffects that come with an insider threat. As organizations increasingly rely on unstructured data to perform day-to-day business-critical functions, they need to maintain prompt access to their data in the event of a disruption.

An effective way to avoid downtime in the event of an insider threat is creating a ‘golden copy’ of business-critical data. Enterprises should maintain a secure golden copy of unstructured data in an air-gapped physical or cloud-based location. Limiting access to a golden copy in addition to a traditional backup strategy decreases the chances of downtime either from an accidental human error or malicious insider threat.”

Steve Moore, chief security strategist, Exabeam

“As organizations remain remote or begin their transition to hybrid work models, the risk of insider threats is more present than ever. Therefore, enterprises must recognize the severity of this form of attack.

Legitimate users performing unwanted or dangerous activity always prove more difficult to detect than typical external threats. Though most insider threats are unintentional and typically occur by accident, the damage they cause can still impact business outcomes and stability.

To add complexity to this already difficult problem, there have been examples of criminal attackers who now offer a cut of the proceeds if an employee assists in deploying ransomware. How many disgruntled or underappreciated employees might consider this opportunity?

When irregular behavior is detected, it should be taken seriously as a possible attack. Various indicators of insider threats exist, and a crucial step in protecting against them is recognizing those signs and establishing a threshold of normal for employees. Unfortunately, most organizations lack the capability to accurately identify normal human and device behavior.

Proper training feedback loops, visibility and effective technology are the key to guarding against insider threats. In addition, using behavioral analytics that can track and analyze user and machine data is critical.

Behavioral analytics technology can identify threats lurking within an organization by determining whether certain behaviors are normal or are a potential cause for alarm. For example, has this employee from this department ever signed into this system before? Has anyone from their department? Unfortunately, finding the answer to these questions (and many more) during an incident can prove nearly impossible at worst and inconsistent at best without investing in the correct capabilities.

Different kinds of unusual activity that are typical signs of insider threats, such as large data uploads, credential abuse or unusual access patterns, can be detected by behavioral analytics. As a result, the technology can find these suspicious behaviors among often unknowingly compromised insiders well before cybercriminals can gain access to critical systems—significantly decreasing the chances of data compromise.”

Alex Pezold, CEO, TokenEx

“Although standard controls such as logging and tracking, identity and access management, and internal policies and training are all essential elements of a robust security strategy to address insider threats, none can prevent the exposure of sensitive data in the event of a breach. Therefore, data protection is also a critical component of this value chain. We’ve seen our customer base use tokenization to satisfy their needs for greater data protection while enabling their zero-trust principles more effectively. By using tokenization, companies can minimize risk by removing sensitive data from their environments so that it cannot be compromised if their internal systems are breached. So, even if a security control fails and allows a database to be accessed, only tokens will be available to the intruder while the original sensitive data is safely stored offsite.”

Neil Jones, cybersecurity evangelist, Egnyte 

“Responsible companies consistently update their cyberattack prevention plans and implement measures that protect them against falling victim to potential attacks. As vigilant as they might be, most organizations overlook an important contributor to cyberattacks: Insider threats. 

This is not surprising, because companies need to trust their employees in order to succeed. But with employee trust needs to come employer validation and monitoring of their users’ behavior. 

While not all insider threats are malicious, they can be even more devastating than external attacks. Critical contributors to insider threats are employee turnover, poor data governance controls and negligence. When employees resign, they can extract information from your files that could benefit them in their new jobs with competitors, or even worse, publicly embarrass your organization. That process is referred to as exfiltration. A good first step to prevent “data leakage” is to use a data governance platform that leverages machine learning, so that sensitive information is available only to the correct organizational users based on their business ‘need to know.’ 

Negligence can be combated with proper training and by limiting access to files across the company. There is no reason that someone in the finance department should have access to roadmapped product development plans without justifying their request with the product development team first. Limiting the spread of internal information will also enable your system to prioritize threats to your sensitive data. The best way to thwart a potential attack is by having a proactive approach in place that detects misuse before it’s too late.”

Surya Varanasi, CTO, StorCentric

“September 2021 marks the third year of National Insider Threat Awareness Month (NITAM), which, according to the NITAM website, aims to help prevent ‘exploitation of authorized access to cause harm to an organization or its resources.’ While the month focuses on U.S. national security, this issue is, of course, inextricably linked with organizational security as well. When enterprises think about ransomware attacks, the focus is often on guarding against external threats, of which there are many. Yet companies must remember and be prepared to defend against threats from inside their organization too.

Three words hold the key to achieving this: Protect, detect and recover. Given the prevailing stats, such as those from the Ponemon Institute, the likelihood of an insider threat existing and then leading to a successful data breach is high and growing rapidly. It is therefore critical that the recovery piece be firmly in place. Two highly critical best practices here relate to your data backups. Organizations must ensure they have unbreakable and immutable backups. The ideal solution(s) should include features like file fingerprinting, file redundancy, file serialization, secure timestamp and auto file repair, as well as the necessary capabilities to ensure regulatory compliance. And the admin keys should be stored in another location for added protection. Next, the solution should provide immutability and allow the user to lock backups for a predetermined period of time: An immutable retention period during which they cannot be deleted, moved or altered in any way.

Corporate defenses should be equal to the level of threat—which means assuming the worst and putting the best solution in place, particularly when it comes to ensuring recovery. By having impenetrable recovery solutions in place for internal threats as well as external ones, organizations can protect their most valuable data assets and ensure the longevity of their business.”

Danny Lopez, CEO, Glasswall

“It seems like every day there is a headline about another company falling victim to a cyberattack. What many companies fail to realize is that not all threats come from outside sources. In fact, insider threats have increased by 47% in the past two years. While it’s easier to assume it could never happen to your organization, taking responsibility for your security before an attack occurs is always the best option. 

Not all insider threats are malicious. In fact, many victims are completely unaware that their credentials were compromised in the first place. Employee training can be helpful in some cases, but it often overlooks the sophistication of cybercriminals and can create a fear-based culture where people are afraid to come forward if they’ve made a mistake. 

Your employees should not be your only line of defense against cyberattacks. Instead, your leadership teams should understand where your risk factors are and implement proactive technologies, such as content disarm and reconstruction (CDR), which can deliver instant protection. In the face of increasing risk and intricate attacks, there’s no better time to make cybersecurity a top priority.”