A phrase like “insider threats” might make you think of epic stories of backstabbing and betrayal – perhaps of Saruman in Lord of the Rings or Fredo Corleone in The Godfather, or even of Peter Pettigrew in Harry Potter.
Of course, it’s not always as evil and as dramatic as all that. In fact, frequently, stories of insider threats are incredibly banal. At the same time, in the world of network security they represent a serious concern – as a prime source of vulnerability, representing a significant risk for every organization.
Most people associate breaches with an external source – i.e., involving malicious hackers on the outside who gain access and steal information. But consistently, insider misbehavior and error have caused as much (or more) damage as anyone on the outside. In fact, according to a recent survey from the Ponemon Institute, negligent insiders are actually the greatest threat.
Here are some of the reasons that insider threats can be such a big problem, and what you can do to mitigate the risk.
The concept of least privilege is a golden rule in security: each person on staff should receive access to the smallest number of resources required to do a job well. Limiting access to resources means mitigating the degree of vulnerability.
That means if you’re a secretary in a medical clinic, for example, you can see the patient’s contact information and financial details, but not their medical history. If you’re a doctor, you can see the medical details of patients in your field but not other fields.
The problems show up when privileged access is applied to a fast-growing, dynamic organization.
As employees shift roles or gain responsibilities, they obtain access to new resources without losing access to the resources they used in their initial roles. This situation is even more dangerous when it comes to disgruntled employees who leave an organization yet continue to enjoy network access.
With legacy systems, it generally requires manual tinkering to maintain a privileged access system that successfully meets each user’s needs. And this tends to be a task that gets neglected – opening the door to increased risk.
We all make mistakes, a point that’s strongly supported by data presented in the 2016 edition of the Verizon Data Breach Investigations Report, which put unintentional actions – responsible for over 11,000 security incidents – at the top of the report’s list of threats.
The danger of unintentional actions was illustrated by the story that broke last year about two employees of the Washington State Health Care Authority who exposed the health information of 91,000 Medicaid patient files – the result of an unfortunate exchange of files that involved no malicious intent.
In this context, it would be a crime not to at least raise the question of staff training. While certainly not foolproof, an excellent educational program within a company can help reduce both the number and the severity of the mistakes made by a team through carelessness.
Of course, it’s not always a question of negligence or even of poor judgement. According to cybersecurity expert Joseph Steinberg in this recent interview by the Digital Guardian, insiders are so problematic because they have easy access to sensitive information and may know how it is protected – so they can steal it with greater ease than people on the outside.
And as pointed out in an assessment of insider threats by Forbes, one of the many security issues with insider threats is that it’s generally harder – and takes longer – to uncover them.
A point to consider: while it’s not a fail-safe approach, it’s worth having a fresh look at your screening process. Try to weed out potentially problematic employees before they are hired. According to this opinion piece on CSO, it’s important to review candidates in an extensive interview process that allows for more accurate evaluation.
IAM can be an effective tool against insider threats. By facilitating the development of clear IAM policies for access and data governance and ensuring compliance, an IAM platform can provide the tools to minimize the potential damage caused by human beings.
For example, on a modern IAM platform, access is granted according to policies that are evaluated at request time against real-time information, so each decision reflects current circumstances. This effectively eliminates access creep without requiring IT to update access privileges manually.
The new IAM platforms are contextual, meaning they are not just limited to who is accessing what, but also to how and what data is accessed. For example, an organization may opt to limit certain kinds of privileged access to people in the office, while allowing other resources to be used remotely.
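As an added illustration (not code from this post or from PlainID), the following Python model contrasts the two approaches described above for the clinic example: a static entitlement table that accumulates grants as roles change (access creep, and leavers who keep access), beside a policy-based decision computed from the user’s current role and the request context. The clinic roles, the `ONSITE_ONLY` rule and all names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed example: roles loosely follow the clinic scenario in the post.
# Static model: entitlements are granted to the user and never revoked.
# Policy model: every request is evaluated against the user's *current*
# attributes plus request context, so no manual clean-up is needed.


@dataclass
class User:
    name: str
    role: str                      # current role, e.g. "secretary", "doctor"
    department: str                # e.g. "cardiology"; "" once they have left
    static_grants: set = field(default_factory=set)  # accumulated grants


def grants_for(role, department):
    """Least-privilege resource set for a role (used by both models)."""
    if role == "secretary":
        return {"contact", "billing"}          # no medical history
    if role == "doctor":
        return {f"medical:{department}"}       # only their own field
    return set()                               # former employee, unknown role


# Static model: a role change adds new grants but keeps the old ones.
def change_role_static(user, new_role, new_department):
    user.role, user.department = new_role, new_department
    user.static_grants |= grants_for(new_role, new_department)


def allowed_static(user, resource):
    return resource in user.static_grants


# Policy model: contextual rule (assumed): billing only from the office.
ONSITE_ONLY = {"billing"}


def allowed_policy(user, resource, context):
    if resource in ONSITE_ONLY and context.get("location") != "office":
        return False
    return resource in grants_for(user.role, user.department)


def creep_demo():
    """Walk one user through hire, promotion and departure; return outcomes."""
    u = User("alex", "secretary", "front-desk")
    u.static_grants |= grants_for(u.role, u.department)
    change_role_static(u, "doctor", "cardiology")
    after_promotion = (allowed_static(u, "contact"),
                       allowed_policy(u, "contact", {"location": "office"}))
    change_role_static(u, "former-employee", "")
    after_leaving = (allowed_static(u, "medical:cardiology"),
                     allowed_policy(u, "medical:cardiology", {"location": "office"}))
    return {"promotion": after_promotion, "leaving": after_leaving}
```

In `creep_demo()` the static model still answers `True` after both the promotion and the departure, while the policy model answers `False` because the decision is recomputed from the user’s current attributes.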
As pointed out by Security Intelligence, an organization is at risk when it doesn’t have the right systems in place to protect information and secure identities. Recertification processes and policies – and the technology that supports them – ensure that appropriate controls are in place, and allow you to prove compliance. And with GDPR (General Data Protection Regulation) looming on the horizon – it has a May 25, 2018 “start date” – the stakes are higher than ever. As pointed out in our recent post about GDPR, most companies need to start being more conscious of their data protection practices, as they can ill afford data breaches once these regulations kick in.
A platform such as PlainID ensures the establishment of policies, processes, and accountabilities for IAM functions. By maintaining the many security advantages of least-privilege access in an automated and updated fashion, and accurately managing entitlements, the kind of data to which each staff member is exposed is minimized without hurting business processes – and this provides the much-needed level of control that can mitigate your organization’s exposure to risk.