Insider Threat, How Do You Deal With It?
IndiGo and SpiceJet, the budget airlines, are in the news again. InterGlobe, which runs IndiGo, has accused a former employee of stealing financial and price-sensitive information in order to use it in their new position with SpiceJet, a competitor of IndiGo. This person quit IndiGo and directly joined SpiceJet in September 2015.
What is Insider Threat?
While insider threat is mostly intentional, on some occasions it is ‘without intent’ or ‘accidental’. With advances in technology and Internet connectivity, a new threat is starting to stare you in the face: the Cyber Insider Threat, which is posed by a non-malicious insider. When it comes to cyber threats, countless data breach reports and incidents have shown that most of the problems are the result of the insider behind the keyboard. This person is ignorant, impatient and gullible; they fall prey to the social engineering tactics and phishing e-mails used by cyber criminals. Insiders tend to be too trusting, and that introduces significant security risk to businesses.
Measurable Damage From Data Breaches
Some examples of Data Breaches
- DC Metro Transit Cop Appears In Court for Allegedly Trying to Assist ISIS – August 3, 2016
- Fatal Descent Of Germanwings Plane Was ‘Deliberate,’ French Authorities Say – March 26, 2015
- NSA Contractor Allegedly Stole 50 Terabytes Of Data Over 20 Years – October 20, 2016
- Software Developer Outsourced Job To China Over VPN – January 16, 2013
- Tesla Sues Former Employee For Stealing ‘Hundreds Of Gigabytes’ of Data – January 27, 2017
So what can businesses do about Insider Threats?
Make your employees the first line of defense
- Educate them on spotting suspicious behavior, and treat them fairly
- Set clear policies, including defining which activities are permitted on your network and which are not
- Cyber security awareness and insider threat awareness training are a once-a-year activity in many organizations, or non-existent in some. Make sure these trainings are conducted regularly
Pay attention to your employees’ behavior and threat indicators at work
- Are they working odd hours, late nights, weekends? Do they remotely access servers, databases or applications while on vacation?
- Are they attempting to bypass security controls?
- Look out for visible disgruntlement towards co-workers and employer
- Look for patterns of frustration and disappointment
- Signs of vulnerability, such as drug or alcohol abuse, financial difficulties, gambling, illegal activities, poor mental health or hostile behavior, should trigger concern
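The odd-hours and vacation-time remote access indicators above can be checked mechanically against access logs rather than left to observation. The script below is an added example, not code from the original post: it parses constructed VPN login records, compares each login against an assumed organization-wide working-hours baseline and against constructed HR vacation records, and returns the events worth a second look. The log format, the user names, the addresses and the `WORK_START`/`WORK_END` window are all assumptions made for the illustration.

```python
"""Flag remote-access events that fall outside a user's normal working pattern.

Added example (not from the original post). The log format, user schedules and
vacation records are constructed for illustration only.
"""
from datetime import date, datetime, time

# Constructed sample of remote-access (VPN) log lines: "timestamp user source action".
SAMPLE_LOG = """\
2016-10-03T09:12:41 alice 203.0.113.7 vpn-login
2016-10-03T22:47:05 alice 203.0.113.7 vpn-login
2016-10-08T11:05:12 bob 198.51.100.4 vpn-login
2016-10-05T14:30:00 carol 192.0.2.9 vpn-login
2016-10-04T10:02:33 bob 198.51.100.4 vpn-logout
2016-10-04T10:02:33 bob 198.51.100.4 vpn-login
"""

# Constructed HR data: approved vacation windows (inclusive dates) per user.
VACATIONS = {
    "carol": [(date(2016, 10, 3), date(2016, 10, 7))],
}

# Assumed baseline of "normal" working hours for the whole organisation.
WORK_START = time(7, 0)
WORK_END = time(20, 0)


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, source, action)."""
    ts, user, source, action = line.split()
    return datetime.fromisoformat(ts), user, source, action


def is_off_hours(ts):
    """True for weekend access or access outside the WORK_START..WORK_END window."""
    if ts.weekday() >= 5:  # Monday=0 ... Saturday=5, Sunday=6
        return True
    return not (WORK_START <= ts.time() <= WORK_END)


def on_vacation(user, ts):
    """True if the user has an approved vacation window covering the event date."""
    return any(start <= ts.date() <= end for start, end in VACATIONS.get(user, []))


def find_anomalies(log_text):
    """Return a list of (user, iso_timestamp, reason) for logins that need review.

    Vacation-time access is reported in preference to off-hours access when
    both apply, since it is the stronger indicator.
    """
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, source, action = parse_line(line)
        if action != "vpn-login":
            continue  # only successful logins are baselined here
        if on_vacation(user, ts):
            findings.append((user, ts.isoformat(), "remote access during approved vacation"))
        elif is_off_hours(ts):
            findings.append((user, ts.isoformat(), "off-hours remote access"))
    return findings


if __name__ == "__main__":
    for user, when, reason in find_anomalies(SAMPLE_LOG):
        print(f"{when} {user}: {reason}")
```

A single fixed working-hours window is the simplest possible baseline; in practice the window would be learned per user from their own login history, and the vacation data would come from the HR system rather than a dictionary. The structure of the check stays the same either way.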
Prioritize your Assets
- Concentrate monitoring resources where it matters
- Many companies have a ‘BYOD’ policy. This is not a great practice, and these devices must be monitored carefully
- Once a person leaves the organization, make sure their machines/devices are formatted and all data cleaned up before the asset is handed over to another employee
Know and Monitor your Network
- Monitor the network continuously; use tools that can identify trends in access patterns and flag such cases
- Baseline normal behaviors on the network; look for anomalies
- Monitor the social media activities of employees, particularly those serving their notice period and immediately after they have left
- Have they joined a competitor or ventured into a similar business?
- Separate duties for key functions. Not every employee needs access to every piece of data, so segment your networks and restrict privileges to ensure that employees can access only the files and applications they need
- For example, your accounts department probably has no need to access project files and employees in one country may not be legally allowed to access customer data from another country
- You can also assign specific roles to employees with identity management or data-labeling tools. The larger the company, the more likely it will need all of these controls
- Grant least privilege and put audit and control mechanisms in place. Authorize users based on least access privilege and conduct periodic audits to detect access that was granted inappropriately, or that still exists from previous job roles/functions and should be removed
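The periodic access audit described in the last four bullets (least privilege, separation of duties, cross-country data access, and access left over from a previous role) can be expressed as a small check over the entitlements each account holds. The script below is an added example, not code from the original post or from any product: the roles, users, entitlement names, region tags and the separation-of-duties pair are all constructed assumptions, and a real audit would pull the same three inputs (role definitions, current entitlements, HR status) from the identity management system.

```python
"""Audit account entitlements against role definitions (least-privilege check).

Added example (not from the original post). Roles, users, entitlements, region
tags and the separation-of-duties pairs are constructed for illustration.
"""

# Constructed role definitions: the access each job role legitimately needs.
ROLE_ENTITLEMENTS = {
    "accounts-payable": {"vendor-create", "invoice-entry"},
    "treasury": {"payment-approve"},
    "engineering": {"source-repo", "build-server", "project-files"},
    "sales": {"crm-eu", "crm-us"},
}

# Constructed mapping of entitlements to the region whose customer data they expose.
ENTITLEMENT_REGION = {"crm-eu": "EU", "crm-us": "US"}

# Constructed pairs of entitlements that one person should never hold together.
SOD_PAIRS = [("vendor-create", "payment-approve")]

# Constructed current state: each user's role (None = departed), region and
# the entitlements actually held. alice moved from accounts-payable to
# engineering and kept "vendor-create"; dave has left but still has an account.
USERS = {
    "alice": {"role": "engineering", "region": "US",
              "entitlements": {"source-repo", "build-server", "project-files", "vendor-create"}},
    "bob": {"role": "treasury", "region": "US",
            "entitlements": {"payment-approve", "vendor-create"}},
    "carol": {"role": "sales", "region": "EU",
              "entitlements": {"crm-eu", "crm-us"}},
    "dave": {"role": None, "region": "US",
             "entitlements": {"source-repo"}},
}


def audit_entitlements(users, role_entitlements, entitlement_region, sod_pairs):
    """Return a list of (user, entitlement, reason) findings for review.

    Checks, per user: departed accounts with any access, entitlements not
    required by the current role, cross-region data access, and
    separation-of-duties conflicts.
    """
    findings = []
    for user, record in sorted(users.items()):
        held = set(record["entitlements"])
        role = record["role"]
        if role is None:
            for ent in sorted(held):
                findings.append((user, ent, "account of departed user still has access"))
            continue
        allowed = role_entitlements.get(role, set())
        for ent in sorted(held - allowed):
            findings.append((user, ent, f"not required by current role '{role}'"))
        for ent in sorted(held):
            data_region = entitlement_region.get(ent)
            if data_region is not None and data_region != record["region"]:
                findings.append((user, ent,
                                 f"data is in region '{data_region}' but user is in region '{record['region']}'"))
        for a, b in sod_pairs:
            if a in held and b in held:
                findings.append((user, f"{a}+{b}", "separation-of-duties conflict"))
    return findings


if __name__ == "__main__":
    for user, ent, reason in audit_entitlements(USERS, ROLE_ENTITLEMENTS, ENTITLEMENT_REGION, SOD_PAIRS):
        print(f"{user:6} {ent:30} {reason}")
```

Running the audit on the constructed data surfaces alice's leftover `vendor-create` from her previous role, bob holding both halves of the vendor-create/payment-approve pair, carol's US customer data access from the EU, and dave's orphaned account. Each finding is something the access review should either remove or explicitly justify.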
The bottom line is that the days are gone when CXOs could happily assume that someone was looking after their cyber security. If you are a business owner you will have to stay a step ahead and rely on various tools and processes to detect anomalies as early as possible, before your data, assets or personnel are compromised. While developing a holistic insider threat program is necessary, your direct involvement is a must in a matter as serious as the insider threat. After all, the future of your company could be at stake.