- Disable former employees’ accounts
- Document policies
- Use the principle of least privilege
- Restrict data transfer
- Maintain visibility
- Keep logs
- Enable session timeout
- Segment your network
- Conduct background checks before hiring
- Train employees
- Outsource if necessary
- Perform risk assessments
- Implement physical security
- Watch for signs
While many organizations assume that their biggest risks involve some hooded, faceless hacker in a remote location, the biggest cybersecurity threats often come from within. Current and former employees, vendors, contractors, and partners can leverage existing knowledge and access to utterly decimate a business. An effective insider threat program helps protect sensitive data, prevent unauthorized access, and reduce the risk of a data breach.
What are insider security threats?
Insider security threats may be malicious or nonmalicious — but no matter the intent, they can hurt your business. Here are three types of insider security threats:
Turncloak: A malicious insider with valid credentials abuses their legitimate access with malicious intent.
Imposter: An outsider uses an insider’s credentials to pose as a legitimate user.
Pawn: An unsuspecting employee inadvertently aids an attack by performing a desired action, such as succumbing to a social engineering attempt or downloading malware. The user may have behaved recklessly, but this is considered a nonmalicious insider threat.
Regardless of the attack classification, you should know how to protect your business. We’ll share some of the top security controls for insider threat management.
Disable former employees’ accounts
When an employee leaves your company, deactivate their account as soon as possible. If an employee seems disgruntled, you’ll probably be eager to disable their account before they even pack up their overwatered office houseplant. However, even employees with whom you part ways on good terms could misuse lingering access to steal clients or access other information. It’s safer just to make a clean break and get all former employees out of your systems as soon as possible.
Document policies
Your security policy should detail guidelines and procedures to prevent misuse and investigate potential insider threat incidents. In addition, it should spell out the consequences of improper actions to provide a clear roadmap of how you’ll proceed (and hopefully deter employee misbehavior).
Your password policy should call for hard-to-crack credentials, ideally with multifactor authentication. This can reduce the risk of imposter insider threats. Beyond that, don’t skimp on your policies related to data protection, incident response, third-party access, user monitoring, or account management. After all, comprehensive IT policies are the main thing separating us from the other great apes.
Use the principle of least privilege
The principle of least privilege (PoLP) is one of the simplest yet most essential information security concepts. Simply put, users only need enough access to complete required tasks. You don’t need your customer service team digging into your HR records or your marketing folks doing a deep dive into your accounting.
While the idea of PoLP is straightforward, applying it is slightly more challenging. You can use role-based controls with Group Policy to restrict a user’s authorized access to the information they need to do their job. In addition, employees with administrator roles should have separate accounts for their nonadministrative tasks for a clearer separation of duties.
A privileged access management (PAM) solution simplifies access monitoring for privileged accounts and critical assets.
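Least privilege is easiest to keep honest when you can compare what each account actually holds against what its role needs. The following is an added example of such an audit, not PDQ's code or any product feature: roles, permissions and the sample accounts are constructed, and "excess grants" simply means any permission the account's role does not justify (an unknown role justifies nothing). It also flags a privileged account that is being used for everyday tasks like email or web browsing, the separation-of-duties point made above.

```python
"""Least-privilege audit (added example, constructed data).

Compares each account's actual grants with the permissions its role needs and
reports anything extra, plus admin accounts that double as daily-driver accounts.
"""
from dataclasses import dataclass, field

# Constructed role model: each role lists the only permissions it needs.
ROLE_PERMISSIONS = {
    "customer_service": {"crm:read", "tickets:write"},
    "marketing": {"cms:write", "analytics:read"},
    "hr": {"hr_records:read", "hr_records:write"},
    "domain_admin": {"ad:admin", "servers:admin"},
}

# Activities that should never happen from a privileged account.
ROUTINE_USE = {"email", "web"}


@dataclass
class Account:
    name: str
    role: str
    grants: set
    used_for: set = field(default_factory=set)  # observed activities, e.g. {"email"}


def excess_grants(account):
    """Grants not justified by the account's role. Deny by default: an unknown
    role justifies nothing, so every grant on such an account is excess."""
    allowed = ROLE_PERMISSIONS.get(account.role, set())
    return sorted(account.grants - allowed)


def admin_misuse(account):
    """True when a privileged account is also used for routine work."""
    return "ad:admin" in account.grants and bool(account.used_for & ROUTINE_USE)


def audit(accounts):
    """Return (account, finding_type, detail) tuples for every violation."""
    findings = []
    for acct in accounts:
        extra = excess_grants(acct)
        if extra:
            findings.append((acct.name, "excess_grants", extra))
        if admin_misuse(acct):
            findings.append((acct.name, "admin_account_daily_use", sorted(acct.used_for)))
    return findings


# Constructed sample: one clean account, one with privilege creep into HR data,
# one admin account used for email, and one account with a role nobody defined.
SAMPLE_ACCOUNTS = [
    Account("alice", "customer_service", {"crm:read", "tickets:write"}),
    Account("bob", "marketing", {"cms:write", "analytics:read", "hr_records:read"}),
    Account("carol-adm", "domain_admin", {"ad:admin", "servers:admin"}, {"email", "web"}),
    Account("carol", "hr", {"hr_records:read", "hr_records:write"}),
    Account("dave", "intern", {"crm:read"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        print(finding)
```

Run this against an export of real group memberships and the "excess" list becomes your review queue; the deny-by-default handling of unknown roles is deliberate, because an undocumented role is itself a finding.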
Restrict data transfer
Data security is paramount, so you must protect data through its full lifecycle. Restricting data transfer helps guard against potential corruption and theft. Policies should govern what information employees can and can’t share. Software can help you enforce these policies and scan outgoing email text for possible violations. Sensitive information, such as intellectual property and trade secrets, should never be sent to external email addresses or copied to USB drives.
Use a data loss prevention (DLP) system to enforce your rules for classifying and protecting data. DLP software also alerts you of violations so that you can investigate incidents further.
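To make the "scan outgoing email text" idea concrete, here is an added example of a minimal outbound-mail DLP check. It is not code from PDQ or from any DLP product; the internal domain, the rule set and the sample messages are constructed. Each rule carries a severity, and the decision depends on whether any recipient is outside the company: sensitive content to an external address is blocked, the same content sent internally only raises an alert for review. A Luhn check keeps ordinary 16-digit numbers from being reported as card numbers.

```python
"""Outbound e-mail DLP check (added example, constructed rules and data)."""
import re

INTERNAL_DOMAIN = "example.com"  # constructed company domain

# (label, pattern, severity). 'block' rules stop external delivery outright.
RULES = [
    ("classification_marking", re.compile(r"\b(CONFIDENTIAL|TRADE SECRET)\b", re.I), "block"),
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "block"),
    ("card_number", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "alert"),
]


def luhn_ok(digits):
    """Luhn checksum over a digit string; cuts false positives on card-like numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_violations(body):
    """Return [(label, severity)] with at most one hit per rule."""
    hits = []
    for label, pattern, severity in RULES:
        for match in pattern.finditer(body):
            if label == "card_number":
                digits = re.sub(r"\D", "", match.group(0))
                if not luhn_ok(digits):
                    continue  # looks like a card number but fails the checksum
            hits.append((label, severity))
            break
    return hits


def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def decide(recipients, body):
    """Return ('allow' | 'alert' | 'block', hits). External recipients escalate
    block-severity hits to a block; everything else with a hit is an alert."""
    hits = find_violations(body)
    if not hits:
        return "allow", hits
    external = any(is_external(r) for r in recipients)
    if external and any(sev == "block" for _, sev in hits):
        return "block", hits
    return "alert", hits


if __name__ == "__main__":
    # Constructed sample messages.
    print(decide(["partner@other.org"], "Attached is the CONFIDENTIAL roadmap."))
    print(decide(["bob@example.com"], "Attached is the CONFIDENTIAL roadmap."))
    print(decide(["partner@other.org"], "Card on file: 4111 1111 1111 1111"))
    print(decide(["partner@other.org"], "Order ref 1234 5678 9012 3456"))
```

The rule list is where a real deployment gets its value: add patterns for your own classification labels and document identifiers, and keep the severity split so that reviewers see alerts without users being blocked on every false positive.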
Maintain visibility
Insider threat detection requires understanding normal user behavior so that you can spot suspicious activity more easily. Equipping your security team with robust data and analytics gives them a clear window into your environment so that they can investigate anything suspicious.
If your business requires the utmost security, you might implement keystroke loggers or an extensive camera system to monitor potential misuse. But be careful: Implementing extreme measures unnecessarily can seem off-puttingly dystopian to employees.
If you’re looking for tools to improve your visibility, there’s no shortage of options. Get insights from user behavior analytics (UBA) technology, log management solutions, log correlation engines, security information and event management systems (SIEMs), and change auditing software.
Keep logs
Even with the best preventative measures, you might experience an insider attack. And if that happens, your logs will become your new best friends. With extensive logs (and maybe some mailbox journaling), you can retrace the insider’s steps to clarify what happened.
As a bonus, when you spot a potential insider threat, you can go through the user’s previous actions to see if their behavior has been suspicious in the past. A one-time incident may be an accident or coincidence, but a long-term pattern probably points to a more severe problem.
Enable session timeout
It would be nice if every user locked their computer when they stepped away for their morning gossip sesh, but we all know that’s not going to happen. That’s why you should configure sessions to time out if the user is away from their computer for an extended period. The longer the session remains active while they’re away, the more opportunity for another employee to impersonate that user.
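Session timeout on a workstation is a Group Policy or screen-saver setting, but the same rule applies to any application that issues sessions. As an added example (not from the original post or any PDQ product), here is a server-side session store with an idle timeout and an absolute lifetime. The clock is injected so the expiry logic can be exercised without waiting; the timeout values are constructed and would come from your policy.

```python
"""Session store with idle and absolute timeouts (added example)."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # seconds without activity before the session dies (constructed)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on session lifetime regardless of activity (constructed)


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # token -> {"user", "created", "last_seen"}

    def _expired(self, session, now):
        return (now - session["last_seen"] > IDLE_TIMEOUT
                or now - session["created"] > ABSOLUTE_TIMEOUT)

    def create(self, user):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user for a live session and refresh its idle timer, or
        None (dropping the session) when it has expired or never existed."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if self._expired(session, now):
            del self._sessions[token]
            return None
        session["last_seen"] = now
        return session["user"]

    def sweep(self):
        """Drop every expired session; meant to run periodically. Returns the count."""
        now = self._clock()
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def live_count(self):
        return len(self._sessions)


class FakeClock:
    """Constructed clock for the demonstration; advance() simulates time passing."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo_idle():
    """Activity every 10 minutes keeps the session alive; 16 idle minutes kills it."""
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.create("alice")
    clock.advance(10 * 60)
    first = store.validate(token)   # live, 10 minutes idle
    clock.advance(10 * 60)
    second = store.validate(token)  # live, idle timer was refreshed above
    clock.advance(16 * 60)
    third = store.validate(token)   # expired, 16 minutes idle
    return first, second, third


def demo_absolute():
    """Constant activity cannot extend a session past the absolute limit."""
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.create("bob")
    for _ in range(ABSOLUTE_TIMEOUT // (5 * 60)):
        clock.advance(5 * 60)
        store.validate(token)
    clock.advance(5 * 60)
    return store.validate(token), store.live_count()


if __name__ == "__main__":
    print(demo_idle())
    print(demo_absolute())
```

The absolute timeout matters for the impersonation scenario above: an idle timer alone can be kept alive indefinitely by whoever is sitting at the unlocked machine.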
Segment your network
Partition your network into smaller networks to ensure critical data and applications are available to those who need them and no one else. Flat networks are susceptible to lateral movement, giving a malicious insider widespread access.
Conduct background checks before hiring
Screening potential employees can help you prevent internal threats before they occur. Everyone has a past. While a summer spent following Celine Dion on tour may be mildly disconcerting, a storied background in con artistry or anger-related offenses is a huge red flag.
Standard background checks usually verify identity, employment, education, credit history, and any criminal record. For more comprehensive insight, consider non-obvious relationship awareness (NORA) software that mines data to uncover less readily apparent conclusions.
Train employees
Since users are responsible for an awful lot of cybersecurity incidents, every business needs security awareness training, which can also address multiple aspects of insider threats. Understanding social engineering, malware, and other common threat tactics can equip users to prevent imposter and pawn insider attacks. Insider threat awareness training can also encourage employees to recognize and report suspicious actions of coworkers that may indicate a turncloak attack.
Outsource if necessary
If you don’t have the resources to oversee thorough security measures in house, outsourcing to an IT security company is a convenient solution. A third-party service may also be better equipped to look impartially at the actions of all users, including those with administrator roles.
Perform risk assessments
Know where assets reside, who needs to access them, and their potential vulnerability to insider risk. Using the information acquired from cybersecurity tests, prioritize your risks and continue to enhance your posture accordingly.
Implement physical security
Strong physical security can deter both internal and external threats. Limit physical access to critical infrastructure to those who truly need it. This is particularly important for high-value systems that your company relies on for everyday operations. Key cards alone may not be enough since someone could swipe or borrow one from another employee. Two-factor authentication (potentially including biometrics) is a better solution. Gotta keep that server room safe at all costs!
Beyond that, don’t neglect your discards. Properly dispose of old hardware and documents to thwart any nefarious dumpster divers. Thoroughly erase data, and then recycle the hardware.
Watch for signs
You can’t predict every insider threat incident, but you can definitely see some coming. The following signs may hint that an employee is planning an insider attack.
- Behaving unusually (disagreeing more than usual, unexpected financial gain, etc.)
- Sidestepping security measures
- Downloading large amounts of data
- Accessing data that isn’t related to their position
- Attempting to use unauthorized applications
- Using their own storage devices
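The "maintain visibility" and "keep logs" sections above say that detection starts from a baseline of normal behavior, and the list of signs names what to look for. The following added example (not from the original post or any PDQ product) ties the two together over a handful of constructed file-access log lines: it builds each user's daily download volume, flags a day far above that user's other days, flags downloads from a department share the user does not belong to, and flags writes to removable media. The log format, the user-to-department map and the spike factor are all constructed.

```python
"""Insider-threat signals over constructed file-access logs (added example)."""
from collections import defaultdict
from statistics import mean

# Constructed log lines: date user action resource bytes
SAMPLE_LOG = """\
2024-03-01 alice download smb://files/sales/q1.xlsx 120000
2024-03-02 alice download smb://files/sales/q2.xlsx 150000
2024-03-03 alice download smb://files/sales/leads.csv 130000
2024-03-04 alice download smb://files/sales/all_customers.csv 48000000
2024-03-04 alice usb_write E:/customers.zip 48000000
2024-03-01 bob download smb://files/eng/design.pdf 900000
2024-03-02 bob download smb://files/eng/spec.docx 700000
2024-03-03 bob download smb://files/hr/salaries.xlsx 20000
2024-03-04 bob download smb://files/eng/notes.txt 800000
"""

DEPARTMENT = {"alice": "sales", "bob": "eng"}  # constructed HR data
SPIKE_FACTOR = 5.0  # a day's volume above 5x the user's mean of other days is a spike


def parse(log_text):
    """Parse the constructed 'date user action resource bytes' format."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, user, action, resource, nbytes = line.split()
        events.append({"date": date, "user": user, "action": action,
                       "resource": resource, "bytes": int(nbytes)})
    return events


def daily_download_volume(events):
    """user -> date -> total bytes downloaded that day."""
    volume = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "download":
            volume[e["user"]][e["date"]] += e["bytes"]
    return volume


def share_department(resource):
    """smb://files/<dept>/... -> dept, or None for other resources."""
    parts = resource.split("/")
    return parts[3] if resource.startswith("smb://") and len(parts) > 3 else None


def detect(events):
    """Return (user, date, signal, detail) tuples, sorted for stable review."""
    findings = []
    for user, days in daily_download_volume(events).items():
        for date, total in days.items():
            others = [v for d, v in days.items() if d != date]
            # Baseline is the user's own history, so a heavy user is not
            # flagged for being heavy; only for departing from their norm.
            if others and total > SPIKE_FACTOR * mean(others):
                findings.append((user, date, "bulk_download", total))
    for e in events:
        if e["action"] == "download":
            dept = share_department(e["resource"])
            if dept and dept != DEPARTMENT.get(e["user"]):
                findings.append((e["user"], e["date"], "out_of_role_access", e["resource"]))
        elif e["action"] == "usb_write":
            findings.append((e["user"], e["date"], "removable_media", e["resource"]))
    return sorted(findings, key=lambda f: f[:3])


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

Two signals landing on the same user and day (the bulk download followed by the USB write) is the kind of pattern the "keep logs" section has in mind: each event alone might be explained away, but together they justify pulling that user's history.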
PDQ Inventory gives you visibility into your systems, while Deploy keeps them up to date. Along with the insider threat mitigation methods discussed above, these two IT management powerhouses support a more secure environment. And soon, PDQ Connect will officially join the bunch to enhance your remote Windows device management.
While these tools won’t prevent a scorned employee from stealing all the good pens from the supply cabinet, they can at least help keep your systems running smoothly.
Part writer, part sysadmin fangirl, Meredith gets her kicks diving into the depths of IT lore. When she's not spending quality time behind a computer screen, she's probably curled up under a blanket, silently contemplating the efficacy of napping.