
Developing an Insider Threat Detection Program


If you only listened to the news, you would think that an organization has to worry about nothing but hackers, malware, DDoS, and ransomware attacks. While the biggest threats commonly come from outside cyberattacks, these are not the only concerns a company faces. Companies need to recognize the other significant threat to an organization's critical assets: malicious and non-malicious insiders.

There are two main categories of insider threats:

Unintentional Threat

Unintentional insider threats can stem from several sources. The first may actually originate outside the organization: the credentials of an internal user can be stolen and used by an external attacker. This is what happened when Target and Home Depot were breached. Third-party vendors and contractors tend to be overlooked when security measures are implemented, which makes them attractive footholds: an attacker compromises the vendor's access first and then uses that internal entry point to expand the attack and move laterally through the company's systems. A contractor or vendor can also be tricked or coerced into accessing sensitive data on an attacker's behalf, so measures should always be taken to prevent this. One such measure is a continuous authentication solution, which re-authenticates a user in the background every few seconds without interrupting their work.

Another unintentional insider threat comes from unauthorized insiders created by password sharing. According to a Cyber-Ark survey, more than half of organizations admit that their staff share passwords and accounts with one another even though policy clearly says they shouldn't. Sharing often starts out of convenience, for example when a user is covering for a colleague and needs their login credentials for a system they don't normally use.

The most obvious, yet potentially the most dangerous, insider threat is simple carelessness. Forgetting to log off a public terminal, using an unsecured Wi-Fi connection when working remotely, or accessing sensitive information from a mobile device that others can use are just a few of the behaviours that can lead to serious security consequences. In March 2016, the Feinstein Institute for Medical Research paid $3.9 million in a HIPAA settlement for a data breach that compromised the data of 13,000 patients. The cause of this critical breach was a laptop stolen from an employee's car.

The resulting leaks or attacks don't start as anything malicious, but the security exposure created by carelessness can still have serious repercussions.

Malicious Threat

These threats are initiated by an employee or third-party vendor who intentionally accesses sensitive information with the intent to use it in an unauthorized manner. The malicious insider is the hardest to identify, because the employee has already passed a background check and been granted access to information as part of their job. Why would a company have malicious insiders? The possibilities range from something as detailed and planned as someone posing as a willing employee to gain insider information, to something as simple as a disgruntled employee who started out loyal to the firm and has since found a reason to retaliate against the organization. Whatever the motive, the insider who deliberately intends to harm a company is probably the most dangerous threat of all, and the hardest to mitigate with security protocols.

For anyone asking whether insider threats are still a prevalent concern, it is important to note that we are far from solving this problem.

What can be done to combat this issue? Training is an essential piece, ensuring that all employees are aware of the possible consequences of their actions. Whether the threat is intentional or unintentional, putting strict security measures in place, with severe consequences for specific breaches of security protocol, creates greater awareness of the security of company data.

Companies should adopt NIST’s Framework for Improving Critical Infrastructure Cybersecurity, which outlines measures to include:

• Identify
• Protect
• Detect
• Respond
• Recover

Additionally, to safeguard against malicious attempts, many organizations are starting to implement network surveillance techniques that aim to detect and shut down the misuse of login credentials.

Whatever the initial source of an insider threat, every organization should make it a best practice to go beyond education and training and use software that can identify user trends and confirm that no data is being compromised. While technology has come a long way, this threat has yet to be resolved.
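As an added illustration of the credential-misuse monitoring and user-trend analysis described above (example code written for this page, not from the article or any vendor product), the script below runs two simple detections over a constructed authentication log: the same account logging in from several sources within minutes, which is a typical signal of a shared or stolen password, and third-party accounts used outside business hours. The log line format and the `vendor-` account-naming prefix are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). Assumed format:
# "<ISO timestamp> user=<account> src=<host or ip> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-04T08:55:10 user=jdoe src=10.0.1.15 result=ok
2024-03-04T09:01:00 user=jdoe src=192.0.2.44 result=fail
2024-03-04T09:02:41 user=jdoe src=10.0.1.15 result=ok
2024-03-04T09:05:03 user=vendor-hvac src=203.0.113.7 result=ok
2024-03-04T09:06:30 user=jdoe src=10.0.7.88 result=ok
2024-03-04T09:07:12 user=jdoe src=192.0.2.44 result=ok
2024-03-04T13:15:00 user=asmith src=10.0.1.20 result=ok
2024-03-04T22:48:09 user=vendor-hvac src=198.51.100.9 result=ok
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(ok|fail)$")

def parse_log(text):
    """Return sorted (timestamp, user, src) tuples for successful logins only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(4) == "ok":
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)

def shared_credential_alerts(events, window=timedelta(minutes=10), min_sources=2):
    """Flag accounts that log in from min_sources or more distinct sources inside one
    sliding window. One person rarely works from several hosts within minutes, so the
    pattern points at a shared or stolen password. Returns {user: [sources]}."""
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    alerts = {}
    for user, logins in by_user.items():
        for i, (start, _) in enumerate(logins):
            srcs = {s for t, s in logins[i:] if t - start <= window}
            if len(srcs) >= min_sources and len(srcs) > len(alerts.get(user, [])):
                alerts[user] = sorted(srcs)  # keep the widest set of sources seen
    return alerts

def off_hours_alerts(events, prefix="vendor-", start_hour=7, end_hour=19):
    """Flag third-party accounts (assumed naming prefix) used outside business hours,
    when the vendor's own staff are unlikely to be the ones logging in."""
    return [(user, ts.isoformat(), src) for ts, user, src in events
            if user.startswith(prefix) and not start_hour <= ts.hour < end_hour]
```

With the sample log, `shared_credential_alerts` reports `jdoe` from three sources within five minutes and `off_hours_alerts` reports the late-night `vendor-hvac` login; tune the window and hours to the organization's own working patterns to keep false positives down.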
