Insider Threats, a Cybercriminal Favorite, Not Easy to Mitigate

enfuse 2019

Rogue employees — not just external threat groups — pose a formidable threat to incident response teams.

LAS VEGAS – Insider threats are an ongoing top danger for companies — but when it comes to mitigation efforts, incident-response teams face an array of challenges.

Discussions with various incident-response teams revealed that between 25 and 30 percent of data breaches involved an external actor working with an internal person in an organization, according to Paul Shomo, senior security architect with OpenText.

“We used to focus on external threat actors, but now, when compromising the network, many have someone on the inside, whether it’s because they bribed them or blackmailed them,” Shomo said, speaking at ENFUSE 2019 on Tuesday in Las Vegas.

Insider threats continue to be a security thorn in companies’ sides: Just last week, the Department of Justice (DoJ) charged two former Twitter employees for allegedly accessing thousands of accounts on behalf of Saudi Arabia; also last week, Trend Micro said that a rogue employee sold the data of 68,000 customers to a malicious third party, who then used that data to target customers with scam calls.

Mitigation Challenges

Brian Coleman, director of forensic analysis and investigations at pharmaceutical giant Pfizer, said at ENFUSE that he faces the insider-threat challenge daily: he oversees the monitoring of suspicious network activity across Pfizer’s almost 250,000 endpoints in order to root out potential insider threats.

There are various methods of detection when it comes to insider threats, he said – including monitoring employees’ log data; tracking whether they download substantial amounts of data to external drives; watching for attempts to bypass security controls or to access confidential data that is irrelevant to an employee’s role; and tracking employees who access data outside of normal working hours. In addition, emailing sensitive data to a personal account and excessive use of printers and scanners are other indicators of insider threats.
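The indicators Coleman lists can be expressed as detection rules over endpoint and application logs. The following is an added example written for this article, not Pfizer’s or any vendor’s tooling: it runs a small rule set over a constructed batch of events and returns, per user, which indicators fired. The thresholds, the role-to-data-classification map, the list of personal email domains and the event schema are all assumptions chosen for illustration.

```python
"""Score constructed log events against the insider-threat indicators above.
Added example for this article; thresholds and role map are assumptions."""
from collections import defaultdict
from datetime import datetime

# Illustrative thresholds (assumptions, not figures from the article).
USB_BYTES_THRESHOLD = 500 * 1024 * 1024   # bytes copied to removable media
PRINT_PAGES_THRESHOLD = 200               # pages per user per day
WORK_HOURS = (7, 19)                      # 07:00-19:00, Monday to Friday
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}

# Which data classifications each role legitimately needs (assumption).
ROLE_ACCESS = {
    "finance": {"financial"},
    "engineer": {"source-code"},
    "hr": {"personnel"},
}


def off_hours(ts: datetime) -> bool:
    """True on weekends or outside the working-hours window."""
    start, end = WORK_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect(events):
    """Return {user: [indicator strings]} for every event that matches a rule."""
    findings = defaultdict(list)
    print_pages = defaultdict(int)  # (user, date) -> pages printed that day
    for e in events:
        user, kind = e["user"], e["type"]
        ts = datetime.fromisoformat(e["ts"])
        if kind == "data_access":
            # Data outside the role's need-to-know, and access at odd hours.
            if e["classification"] not in ROLE_ACCESS.get(e["role"], set()):
                findings[user].append(f"access outside role: {e['classification']}")
            if off_hours(ts):
                findings[user].append(f"off-hours access at {ts.isoformat()}")
        elif kind == "file_copy" and e.get("dest") == "removable":
            if e["bytes"] > USB_BYTES_THRESHOLD:
                findings[user].append(
                    f"large copy to removable media ({e['bytes'] // 2**20} MB)")
        elif kind == "email" and e.get("sensitive"):
            # Sensitive material sent to a personal (non-corporate) mailbox.
            domain = e["recipient"].rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_DOMAINS:
                findings[user].append(f"sensitive email to personal account {domain}")
        elif kind == "control_bypass_attempt":
            findings[user].append(f"attempt to bypass control: {e['control']}")
        elif kind == "print":
            # Flag once, the first time the daily page total crosses the threshold.
            key = (user, ts.date())
            before = print_pages[key]
            print_pages[key] += e["pages"]
            if before <= PRINT_PAGES_THRESHOLD < print_pages[key]:
                findings[user].append(
                    f"excessive printing: {print_pages[key]} pages on {ts.date()}")
    return dict(findings)


# Constructed sample events (2019-11-05 is a Tuesday, 2019-11-06 a Wednesday).
SAMPLE_EVENTS = [
    {"ts": "2019-11-05T10:15:00", "user": "alice", "role": "engineer",
     "type": "data_access", "classification": "source-code"},
    {"ts": "2019-11-05T23:40:00", "user": "bob", "role": "engineer",
     "type": "data_access", "classification": "financial"},
    {"ts": "2019-11-05T23:45:00", "user": "bob", "type": "file_copy",
     "dest": "removable", "bytes": 2 * 1024**3},
    {"ts": "2019-11-06T09:00:00", "user": "carol", "type": "email",
     "recipient": "carol.home@gmail.com", "sensitive": True},
    {"ts": "2019-11-06T09:30:00", "user": "carol", "type": "email",
     "recipient": "dave@example.com", "sensitive": True},
    {"ts": "2019-11-06T11:00:00", "user": "dave",
     "type": "control_bypass_attempt", "control": "DLP agent"},
    {"ts": "2019-11-06T14:00:00", "user": "erin", "type": "print", "pages": 150},
    {"ts": "2019-11-06T15:00:00", "user": "erin", "type": "print", "pages": 120},
]

if __name__ == "__main__":
    for user, hits in detect(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(hits))
```

Each rule is deliberately simple so that an analyst can read why a user was flagged; in practice the hits would be weighted and correlated (a single off-hours login is routine, an off-hours login followed by a 2 GB copy to a USB drive is not), and the role map and thresholds would come from HR and data-classification systems rather than constants.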

Challenges are bubbling up when it comes to monitoring employees without violating privacy laws, said Coleman. With the increase of bring your own device (BYOD) policies, many companies walk a fine line in monitoring employees for insider threats – and balancing that surveillance with employee data privacy.

As an example, the General Data Protection Regulation (GDPR) does not explicitly change rules on employee monitoring, but the privacy law does include a number of provisions which will make monitoring more difficult for companies. Under GDPR, employers must seek out valid consent from employees when they monitor their devices, for instance.

“To comply with GDPR, there’s a delicate partnership in the privacy department where you need to understand that employees must also understand they’re being monitored,” said Coleman. “We have to monitor, but folks also have their own rights when it comes to monitoring.”

In addition, companies must navigate intentional malicious threats – for instance, a disgruntled employee who wants to destroy or steal data from his employer, or an inside agent stealing data for the benefit of outsiders – versus unintentional threats – such as a careless worker who may misappropriate resources, mishandle data, open phishing emails or install unauthorized applications.

While both types of employees are detrimental to companies, different mitigation efforts are needed for each. For instance, human-resources measures are a top priority when rooting out rogue employees — including background checks, non-disclosure agreements and more — while training can help curb the unintentional threats posed by careless employees.

“When it comes to the human factor, there are two sides of the coin,” said Jason Sachowski, director of information security at Scotiabank, speaking at ENFUSE. “Humans are their own worst enemy. We see the ‘no do’ gap – when employees know what’s wrong and what they should do, but they don’t practice what they preach… We need to understand that humans are the most valuable asset. If you don’t have people, you don’t have a security team.”

Insider Threats Here to Stay

Insider threats continue to plague companies. In fact, according to the Verizon Data Breach Investigations Report from this year, “privilege misuse and error by insiders” account for 30 percent of breaches.

In May, for instance, a report outlined how Snap employees were abusing their access to private user data – which includes location data, saved Snaps and phone numbers. And a report in 2018 found that Facebook had fired an employee who allegedly abused their access to data to stalk women.

“You have to assume the bad actors are already within your perimeter,” said Mark Barrenechea, OpenText CEO and CTO. “To protect against insiders you have to think about those who you trust and give information to.”
