Insider Threat, how do you deal with it ?
IndiGo and SpiceJet, the budget airlines, are again in the news. InterGlobe, that runs IndiGo, has accused its former employee of stealing financial and price-sensitive information to deploy and use it in their position with SpiceJet, a competitor of IndiGo. This person quit IndiGo and directly joined SpiceJet in September 2015.
After the person resigned, InterGlobe alleged that a routine internal security audit revealed that this person fraudulently accessed the company network and copied a large number of confidential files onto removable data storage devices without consent.
While IndiGo, SpiceJet take battle to cyber crime unit, the question that arises is - How could businesses avoid inside threats? Before we answer this question let’s take a look at what insider threat is all about.
What is Insider Threat?
An insider threat occurs when a current or former employee, contractor or business partner, who has or had authorized access to an organization’s network systems, data or premises, uses that access to compromise the confidentiality, integrity or availability of the organization’s network systems, data or premises, whether unwittingly or wittingly. Insider threats can include fraud, theft of intellectual property (IP) or trade secrets, unauthorized trading, espionage, terrorism, and IT infrastructure sabotage.
While inside threat is mostly intentional, in some occasions it is 'without intent' or ‘accidental’. With advances in technology and Internet connectivity, there is new threat starting to stare at your face - called the Cyber Insider Threat, which is a Non-Malicious Insider. When it comes to cyber threats, countless data breach reports and incidents have shown that most of the problems are the result of the Insider behind the keyboard. This person is Ignorant, impatient and gullible. They fall prey to social engineering tactics and phishing e-mails used by cyber criminals. Insiders tend to be too trusting and that introduces significant security risks to businesses.
Measurable Damage From Data Breaches
A 2017 report that was released from Cisco concerning damages from data breaches provides insights based on threat intelligence gathered by Cisco's security experts, combined with input from nearly 3,000 Chief Security Officers (CSOs) and other security operations leaders from businesses in 13 countries.
According to the report, organizations that suffered a breach, the effect was substantial: 22% of breached organizations lost customers, 40% of them lost more than a fifth of their customer base, 29% lost revenue, with 38% of that group losing more than a fifth of their revenue, and 23% of breached organizations lost business opportunities, with 42% of them losing more than a fifth of such opportunities.
Some examples of Data Breaches
(A) DC Metro Transit Cop Appears In Court for Allegedly Trying to Assist ISIS - August 3, 2016 http://abcnews.go.com/US/dc-metro-transit-cop-appears-court-allegedly-assist/story?id=41089376
(B) Fatal Descent Of Germanwings Plane Was ‘Deliberate,’ French Authorities Say - March 26, 2015 http://www.cbsnews.com/news/doctors-felt-germanwings-co-pilot-andreas-lubitz-unfit-to-fly-prosecutor-says/
(C) NSA Contractor Allegedly Stole 50 Terabytes Of Data Over 20 Years - October 20, 2016 https://www.washingtonpost.com/world/national-security/government-alleges-massive-theft-by-nsacontractor/2016/10/20/e021c380-96cc-11e6-bb29-bf2701dbe0a3_story.html
(D) Software Developer Outsourced Job To China Over VPN - January 16, 2013 https://www.theguardian.com/world/2013/jan/16/software-developer-outsources-own-job
(E) Tesla Sues Former Employee For Stealing 'Hundreds Of Gigabytes' of Data - January 27, 2017 http://www.pcmag.com/news/351365/tesla-sues-former-employee-for-stealing-hundreds-of-gigabyt
So what can businesses do about Insider Threats?
Although technology can play an important role in identifying potential insider threats, it is not just an IT issue. It takes an organization-wide approach that includes plan for, prevent, detect, respond to and recover from insider threats. Managing insider threat risk should be part of a holistic corporate security program, from both information security and physical security perspectives.
Make your employees the first line of defense
- Educate them on spotting suspicious behavior; and treat them fairly
- Set clear policies including defining what activities are permitted in your network and which ones are not
- Cyber Security Awareness and Insider Threat Awareness Training in many organizations are a once a year activity, or in some organizations non-existent. Make sure these trainings are regularly conducted
Pay attention to your employees behavior and threat indicators at work
- Are they working odd hours, late night, weekends? Do they remotely access servers, database, applications while on vacation?
- Are they attempting to bypass security controls?
- Look out for visible disgruntlement towards co-workers and employer
- Looks for patterns of frustration and disappointment
- Signs of vulnerability, such as drug or alcohol abuse, financial difficulties, gambling, illegal activities, poor mental health or hostile behavior, should trigger concern
Prioritize your Assets
- Concentrate monitoring resources where it matters
- Many companies have ‘BYOD’ policy. This is not a great practice and these devices must be monitored carefully
- Once a person leaves the organization make sure their machines/devices are formatted and all data cleaned up before the asset is handed over to another employee
Know and Monitor your Network
- Monitor the network continuously use tools that can identify trends in access pattern and flag such cases
- Baseline normal behaviors on network; look for anomalies
- Monitor social media activities of employees particularly the ones serving notice period and immediately after they have left
- Have they joined a competitor or ventured into a similar business?
- Separate duties for key functions. Not every employee needs access to every piece of data, so segment your networks and restrict privileges to ensure that employees can access only files and applications they need
- For example, your accounts department probably has no need to access project files and employees in one country may not be legally allowed to access customer data from another country
- You can also assign specific roles to employees with identity management or data-labeling tools. The larger the company, the more likely it will need all of these controls
- Try granting least privileges and put audit and control mechanism in place. Authorize users based on least access privilege and conduct periodic audits to detect inappropriately granted access or access that still exists from previous job roles/functions and should be removed