Insider Threat Management – Is Your Data Safe? (Critical Tips)


Insider threat management is critical for protecting sensitive data against theft, misuse, and loss. The privileged access that insiders have gives them the ability to cause significant damage.

The 2020 Ponemon Institute Cost of Insider Threats report found that the average cost per insider incident rose from $8.76 million in 2018 to a staggering $11.5 million in 2020. In this article I will outline the core principles and technologies organizations use to protect sensitive data against insider threats.



What Are Insider Threats?

Insider threats typically fall into one of two major categories: negligent and malicious.

Negligent insider threats

Negligent insiders make up 62% of the attacks reported in the Ponemon report. This type of insider threat can be further categorized into two subtypes: accidental and non-malicious. Accidental insiders unknowingly cause damage through genuine mistakes, whereas non-malicious insiders intentionally break company policies and procedures without malicious intent.   

Negligent insiders are employees that:

Malicious insider threats

Malicious insiders are a serious concern. They typically cause damage to the company through IP theft, sabotage, fraud, and espionage. Their motivations range from a disgruntled employee's desire to cause harm to financial incentives offered by competitors or threat actors that are willing to pay for data.

Malicious insiders are employees that:

  • Sell company IP to competitors for monetary gain
  • Steal PII from company databases and sell it to fraudsters on the internet
  • Are disgruntled and seek to cause damage to their employer by deleting data, breaking equipment, or otherwise sabotaging business processes

Best Practices for Managing Insider Threat Risks

1) Policies & Procedures


Insider threat management is fundamentally a human problem. Policy development is crucial for establishing clear expectations for employees. Employees that are provided with clear guidance will be better prepared to handle sensitive data and systems appropriately.

Core policies and procedures:

  • Credentials management. Procedures and expectations for protecting accounts from unauthorized use. Topics include password management, lockout policies for unattended workstations, and the company’s stance on account/credentials sharing.
  • Acceptable use policy. Guidelines of expected user behavior on company networks. These policies often include disclosures of the technology used to monitor employees for high-risk behavior.
  • Data protection policy. These policies provide insiders with clear behavioral and procedural expectations for accessing, storing, and using protected data.
  • Employee offboarding. Employees that have resigned or have been fired present a high risk to sensitive data. Detailed IT and HR procedures need to be in place to decommission user privileges, closely monitor file transfers, and ensure that disgruntled employees do not become malicious insiders.

2) Insider Threat Management Training

Employees that are fully equipped to recognize and respond to insider threats are valuable assets for protecting sensitive data. Regular training ensures that employees are aware of the potential risks their actions can have. This mitigates the potential for non-malicious insiders to inadvertently put sensitive data in jeopardy with high-risk but well-intentioned behavior.

Critical insider threat training:

  • Regular review of organizational policies and procedures
  • Best practices against common insider threats such as phishing and social engineering
  • Awareness of key indicators of insider threats such as abnormal requests from coworkers, extensive use of data transfer devices (USBs, printers, etc.), and behaviors associated with disgruntled employees

3) Technical Safeguards


A diverse mix of technologies is used to detect, prevent, and remedy insider threat risks. These technologies are generally used to restrict access to data or monitor for high-risk behavior.

Examples of technical safeguards:

  • Employee monitoring software. User behavior analytics establishes a baseline of what is considered normal for the organization. These tools detect anomalous behavior such as large data transfers, attempts to use restricted data storage hardware on company endpoints, and other deviations from expected behaviors.
  • Privileged access management. PAM solutions ensure that accounts with elevated permissions are only given the minimum access required to perform their job functions. These tools are crucial for reducing the potential damage that would be caused by compromised accounts.
  • Data loss prevention. DLP tools and endpoint security software enhance data visibility and restriction capabilities. Common features include identifying high-risk data, preventing unauthorized data transfers, and tracking the lifecycle of protected data.
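
The per-user baseline idea from the monitoring bullet above, as an added example (not CurrentWare's code or any product's logic): each user's daily transfer volume is compared with that user's own median, and removable-storage use outside an allowlist is flagged regardless of volume. The event format, user names, the `USB_ALLOWED` allowlist and the thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed events: (day, user, channel, bytes). Not real telemetry.
EVENTS = [
    ("d1", "alice", "email", 40_000_000), ("d1", "bob", "cloud", 900_000_000),
    ("d2", "alice", "email", 55_000_000), ("d2", "bob", "cloud", 1_100_000_000),
    ("d3", "alice", "cloud", 35_000_000), ("d3", "bob", "cloud", 950_000_000),
    ("d4", "alice", "email", 60_000_000), ("d4", "bob", "cloud", 1_000_000_000),
    ("d5", "alice", "email", 45_000_000), ("d5", "bob", "cloud", 1_050_000_000),
    ("d6", "alice", "cloud", 900_000_000), ("d6", "bob", "cloud", 1_200_000_000),
    ("d6", "carol", "usb", 5_000_000),
]
USB_ALLOWED = {"bob"}  # hypothetical allowlist of users permitted removable storage


def daily_totals(events):
    """Sum transferred bytes per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, _channel, size in events:
        totals[user][day] += size
    return totals


def detect(events, today, k=6.0, min_history=5):
    """Return sorted alerts (user, rule, observed_bytes, threshold) for `today`."""
    alerts = []
    for user, days in daily_totals(events).items():
        history = [v for d, v in days.items() if d != today]
        if today not in days or len(history) < min_history:
            continue  # no baseline yet, so the volume rule cannot judge this user
        med = median(history)
        mad = median(abs(v - med) for v in history)  # robust spread of past days
        # The floor on MAD keeps a very flat baseline from alerting on noise.
        threshold = med + k * max(mad, 0.05 * med)
        if days[today] > threshold:
            alerts.append((user, "volume", days[today], round(threshold)))
    # Device rule is independent of volume: any unapproved removable-storage use.
    for day, user, channel, size in events:
        if day == today and channel == "usb" and user not in USB_ALLOWED:
            alerts.append((user, "restricted-device", size, 0))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(EVENTS, "d6"):
        print(alert)
```

On the sample data, bob moves more bytes than alice on the final day but stays within his own baseline, so only alice's volume and carol's device use are reported.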

4) Remote Workforce Considerations


Insider threat risks have been compounded by the sudden rise in mandated remote work. Companies that were ill-prepared for the transition may lack the data protection infrastructure to maintain visibility while employees work off-site. Increased employee stress from the pandemic, layoffs, and sudden drastic change are also likely to contribute to an increase in insider threat risks.

Remote workforce security tips:

  • Limit personal device use. An employee’s personal device cannot be monitored and managed as thoroughly as company-provided devices. This lack of visibility reduces the organization’s ability to identify and manage insider threat risks.
  • Restrict cloud data access. Organizations that shift from on-premises to cloud-based data access need to ensure that privileged access management remains in place for these new platforms.
  • Update data protection policies. Security policies need to be current and relevant for a remote workforce. Organizations must address remote-specific considerations such as prohibiting the use of insecure public networks and outlining remote data access procedures.

5) Protect Data During Employee Offboarding


The employee offboarding process presents significant data security risks. Employees have intimate access to corporate data, insider knowledge of the organization’s systems, and a level of trust that can allow them to steal data undetected.

  • 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement
  • 88% of IT workers have stated that they would take sensitive data with them if they were fired
  • 72% of CEOs admit they’ve taken valuable intellectual property (IP) from a former employer
  • 50% of respondents in a Symantec survey say they have taken information, and 40% say they will use it in their new jobs

These vulnerabilities need to be addressed as part of any insider threat management program.


Insider threat management is not strictly a technical problem. An effective strategy combines technical solutions with administrative safeguards such as employee awareness, organizational best practices, and policy enforcement. It must also recognize the unique vectors used by negligent and malicious insiders to compromise sensitive data and manage those risks accordingly.

Dale Strickland
Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.