Unwitting attacks from the inside

Accidents and carelessness cause the majority of cyberattacks


Apparently, businesses in North America lag a little -- actually a lot -- behind global organizations when it comes to protecting themselves against cyberattacks. That's according to a new report from Kaspersky Labs.

The report found, "20% of global enterprises suffered four or more data breaches in the past year, while North American businesses suffered twice the amount at 44%."

Other interesting highlights available include:

  • In just the last 12 months, 43% of businesses on a global scale experienced data loss as a result of a breach
  • Two top causes of serious data breaches North American businesses experienced were related to employee mistakes:
    - 59%: uninformed employee actions
    - 56%: phishing/social engineering
  • 52% of organizations in North America face challenges understanding how to address mobile security threats, such as inappropriate usage or sharing data via mobile

The numbers are staggering and only likely to grow in 2017 as we continue to move away from traditional network perimeter security. 

In most organizations there are some careless users, and others might simply not be paying attention. Regardless of the reason, end users are clicking links, visiting blocked websites, and even putting sensitive information into emails.

Unfortunately, non-malicious insiders are creating most of the alerts that overwhelm security teams, making the insider threat problem a challenge unless you understand behavior, said Steven Grossman, vice president of strategy and enablement at Bay Dynamics.

Yes, accidents happen, but there are also people intending to do harm. "These malicious insiders are either insiders or third-party contractors trying to steal data or impact the company by stealing money or cracking systems," Grossman said.

Still another potential threat is the malicious insider that could actually be a compromised account. "Once somebody breaks in, they are on the network and look like any other user," Grossman said.

Many teams continue to struggle with looking at behaviors and alerts, particularly because the legitimate threats represent only a small number of the alerts.

One strategy is pure analysis. "Everybody is exhibiting the same behavior. They are most likely non-malicious repeat offenders, and this repeat behavior is likely the only way they can get their jobs done," said Grossman.

Here are five easy steps Grossman offered to stop insider threats before it’s too late:

  1. Know where your critical assets are. The heart of a risk management approach is understanding what you are protecting.
  2. Reduce risk, reduce noise. Identify non-malicious insiders and train those who are careless. When you train them on what they are doing and why it is bad with policy-specific training, you will see tremendous results (upwards of an 80% drop in only three months). Fixing those broken business processes will minimize non-malicious alerts so that the malicious ones stand out more.
  3. Manage access privileges. Granting only the least privileges needed will help you contain whatever damage there is from compromised accounts. Make sure users don’t have anything that’s not necessary for them.
  4. Pay extra attention to high-risk populations. Who are your high-risk users? Third parties and contractors. They are less dedicated to the company. Because they are accessing things outside the walls of your environment, it's not easy to understand their behavior. If they’re not a contractor operating on your network on your premises, it is hard to determine the behavior, so you need to connect the dots. Also look at those who have handed in a resignation letter.
  5. Involve critical contacts for better context. Application security owners are critical points of contact for understanding the context for an application. SOC operators don’t have the business context to understand it. Involve people on the business side and application security owners to understand what behavior is unusual or not in the context of the business.
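As an added illustration of how steps 1, 2 and 4 combine in practice (this is example code written for this page, not Grossman's or Bay Dynamics' method), the script below takes a constructed set of policy alerts, treats any policy that most users trip as a broken business process to fix with training rather than investigate, and ranks what remains by whether it involves a high-risk population or a critical asset. The asset names, populations, policy names and the 50% noise threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample alerts (hypothetical, not from the article):
# (user, population, asset touched, policy that fired)
ALERTS = [
    ("alice", "employee",   "wiki",        "sensitive_data_in_email"),
    ("alice", "employee",   "wiki",        "sensitive_data_in_email"),
    ("bob",   "employee",   "crm",         "sensitive_data_in_email"),
    ("bob",   "employee",   "crm",         "blocked_website"),
    ("erin",  "employee",   "wiki",        "sensitive_data_in_email"),
    ("erin",  "employee",   "wiki",        "blocked_website"),
    ("frank", "employee",   "crm",         "blocked_website"),
    ("carl",  "contractor", "payroll-db",  "off_hours_access"),
    ("dana",  "resigning",  "source-repo", "bulk_download"),
    ("dana",  "resigning",  "wiki",        "sensitive_data_in_email"),
]

CRITICAL_ASSETS = {"payroll-db", "source-repo"}      # step 1: know what you protect
HIGH_RISK_POPULATIONS = {"contractor", "resigning"}  # step 4: contractors, resignations
NOISE_THRESHOLD = 0.5  # assumption: a policy half the users trip is a process problem


def noise_policies(alerts, threshold=NOISE_THRESHOLD):
    """Step 2: policies tripped by most users are repeat, non-malicious behaviour.
    Returns that set; these are candidates for training or a process fix."""
    users_per_policy = defaultdict(set)
    for user, _, _, policy in alerts:
        users_per_policy[policy].add(user)
    total_users = len({a[0] for a in alerts})
    return {p for p, users in users_per_policy.items()
            if len(users) / total_users >= threshold}


def score(alert, noise):
    """Weight one alert: rare policy, high-risk population, critical asset."""
    _, population, asset, policy = alert
    points = 0
    if policy not in noise:
        points += 2
    if population in HIGH_RISK_POPULATIONS:
        points += 2
    if asset in CRITICAL_ASSETS:
        points += 2
    return points


def triage(alerts):
    """Return (noise policies, distinct alerts worth an analyst's time, highest first)."""
    noise = noise_policies(alerts)
    ranked = sorted(set(alerts), key=lambda a: (-score(a, noise), a))
    return noise, [a for a in ranked if score(a, noise) > 0]
```

On the constructed data, both e-mail and blocked-site policies are classed as noise, and only the contractor touching the payroll database and the resigning employee's bulk download are left for the SOC.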

This article is published as part of the IDG Contributor Network.