The pervasiveness of the insider threat is something every company worries about. And according to the conclusions reached by Dtex Systems based on threat assessments from several global organizations, 100 percent of companies have blind spots that enable the continued presence of the insider threat.
No argument there.
Every company that provides their employees with decision-making authorities gives their employees the power to make decisions that undermine the company. What stops wholesale anarchy are unified goals, awareness training, and, above all, trust. There doesn’t exist a company that can bring the insider threat down to zero percent. But there are many that bring it close to zero.
The Dtex 2018 Threat Report serves to bring to the forefront those areas where companies, and that is every company, big or small, can invest their resources to bring down the threat posed by their trusted insiders.
Clearly, visibility on the need to focus on basic cybersecurity 101 is required. Richard Stiennon, IT-Harvest Chief Research Analyst and Charles Stuart University Lecturer, tells us, “Business needs to get out of the cybersecurity denial phase it is stuck in. To do this, it must accept that it needs more visibility into what’s going on in its environment.”
Highlighted is the statistic that indicates third-party cloud storage is being misconfigured, allowing the public to access the information. Not just a few of the respondents, but 78 percent of the respondents say this has happened to them. We intellectually understand the downside when customer data goes flying out the proverbial cloud-window – “Houston, we have a problem.”
Now, think about the effect on the protection of trade secrets and intellectual property exposure. Call your legal team, and ask them about the piercing of the trade secret protection when information isn’t afforded the required safeguards. This may incentivize those setting up cloud-based storage to pay closer attention, especially if it means the company’s viability.
The Dtex information shows us 90 percent of all assessments were transferring data to un-encrypted and unauthorized USB devices (phones, USB, data cards, etc.), proving once again, that convenience will always trump security. Perhaps epoxying all USB ports is a solution, or maybe providing encryption capability for storage of all company data is another. But if you think policy decrees will stop the employee from doing what they need to do to get their job done will stop this issue, then please allow me to sell you what is behind door number three.
Which brings us to the crux of the issue when dealing with the insider threat.
Should we distrust our employees?
They are your colleagues. You hired them. Do you hire untrustworthy employees? Probably not.
Dtex CEO Christy Wyatt commented, “While malicious users are always looking for new ways to defy security controls, not all internal risk comes from bad intent. Trusted employees don’t always understand when they are engaged in damaging activities and can fall prey to bad actors looking to steal their credentials. The lack of visibility into all types of user behaviors is creating employee-driven vulnerability problems for every business.”
As a former career intelligence officer who specialized in human intelligence, I know the human factor has always been the work-around to render ineffective technological defenses.
The insiders who are compromising companies come in two flavors – those who are acting in a malevolent manner and those whose actions put the company at risk in an unwitting manner.
The former is far more dangerous than the latter.
Interestingly, the Dtex assessments show an increase in the seemingly sophomoric revenge attacks where an individual in effect DOXs their colleagues (provide personal identifying information on their colleague in a public forum), which causes the individuals' inbox, voicemail, and other means of communication to be overwhelmed (think DDoS on a personal level).
And not surprisingly, 67 percent of the assessment reported the malicious employees engaging in risky behavior, which puts their devices at greater risk than those who don’t visit porn and gambling sites.
What’s missing?
What is missing from this report are the number of instances where an insider voluntarily opts to break trust with their employer. Revenge or greed are two primary motivators for such behavior. This might be a good question for the next survey.
We read about these on a regular basis; indeed this blog is titled, “The Trusted and Valued Insider (Threat)” for a reason. These individuals are the ones who have staying power and are the ultimate insider threat.
To that end, if a person has natural access and doesn’t trigger any of the data loss prevention (DLP) or other safeguards in place by copying, sharing, or printing the information, it will be nearly impossible to catch them in the act unless you have the individual under full-time surveillance.
Education, DLP implementation, timely system updates, and re-validation of employees’ privileged access (within the scope of least privileged access) are all worthy recommendations.
The bottom line, as we said in at the beginning, achieving zero threat that an individual may go sideways is impossible. What is within arms reach of every company is bringing the threat down to a manageable level.
We've got some work ahead of us.