Defend Against Insider Threats from Remote Workers


The dramatic increase in telework and the transition to cloud-based applications means more people are working from remote locations on personal and company-provided devices. Security and IT teams have adjusted their strategies to contend with these changes, but one area that is often underestimated is the potential impact of insider threats. Remote work isn't likely to go away any time soon. In fact, 54% of employed adults who say that their job responsibilities can mostly be done from home say that they want to work from home all or most of the time when the coronavirus pandemic is over.

Businesses face significant risks from insider threats, but damage from insider sources can be difficult to track down because these threats cover such a wide range of behaviors and motives. It's even more difficult when employees aren't on site. Threats might come from a disgruntled staffer who wants to disrupt operations, an employee who sells customer data to get some extra cash, or a careless co-worker who ignores a company policy.

Technically, an insider threat is the potential for an insider to use their authorized access or specialized understanding of an organization to disrupt or harm the business. Insiders aren't limited to employees; they can be anyone who has access to your systems or data, including former employees, contractors, suppliers and even board members. Even family members who share a house with a remote employee have the potential to see or access systems they shouldn't. Insider threats fall into three general groups.

  • Non-malicious or accidental threats come from well-intentioned employees who don't necessarily realize they've exposed the company to risk. Under pressure to get something done quickly, they may do things they know they shouldn't, such as opening a back door to reach resources or pushing documents or data onto a server not controlled by IT. Compromises also arise from simple carelessness or mistakes, such as temporarily turning off a security tool and forgetting to turn it back on, or clicking on malicious links.
  • Malicious threats often come from people who leave a company and take intellectual property with them, such as salespeople who take their leads or software engineers who walk off with source code. Third parties with special access, such as companies working on system integrations, can also be insiders.
  • Advanced threats are often related to organized crime or nation-state sponsored activity. Insiders may steal intellectual property or data on behalf of a third party for financial gain.

Insider threats are on the rise. Some of this trend may be because more insider breaches are being reported, as historically, these compromises weren't made public. But whether motivated by money or sabotage, insider threats now make up about 30% of breaches.

Defending Against Insider Threats

When it comes to insider threats, the goal needs to be to deter, detect, and disrupt. Deterrence starts with clear policies and training for all employees, contractors, and other authorized personnel. Protective security needs to be set up both internally and externally. These activities can be performed without incurring a lot of overhead; they don't have to turn into a massive burden to the security operations center or compliance team.

As for disrupting threats, you don't want to wait until a seemingly benign configuration issue turns into external access, because at that point a malicious actor can simply grab the data and run. Early detection and response are key. It's good practice to work with your security vendor to make sure your configurations don't drift from their approved baseline over time.
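The drift check described above, as an added example that is not code from the original article or from any vendor's product: it compares a current rule set against an approved baseline and flags rules that were added or removed, rating a new rule as high severity when it opens an administrative port to any source. The rule format, the rule names and both rule sets are constructed for the example; the administrative port list is an assumption you would tune to your own environment.

```python
"""
Configuration-drift check: compare current firewall rules against an approved
baseline and flag the drift, with extra severity for rules that expose
administrative ports to the whole Internet.
Added example; rule format and sample data are constructed, not any vendor's.
"""
from dataclasses import dataclass

# Assumed list of ports that should never be reachable from any source.
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR; "0.0.0.0/0" means any source
    dst: str
    port: int


def parse_rules(text):
    """Parse 'name action src dst port' lines; blank lines and # comments are ignored."""
    rules = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, action, src, dst, port = line.split()
        rules.add(Rule(name, action.lower(), src, dst, int(port)))
    return rules


def exposes_admin_port(rule):
    """True when the rule allows an administrative port from any source."""
    return rule.action == "allow" and rule.src == "0.0.0.0/0" and rule.port in ADMIN_PORTS


def check_drift(baseline_text, current_text):
    """Return a list of (severity, message) findings; empty means no drift."""
    baseline, current = parse_rules(baseline_text), parse_rules(current_text)
    findings = []
    # Rules that appeared since the baseline was approved.
    for rule in sorted(current - baseline, key=lambda r: r.name):
        if exposes_admin_port(rule):
            findings.append(("HIGH", f"unapproved rule {rule.name} allows "
                                     f"{ADMIN_PORTS[rule.port]} from any source"))
        else:
            findings.append(("MEDIUM", f"unapproved rule {rule.name}"))
    # Approved rules that have disappeared (a missing deny-all is a classic).
    for rule in sorted(baseline - current, key=lambda r: r.name):
        findings.append(("MEDIUM", f"approved rule {rule.name} has been removed"))
    # Approved rules that are themselves too permissive: the baseline needs review.
    for rule in sorted(current & baseline, key=lambda r: r.name):
        if exposes_admin_port(rule):
            findings.append(("HIGH", f"approved rule {rule.name} allows "
                                     f"{ADMIN_PORTS[rule.port]} from any source"))
    return findings


# Constructed sample rule sets.
BASELINE_RULES = """
# name     action src           dst            port
web-in     allow  0.0.0.0/0     10.0.1.10/32   443
vpn-ssh    allow  10.8.0.0/16   10.0.1.0/24    22
deny-all   deny   0.0.0.0/0     0.0.0.0/0      0
"""

CURRENT_RULES = """
web-in     allow  0.0.0.0/0     10.0.1.10/32   443
vpn-ssh    allow  10.8.0.0/16   10.0.1.0/24    22
tmp-rdp    allow  0.0.0.0/0     10.0.1.20/32   3389   # "temporary" rule nobody removed
"""

if __name__ == "__main__":
    for severity, message in check_drift(BASELINE_RULES, CURRENT_RULES):
        print(f"[{severity}] {message}")
```

Run on a schedule against exported configurations, a non-empty result is the early warning the paragraph describes: the rule set has drifted, and the severity tells you whether the drift already amounts to external access.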

Insider Threats and the Cybersecurity Framework

The cybersecurity framework from the U.S. National Institute of Standards and Technology (NIST) provides a common language for discussing security. It offers a comprehensive inventory of every major step in the security life cycle: identify, protect, detect, respond, and recover. Each step should be viewed from the perspective of insider threats.

Identify: The security operations center needs to have an understanding of what assets they have and what state they're in. Network access control also can be used for discovery of who and what is on the network.

Protect: The zero-trust model assumes no implicit trust: no user or device is trusted because of where it sits on the network, and people aren't given access to resources they don't need. Least privilege and role-based access control can be paired with network segmentation to reduce the risk. Protection also includes training and making sure that users understand their part in keeping software updated. IT staff need to keep up with patches and manage server, router, firewall, and application configurations as well.

Detect: Continuous monitoring needs to be in place to detect anomalies and to monitor policy compliance. Threat intelligence can keep everyone updated on the tactics attackers are using. Knowing what they do and when they do it makes it easier to recognize suspicious activity and to take the next steps. Behavioral monitoring through user and entity behavior analytics (UEBA) involves profiling what's normal for each user so you recognize when something isn't normal. Detection can also include deception technology, such as decoy systems and honeytoken files, to catch people who are trying to access unauthorized systems and data.
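As an added example of the UEBA and deception points above (not code from the original article or any vendor's product), the block below learns a per-user baseline of login hours, source countries and download volume from a training window of access records, then scores new records against it and also flags any access to a decoy honeytoken resource. The record layout, the user names, the resource paths and all events are constructed for the example; the thresholds (one hour of slack, three standard deviations) are assumptions to tune.

```python
"""
Minimal user and entity behavior analytics (UEBA) baseline plus a honeytoken check.
Added example; the record format and all events are constructed, not a real schema.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed records: (user, timestamp, source_country, bytes_downloaded, resource)
BASELINE_EVENTS = [
    ("alice", "2021-03-01T09:12:00", "US", 12_000, "crm/leads"),
    ("alice", "2021-03-02T10:05:00", "US", 15_000, "crm/leads"),
    ("alice", "2021-03-03T08:58:00", "US", 11_000, "crm/accounts"),
    ("alice", "2021-03-04T11:20:00", "US", 14_000, "crm/leads"),
    ("alice", "2021-03-05T09:40:00", "US", 13_000, "crm/leads"),
    ("bob", "2021-03-01T14:00:00", "DE", 500_000, "git/repo-a"),
    ("bob", "2021-03-02T15:30:00", "DE", 520_000, "git/repo-a"),
    ("bob", "2021-03-03T13:45:00", "DE", 480_000, "git/repo-b"),
    ("bob", "2021-03-04T16:10:00", "DE", 510_000, "git/repo-a"),
    ("bob", "2021-03-05T14:25:00", "DE", 495_000, "git/repo-a"),
]

NEW_EVENTS = [
    ("alice", "2021-03-08T09:30:00", "US", 12_500, "crm/leads"),      # normal
    ("alice", "2021-03-08T02:15:00", "RU", 2_400_000, "crm/leads"),   # off-hours, new country, bulk export
    ("bob", "2021-03-08T14:05:00", "DE", 505_000, "git/repo-a"),      # normal
    ("bob", "2021-03-08T14:07:00", "DE", 2_000, "finance/q4-board-deck.xlsx"),  # decoy file opened
]

# Decoy resources that no legitimate workflow touches (deception technology).
HONEYTOKENS = {"finance/q4-board-deck.xlsx"}


def build_profiles(events):
    """Per-user baseline: hours and countries seen, mean and std dev of download size."""
    hours, countries, volumes = defaultdict(set), defaultdict(set), defaultdict(list)
    for user, ts, country, nbytes, _resource in events:
        hours[user].add(datetime.fromisoformat(ts).hour)
        countries[user].add(country)
        volumes[user].append(nbytes)
    return {
        user: {
            "hours": hours[user],
            "countries": countries[user],
            "mean_bytes": mean(volumes[user]),
            "std_bytes": pstdev(volumes[user]),
        }
        for user in hours
    }


def score_event(profile, event):
    """Return (score, reasons); each deviation from the baseline adds one to the score."""
    user, ts, country, nbytes, resource = event
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    # Assumed tolerance: one hour either side of any hour seen in the baseline.
    if not any(abs(hour - h) <= 1 for h in profile["hours"]):
        reasons.append("off-hours login")
    if country not in profile["countries"]:
        reasons.append(f"new country {country}")
    # Volume z-score; a zero-variance baseline would otherwise divide by zero.
    std = profile["std_bytes"] or 1.0
    z = (nbytes - profile["mean_bytes"]) / std
    if z > 3:
        reasons.append(f"download volume {z:.0f} sigma above normal")
    if resource in HONEYTOKENS:
        reasons.append(f"honeytoken {resource} accessed")
    return len(reasons), reasons


def find_anomalies(baseline, new_events, threshold=1):
    """Return [(user, timestamp, reasons)] for events scoring at or above threshold."""
    profiles = build_profiles(baseline)
    hits = []
    for event in new_events:
        profile = profiles.get(event[0])
        if profile is None:
            hits.append((event[0], event[1], ["no baseline for user"]))
            continue
        score, reasons = score_event(profile, event)
        if score >= threshold:
            hits.append((event[0], event[1], reasons))
    return hits


if __name__ == "__main__":
    for user, ts, reasons in find_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Note that the honeytoken hit scores on a single reason while the bulk export scores on three; in practice you would weight the reasons rather than count them, and a user with no baseline at all (a new hire, or a dormant account that suddenly wakes up) deserves its own triage queue rather than being dropped.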

Respond: You should have a response plan ready to go that includes a playbook for insider threats. Endpoint security tools that retain a history of endpoint activity build your forensic capability by letting you look back in time. By sifting through traffic and logs, you can reconstruct what happened and automate actions based on that information, such as cutting off and isolating problematic endpoints. You can also build playbooks coupled with orchestrated actions so that responses are prescriptive rather than improvised.

Recover: Automated disinfection and remediation require planning. You may need to take a rollback-and-restore approach or reprovision endpoints. The key is to get back up and running as quickly as possible to minimize business disruption.

Technology Can Help

As noted, insider threats are particularly difficult to detect when you have a remote and distributed workforce, so centralized security visibility and management are essential. Threat management strategies should include a deep understanding of insider threats and the situations that give rise to them. That starts with knowing what "normal" looks like at your organization.

When you combine this understanding with technology such as zero-trust access, endpoint monitoring, user behavior analysis, and data-loss prevention controls, you have a better chance of successfully mitigating threats and keeping your critical resources safe. Going further by combining user behavioral data with artificial intelligence can provide even more visibility and more accurate user monitoring on an endpoint-by-endpoint basis.

By using robust technology that offers single-pane-of-glass visibility and control, log aggregation, and security analytics, coupled with detection and response tools, you have the best chance of successfully defending against insider threats.

Discover how Fortinet Teleworker Solutions enable secure remote access at scale to support employees with a wide array of access requirements.


Learn more about Fortinet's free cybersecurity training initiative or about the Fortinet Network Security Expert program, Network Security Academy program, and FortiVet program.

Copyright © 2021 IDG Communications, Inc.