• United States



How to spot and prevent insider threats

Jun 28, 20177 mins
Access ControlData and Information SecurityIdentity Management Solutions

Are departing employees taking data with them? Here’s what you need to know to better protect your enterprise network and proprietary information from insider threats.

04 insider threat
Credit: Thinkstock

In June, Netherlands-based web hosting provider Verelox had to completely shut down its services, preventing customers from accessing their data and virtual servers.

Was this another example of ransomware? An outside hacker up to mischief? Nope. The company’s headaches were caused by a disgruntled ex-employee who “deleted all customer data and wiped most servers,” according to Verelox, as quoted in International Business Times.

Fortunately, Verelox bounced back a few days later, without losing any important data. But many similar incidents don’t have such a positive outcome. And experts say the insider threat to corporate data is growing. Here’s what you need to know about detecting insider threats—and how to minimize the risks.

Setting the stage for insider threat

Fluid workforces, with countless contractors scattered globally, combined with a growing dependency on cloud services as well as BYOD devices, are ushering in a new era of insider threat-related security risks, notes Rich Campagna, SVP of product for cloud access security broker Bitglass.

Remote workers in particular can pose a growing threat, adds Mike McKee, CEO of ObserveIT, an insider threat monitoring and analytics software provider. “One executive told me his company has 1,000 developers in India who have the company’s source code, not to mention 500 contractors in China, and it’s hard to accurately know what the risk is,” he says. McKee adds that remote workers in home offices could be more tempted to sell or exploit a company’s proprietary information, vs. employees surrounded by colleagues in a corporate office.  

At the same time, companies are storing more data in the cloud, and the more data that’s out there, the higher your risk of data theft. “The marginal cost of storage is essentially zero today, so organizations have little incentive to delete data,” notes Merritt Maxim, senior analyst, security and risk, for research firm Forrester. “So they just store everything. That means there is more potential data available to steal.”

Plus, with all the money to be made on the dark web selling user names and passwords, not to mention the growing value of source code and other intellectual property, there’s plenty of reason to be concerned about data theft by former or exiting employees. Security firm Flashpoint identified a software company employee who attempted to sell source code for about $15,000, PCWorld reported.

Of course, not all insider threats are malicious. “We’ve seen new employees come on board that still have access to their previous employer’s email system on their personal devices,” Campagna says, noting the role BYOD can play in inadvertent insider data leaks.

The insider threat is real

Data theft by departing or current employees is a growing (and potentially costly) problem, as research shows. 

In a 2017 survey of security professionals from Haystax Technology, 56 percent of respondents said insider threats have grown more frequent in the past year. And 75 percent of respondents believe the costs of insider breach remediation could reach $500,000.

According to a 2016 IBM study, insiders are responsible for 60 percent of all data breaches. Of those breaches, 75 percent were done with malicious intent and 25 percent were accidental. A 2017 Verizon survey puts the number of insider-led data breaches even higher, at 77 percent.

Accenture’s 2016 “State of Cybersecurity and Digital Trust” survey found that insider data theft and malware attacks are the top concerns of enterprise security executives. Most respondents, 69 percent, said their company had experienced an attempted or successful theft (or corruption of data) by insiders within the prior 12 months.

More than 1 in 4 respondents to a 2015 Biscom survey admitted taking data when they left a company. Of those, 85 percent said they took materials they created and didn’t feel it was wrong. And 95 percent of those who took data said it was possible because their employer didn’t have the tools or policies to prevent them, or that if their company did have policies, they ignored them. (Biscom is a secure file sharing service provider.)

3 things you can do to prevent insider threats

Automate the process of wiping devices

Many enterprises use Microsoft’s Active Directory (AD) service for centralized user account management, says Campagna. When an employee departs, someone in HR typically deactivates that employee’s AD record, he explains. That deactivation should serve as a trigger to automatically wipe the data off the exiting employee’s devices, he adds. But too often that process is done manually, for various and often complex reasons.

But Campagna encourages enterprises, whenever possible, to use mobile device management, identity systems, and other security tools that automatically sync to AD to trigger automatic data wipes. This can help prevent departing users from continuing to access company data, especially on cloud services that don’t require users to log out periodically. For example, if due diligence isn’t performed, an employee might continue using his or her company email account for days, if not weeks, after leaving.

Automation is key to minimizing the insider threat of a former employee, Maxim agrees. “This is where identity management solutions come into play because they can automate the de-provisioning process to ensure that users are removed from systems when they leave the company.”

Maxim adds that such solutions “must still be accompanied by strong internal governance, such as internal audits to verify that the accounts were actually removed and that there is accountability to identify and correct gaps in the system, such as managers who don’t follow the off-boarding process in a timely manner. Two-factor authentication can also help by making it harder to crack back into systems.”

Ideally, teams across your organization should collaborate to identify insider threats and prevent them from happening, advises Ryan LaSalle, the Global Managing Director of Growth and Strategy at Accenture Security.

“The first step is to know your users,” LaSalle says. “Who are they? What are their roles? What should they be doing? Knowing your users and what access they should have, what normal looks like for them, is one of the biggest steps you can take to protect yourself.”

Next, know your data, LaSalle continues. “Where is it? Who has access to it? What’s its value? If you know its value, you can better identify risks and put better protections around it.”

Finally, collaborate with HR, legal and business management to better connect the dots between your security monitoring tools and what’s going on in your business.

“Security teams don’t usually have the context of what the users should be doing,” LaSalle explains. “And business managers don’t usually understand the risks that security is trying to defend against.” That’s why it’s important to have these teams work together to get the big picture, he says.

Don’t forget the human element

“So much of IT security is about machines, IP addresses and networks—and not people,” notes McKee. “Don’t forget that there’s a person involved in every data breach, and understanding what they did before and after that breach is important, so you can be predictive and proactive instead of just being reactive.”

It’s essential for managers to stay close to their direct reports, Lasalle adds. “Managers are more likely to know when employees are disgruntled or under financial duress or are getting ready to leave, and all of those can be insider threat predictors. Your managers should be your first line of warning against those threats.”

Related reading: