News of a data breach at the UK software company Sage is a reminder of the potential damage which can be done by an insider. Sage is a FTSE 100 company and provides business management software for companies in 23 countries. It has reported the breach to the City of London police and has informed customers who they believe may have been affected that the personal informaton of employees at 280 firms may have been compromised by someone using an internal computer login.
The insider threat can take the form of malicious and non-malicious activity. From an attacker (or attackers) with inside access who are consciously stealing or using internal information for their own gain and / or to harm the organisation, to an individual accidentally emailing information to the wrong recipient or leaving documents on a train. Research suggests that the malicious insider is the most costly threat facing organisations.
What can your company do the mitigate the insider threat?
- Access to information should be based on the principle of ‘need to know‘. Ensure that this is in place with an access rights review and set up procedures to make sure that IT is informed, and amends access accordingly, when employees move jobs or leave the organisation. Data should be segregated, with network segregation at least according to department.
- Train employees in cybersecurity, instilling them with an understanding of the threats and of the impact that their behaviours can have on keeping information safe.
- Situational awareness is important on an organisational, as well as individual, level. Participate in threat sharing communities if at all possible. Communicate with peers to develop and maintain awareness of the threats which they are managing and consider what this means for you. Remain aware of current cybersecurity threats hitting the headlines.
- Look at your password policy, and practices of employees. Do people leave passwords on post-it notes on their desks, or share them with colleagues? If so, this increases the potential for unauthorised insider access and could be an indication that you should simplify your approach to passwords.
- Consider your other cybersecurity policies. Have you clearly and concisely communicated how you expect employees (and anyone else with access) to handle information? How are the policies communicated and enforced? It’s really important to understand where people find workarounds in the policies and procedures – what they routinely don’t comply with as a means of getting their job done. These workarounds shows where policies and procedures are hindering the business and inducing risk. Work with the business to address these in a proportionate way – how can you find a balance that enables people to get their job done whilst maintaining security of information?
- Review how employees and contractors access your network. Remote working and Bring Your Own Device (BYOD) open up new risks and so you may need to consider how you can support flexible working whilst minimising those risks.
- Encrypt data at rest and in transit. Don’t make it easy for unauthorised people to access and view data.
- Look at your personnel and physical security. How easy would it be for an attacker to take advantage of an internal weakness, such as tailgating, poor CCTV or a lax approach to wearing name badges? A social engineering test is a good way of attaining an ‘attacker’s eye view’ of your organisation.
- Keep logs. Many organisations don’t make this a priority, and whilst logs of course will not protect you from the insider threat, they will provide an audit trail to help you unpick what has happened and provide supportng evidence in a criminal trail, should it come to that.
- Have an incident response plan, which outlines roles, responsibilities and avenues of communication – and test it. Again, an incident response plan will not protect you from the insider threat, but it will enable you to respond as quickly and effectively as possible. However, it will only do this if you test it to ensure that when you really need it, the theory works in practice.
Some of these tips are aimed at minimising the insider threat, whilst others are about managing an incident should one occur. Ponemon’s latest data breach report highlighted that having an incident response team, extensive use of encryption, employee training, participation in threat sharing or business continuity management decreased the per capita cost of a data breach.
Finally, remember that the definition of an insider threat is not limited to employees, but rather relates to anyone (employees, contractors, third-part suppliers) who accesses your information or networks.