Four Ways to Protect Against Insider Threats
Most cybersecurity defenses and strategies are focused on external threats in an effort to make access costlier for a hacker than the value of what they can obtain. However, developing ways to protect against insider threats is an essential part of an organization’s cybersecurity posture.
The Internal Threat Landscape
Most organizations are focused on the prospect of external threats. Basic security is perimeter-focused, meaning that the primary goal of an organization’s cyber defenses is to prevent the “bad guys” from getting into the protected network, with little or no attention being paid to threats within the network. However, internal threats can be just as dangerous to a company, with almost 60% of data breaches involving intellectual property being caused by an internal threat. Focusing solely on securing the perimeter can be dangerous to organizational cybersecurity and leave the enterprise vulnerable to a variety of internal threats.
Dangers of Focusing Solely on Perimeter Security
The notion of perimeter-focused security has been around since the dawn of recorded history. Most ancient cities had a boundary wall designed to keep “them” out, but the “us” was allowed to largely do as they pleased. However, as the city of Troy learned the hard way, if someone can get inside the defenses, there isn’t much the city can do to defend itself.
Many modern organizations take the same approach to their cybersecurity defenses as these ancient cities. They deploy most, if not all, their monitoring and defensive solutions at the network security level in an attempt to minimize the effect of an attack. This focuses solely on preventing the external attacker from ever gaining access to the internal network. While perimeter defense is important, using this strategy exclusively is only effective if all the malicious actors are outside the protected network.
Types of Internal Threats
Internal threats to network security come in a variety of shapes and sizes. Depending on the sophistication and intentions of the threat, the potential for damage to the organization can vary greatly.
The simplest internal threat to an organization’s network is the clueless employee. An employee with no malicious intent whatsoever can still hurt an organization’s cybersecurity. Over a quarter of data breaches (an estimated 27%) are caused by negligence by employees or contractors.
Malicious insiders are even worse than the naïve employee. Unlike a negligent employee causing damage by accident, malicious insiders deliberately use the access given to them as employees or contractors to steal data or cause damage to the organization’s network.
The final type of internal threat is hackers who were successful in breaching the perimeter defenses and gaining access to the internal network. Like the Greeks in the story of the Trojan Horse, once they’ve gained access to the network, they essentially have free rein to do as they wish if an organization’s defenses are primarily or solely perimeter focused.
Protecting Against Internal Threats
Perimeter-focused cyber defenses are common because they work in most cases and they provide a reasonable level of security in a scalable manner.
Going to the opposite extreme of completely hardening the internal network can be difficult due to the significant impacts on usability and the scale and cost of the operations necessary to maintain and monitor it.
By deploying a few simple internal solutions, an organization can dramatically increase its ability to detect and defeat internal threats. Here are four ways to protect against insider threats without overloading your resources:
Security Awareness Training
One of the most effective methods for breaking through a company’s cyber defenses is social engineering. According to research, 93% of data breaches are linked to phishing and other social engineering incidents. It’s a good idea to step back from the technology and look at your workforce.
Arming your employees to be able to recognize and react appropriately to this type of internal threat is key in fighting the problem. A strong security awareness program can assist you in both understanding your employees’ knowledge in relation to cyberthreats and training those employees to improve their cyber awareness. This, in turn, protects your business.
Internal Network Monitoring
Turning back to technology, the first step in protecting your network against internal threats is ensuring that the network defenders can see the bad actors in action. By deploying the same traffic monitoring, vulnerability scanning, and intrusion detection software used on the perimeter on the internal network as well, an organization can increase the probability of detecting and defeating insider threats without significant use of resources.
In many cases, this could be as simple as configuring tools to no longer ignore internal traffic and allocating sufficient resources to manage the increased load.
Small changes to the organization’s network monitoring strategy can have a significant impact on security.
Access Control Management
Deployment of a strong access control management solution is key to managing internal threats. Every employee should have access to whatever functionality is necessary for the job role and no more. By limiting the power of each user on the network, an organization can increase the difficulty of anyone being capable of doing significant harm to the organization’s network and operations.
An important aspect of a strong access control policy is a regular review of granted permissions. Changes in job roles such as promotions or transfers may require additional permissions but may also mean that certain ones are no longer necessary. These should be removed.
Access of terminated employees or ones facing disciplinary action should be immediately revoked to minimize the potential of a disgruntled employee causing damage or stealing sensitive data in revenge.
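The permission review described above, as an added example that is not part of the original article: a Python script that reconciles the grants actually in place against an HR roster and a role-to-permission matrix (all user names, roles, permissions and records are constructed), flagging for revocation any grant held by a user who is not active, is unknown to HR, or holds a permission the current job role does not justify.

```python
"""Entitlement review: compare granted permissions with what each user's
current job role justifies, and list the grants that should be revoked."""
from dataclasses import dataclass

# Constructed sample data (not from any real organization).
# Job role -> the permissions that role legitimately needs.
ROLE_ENTITLEMENTS = {
    "accountant": {"erp_read", "erp_post_journal"},
    "sales_rep": {"crm_read", "crm_write"},
    "sales_manager": {"crm_read", "crm_write", "crm_export"},
}
# HR system of record: user -> (current role, employment status).
HR_RECORDS = {
    "alice": ("sales_manager", "active"),
    "bob": ("accountant", "active"),      # transferred from sales last month
    "carol": ("sales_rep", "terminated"),
    "dave": ("sales_rep", "suspended"),   # facing disciplinary action
}
# What the identity provider / applications actually grant right now.
CURRENT_GRANTS = {
    "alice": {"crm_read", "crm_write", "crm_export"},
    "bob": {"erp_read", "erp_post_journal", "crm_read", "crm_write"},
    "carol": {"crm_read", "crm_write"},
    "dave": {"crm_read"},
    "eve": {"erp_read"},                  # no HR record at all
}

@dataclass(frozen=True)
class Finding:
    user: str
    permission: str
    reason: str  # "not_in_hr", "inactive_user" or "excess_for_role"

def review_access(hr, role_entitlements, grants):
    """Return the grants that should be revoked, each with its reason."""
    findings = []
    for user, perms in sorted(grants.items()):
        record = hr.get(user)
        if record is None:  # nobody HR knows about should hold anything
            findings += [Finding(user, p, "not_in_hr") for p in sorted(perms)]
            continue
        role, status = record
        if status != "active":  # terminated or suspended: revoke everything now
            findings += [Finding(user, p, "inactive_user") for p in sorted(perms)]
            continue
        allowed = role_entitlements.get(role, set())  # unknown role -> nothing
        findings += [Finding(user, p, "excess_for_role") for p in sorted(perms - allowed)]
    return findings

if __name__ == "__main__":
    for f in review_access(HR_RECORDS, ROLE_ENTITLEMENTS, CURRENT_GRANTS):
        print(f"revoke {f.permission:17} from {f.user:6} ({f.reason})")
```

Run against the constructed data it reports Bob's leftover CRM rights from his old role, every grant still held by the terminated and suspended users, and the account HR has no record of.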
Internal Honeypots
Honeypots are deliberately insecure computers traditionally deployed near the network perimeter. The intention is that a hacker will target the “low hanging fruit” and spend time compromising the vulnerable machine instead of identifying and exploiting vulnerabilities on real systems.
Since honeypots contain no valuable data, are designed to be attacked, and have no legitimate use, network defenders know that anything interacting with the honeypot is malicious and should be terminated.
Honeypots can also be incredibly valuable inside the organization’s network to help detect and protect against internal threats. Very few users (and fewer external intruders) in an organization will have a complete picture of which computers in a network contain valuable data or are mission-critical. By placing a few promising-looking computers on the network and monitoring access to them, network defenders can quickly identify malicious users or compromised accounts if they attempt to access the decoy computers and the data stored within. Like a canary in a coal mine, these internal honeypots are designed to signal if something isn’t right inside the organization.
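The canary behaviour described above, as an added example that is not from the original article: a small Python detector that reads connection log lines (constructed here in a simple key=value format) and raises an alert for any source that touches a decoy host, exempting only the monitoring station that health-checks the decoys; the decoy names, addresses and log records are all assumed values.

```python
"""Canary-style alerting for internal honeypots: any connection to a decoy
host from anything other than the monitoring station is an incident."""
import re

# Constructed values for illustration only.
DECOY_HOSTS = {"10.0.9.40": "fileserver-fin02", "10.0.9.41": "sql-hr-backup"}
MONITOR_HOSTS = {"10.0.1.5"}  # the collector that health-checks the decoys

# Constructed flow/connection log lines in a simple key=value format.
SAMPLE_LOG = """\
2024-05-01T10:03:11Z src=10.0.5.23 user=bob dst=10.0.2.14 dport=443 proto=tcp
2024-05-01T10:03:12Z src=10.0.1.5 user=svc-monitor dst=10.0.9.40 dport=445 proto=tcp
2024-05-01T10:04:40Z src=10.0.5.23 user=bob dst=10.0.9.40 dport=445 proto=tcp
2024-05-01T10:04:41Z src=10.0.5.23 user=bob dst=10.0.9.40 dport=3389 proto=tcp
2024-05-01T10:05:02Z src=10.0.7.88 user=carol dst=10.0.9.41 dport=1433 proto=tcp
this line is not a valid record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$")

def honeypot_alerts(log_text, decoys=DECOY_HOSTS, monitors=MONITOR_HOSTS):
    """Return {(src_ip, user): {"decoys", "ports", "first_seen"}} for every
    source that touched a decoy; the monitoring hosts are the only exemption."""
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        dst = m["dst"]
        if dst not in decoys or m["src"] in monitors:
            continue  # ordinary traffic, or the collector's own health check
        key = (m["src"], m["user"])
        entry = alerts.setdefault(
            key, {"decoys": set(), "ports": set(), "first_seen": m["ts"]})
        entry["decoys"].add(decoys[dst])
        entry["ports"].add(int(m["dport"]))
    return alerts

if __name__ == "__main__":
    for (src, user), a in honeypot_alerts(SAMPLE_LOG).items():
        print(f"ALERT {a['first_seen']} {user}@{src} touched "
              f"{sorted(a['decoys'])} on ports {sorted(a['ports'])}")
```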
Deploying Comprehensive Cybersecurity Protections
The spate of recent major hacks and data breaches has demonstrated that traditional, solely perimeter-focused defenses simply aren’t sufficient to ensure the integrity and security of an organization’s network and data.
Implementing internal network monitoring systems is a good step for finding internal threats, and proactive solutions like access control and deployment of internal honeypots improve the probability that a malicious insider will be detected and defeated before they’re able to cause significant damage to the company network or reputation.
Would you like to learn more about insider threats and how to protect your organization? Download our white paper here.
Sword & Shield offers a full range of services to improve your internal defenses to protect against insider threats, including Network Vulnerability Assessments, Managed Security Services, Security Awareness Training and more. Request a consultation to get started today.