By Richard Menear, CEO, Burning Tree

In any business, we inherently want to trust the people we work with. By and large, we can. However, the reality is that insiders remain one of the main threats to your organization’s information and cybersecurity, and if you think your company can’t be breached — think again!

Although it can sometimes be difficult to separate incidents caused by insiders from general data breaches, Verizon’s 2019 Data Breach Investigations Report found that 34% of all breaches in 2018 happened as a result of insider work. The same report also found that 68% of data compromise is internal.

Internal incidents can be especially tricky to detect because actors know exactly where sensitive data is stored and have a good understanding of your cybersecurity processes and the solutions you have implemented. As such, some breaches may go undetected for months — or even years.

But with the cost of an insider attack remaining high (the average cost rose 15% from 2018 to 2019), it has never been more crucial for organizations to be aware of insider threats.

Defining “insiders”

We might think of “insiders” as disgruntled or malicious employees waiting to steal your corporate data and sell it on the dark web. Malicious intent from a disgruntled employee can be the worst type of insider threat — with fraudulent activity often going undetected and eroding company profitability. However, more often than not, a data leak is simply due to a mistake or unintentional misuse.

According to reports, privileged IT users or admins are the most dangerous insiders. It is normal for IT operational staff to have direct administrative access to all systems. The information on these systems can be highly confidential or valuable and is often subject to strict compliance requirements such as GDPR. Plus, even if personal information is locked down at the application, IT administrators can access, copy, change or delete data — which could result in a GDPR compliance issue.

Focus on detection

Although prevention, mitigation, and response are crucial parts of security policies, when it comes to insider threats, it is essential to shift the focus to detection. This means investing in and deploying suitable solutions.

The different approaches used to detect and eliminate insider threats depends on infrastructure and applications.

Privileged Access Management

Weak authentication or shared credentials can further extend the risk of a highly privileged account being compromised, so application access control and password rotation are vital for improved adaptive authentication.

At the simplest level, insider threat detection solutions will ‘vault’ administrative passwords to protect and safeguard passwords, only releasing them as and when required.

Solutions could include AD Bridging to onboard Unix servers, policy enforcement, management of workstations, password rotation and command auditing.

For example, One Identity’s Privileged Access Management solutions and Quest’s audit and reporting solutions enable you to provide the full credential when necessary or limit access with the granular delegation for least privileged access. Security can also be enhanced by requiring a second factor of authentication for the user, administrative or superuser access.

Privileged Session Management

To proactively detect and limit insider threats, Privileged Session Management is also crucial. By monitoring activity, the software can help to identify and alert security officers to any broken rules — allowing them to inspect and respond to suspicious activity as it happens.

One Identity and Quest’s software records and logs all privileged activity — down to the keystroke, mouse movement and windows viewed — in real-time. Privileged access is then granted based on established policies with appropriate approvals. This eliminates shared credentials and assigns individual accountability, resulting in enhanced security and easier compliance.

Process control is key

Without adequate security controls around Privileged Account Management in place, the resulting damage and fraud from an insider attack could be disastrous. Changing user behavior and vetting privileged users is arguably as important as implementing the right software.

As such, process control is also key to managing privileged users. Over the years, Burning Tree has helped many companies address the required change within their security practices. This involves implementing a combination of appropriate software and enhanced processes to provide a complete Privileged Account Management solution that helps to detect and prevent insider attacks.

To find out how we can help tackle insider threats within your organization, contact us today. If you would like to learn more about corporate cybersecurity issues, please follow us on LinkedIn to stay up to date with our latest articles.

About the Author

Richard is responsible for the overall management and day to day running of Burning Tree. He supports the Directors in the delivery of their assignments and on the development of the consulting practice in the field of Information Risk Management. Richard specializes in Operational Risk Management and has held senior positions in a number of Global Financial Institutions.

With a successful track record of over 26 years in Financial Services and 13 years in Risk Management, Richard has a wealth of experience. He was Head of Operational Risk for a Global service unit of HSBC Bank and worked at a number of UK based banks helping them achieve AMA status under the Basel II accord. https://burningtree.co.uk/