In the very first season of cult TV hit series 24, the chilling finale exposes Jack Bauer’s confidante and co-worker at the Counter-Terrorist Unit, Nina Myers, as a deep-cover mole, feeding information to nefarious outside sources.
Though it made for great drama, this glamorized and gritty image of malicious insiders in the average enterprise today could not be further from the truth. According to a plethora of studies, whilst an organization’s employees do account for approximately half of all data breaches, half of these in turn are accidental rather than malicious. Employees are far more likely to enable breaches unwittingly, as a result of clumsy browsing etiquette or clicking on phishing emails.
Still, many organizations have a preoccupation with spending on external threats. According to HP, 71% of organizations are ‘very concerned’ with external threats, many more than are concerned with the possibility of an internal breach (46%). This is understandable: many of these hacks are extremely high profile. For example, the fallout from the Ashley Madison hack in 2015 lasted for more than four months for a single malicious security event, leading to a $567 million class-action lawsuit against the website owners.
Despite this, the time, effort and dedication that are necessary to breach an organization’s systems from the outside world are many times greater than those needed by malicious or accidental insiders who already have access to these systems. However, the matter is not as simple as this: mitigating these kinds of breaches requires categorization (splitting malicious insider attacks from accidental insider data losses, for example) and multi-faceted human and technological approaches to maintain trust and minimize the opportunities for such breaches.
Putting Technology to Work
The first port of call for limiting the possible damage from malicious and accidental insiders is controlling the number of ‘privileged’ users on the company network. Putting access policies in place so that users are only able to read from and write to files, directories, locations and applications on the network that are appropriate to their job function is an important first step. For example, making sure that a new graduate joiner does not have access to the HR folders containing pay and other personal information, or can download deal information easily, is crucial to keeping sensitive information in the right hands.
However, according to the Ponemon Institute, 49% of organizations do not have centralized access policies and are unable to control who accesses what on a granular level. Regular security audits, in partnership with specialists, are vital to gain an understanding of the complexities of access privileges. Furthermore, it is worth noting that even more organizations (69%) struggle with access logging and analysis to highlight inappropriate file access or quantify the scope of a breach after it occurs.
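The two points above (a job-function access policy, and log analysis that can surface inappropriate file access after the fact) can be tied together in a small audit script. The following is an added example, not code from the original article; the roles, share paths, users and log lines are all constructed for illustration.

```python
# Added example: a default-deny, role-based file access policy, plus an
# audit pass that replays constructed access-log lines against it and
# flags every access the policy would not have permitted.

# Policy: path prefix -> {role: allowed operations}. Hypothetical paths/roles.
# Anything not explicitly granted is denied (least privilege).
POLICY = {
    "/shares/hr/": {"hr": {"read", "write"}},
    "/shares/deals/": {"sales": {"read"}, "legal": {"read", "write"}},
    "/shares/public/": {"*": {"read"}},
}

# Hypothetical user -> role mapping (a new graduate joiner has no share grants)
ROLES = {"alice": "hr", "bob": "sales", "carol": "graduate"}


def is_allowed(user, op, path):
    """Return True only if the user's role is explicitly granted `op` on the
    longest matching path prefix; unknown users and unmatched paths are denied."""
    role = ROLES.get(user)
    if role is None:
        return False
    matches = [prefix for prefix in POLICY if path.startswith(prefix)]
    if not matches:
        return False
    rules = POLICY[max(matches, key=len)]  # most specific prefix wins
    grants = rules.get(role, set()) | rules.get("*", set())
    return op in grants


# Constructed log lines in the form "timestamp user operation path"
SAMPLE_LOG = """\
2015-08-20T09:01:00 alice read /shares/hr/payroll.xlsx
2015-08-20T09:02:10 carol read /shares/hr/payroll.xlsx
2015-08-20T09:03:45 bob write /shares/deals/acme.docx
2015-08-20T09:04:30 carol read /shares/public/handbook.pdf
2015-08-20T09:05:00 dave read /shares/deals/acme.docx
"""


def audit(log_text):
    """Parse the log and return the entries the policy would have denied,
    i.e. candidate inappropriate accesses that warrant follow-up."""
    flagged = []
    for line in log_text.splitlines():
        ts, user, op, path = line.split(maxsplit=3)
        if not is_allowed(user, op, path):
            flagged.append((ts, user, op, path))
    return flagged


if __name__ == "__main__":
    for entry in audit(SAMPLE_LOG):
        print("DENIED-BY-POLICY", *entry)
```

Running it against the sample log flags the graduate reading the HR payroll file, the sales user writing to a deal document, and an unknown account reading deal data, while the two in-policy accesses pass silently.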
Many organizations today already outsource much of their IT to avoid internal management and maintenance overheads. Among its many benefits, this approach can also help prevent insiders from having access to information that they are not authorized to have, because systems are physically not present or accessible to all on the company estate.
Working with People
Trusting the workforce does not necessarily mean giving them blanket access to all data. After all, with half of insider breaches being accidental, it would be an unfair burden to employees to expect them to fully safeguard all company data on their laptops and tablets at all times.
Most CIOs and IT staff understand that modern workforces are often dispersed – and this means accessing corporate networks on personal devices which may be shared with loved ones and children, representing an instant point of vulnerability. This is one important area where the IT team must work closely together with the HR department to provide training on how to keep personal and professional lives separate, including the avoidance of emailing documents to a personal address, and safe internet browsing techniques, for example.
Whilst companies often employ ex-hackers and security consultancies to run ‘ethical hacking’ tests, probing for vulnerabilities in the network and IT system, few run ‘pre-mortems’ on behavioral analysis, attempting to figure out psychological and behavioral weaknesses in the company data handling processes.
However, this must also go hand in hand with typical company safeguards like background checks to ensure that prospective new employees are vetted appropriately before starting at the company. Avoiding bad hires with suspicious career gaps, or those for whom references are refused, can help organizations to minimize the risk of malicious insider breaches.
Solutions and Remedies
Whilst there will never be a simple cure for insider breaches, organizations can mitigate them in several ways, including increased training and awareness and tighter restrictions on access privileges. This requires a close relationship between the IT and HR departments to devise solutions which are effective at both a human and a technological level.
Organizations must update and enforce technological policies that include usage logging and tightly controlling those who have elevated “admin rights”. In many cases, this is all easier said than done, so outsourcing to specialists is often the smarter path to take. Even if you are Jack Bauer.