Insider threat: Beyond technical controls

26 March 2018

It’s the threat that keeps IT security staff awake at night. The threat that is often the hardest to mitigate, detect and prosecute. The threat that can be entirely malicious or accidental, and cause the same level of pain.

More than half of businesses surveyed by the 2018 Insider Threat Report have experienced attacks from people working within their own company. Ninety per cent of businesses feel vulnerable to insider threats.

Insider threat most often arises through negligence or accident, and occasionally through malicious intent. An insider acting maliciously can hide his or her activities online for a long time, and the longer the threat is in place, the more damage it can do. Mitigating the insider threat is complex and must be approached from a number of angles.

Technical controls – the starting point

As a baseline, we recommend organisations implement:

  • network monitoring and activity logging to a protected central logging repository that is regularly audited by security staff
  • the principle of least privilege and separation of duties
  • the Australian Signals Directorate Essential Eight mitigation strategies, with particular attention to application whitelisting and patching applications and operating systems
  • no shared administrative accounts wherever possible
  • consistent auditing of any remaining shared administrative accounts and of all system accounts
  • restriction of all system accounts to their minimum privilege, based on vendor advice.
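Two of the controls above, central logging and auditing of shared administrative and system accounts, are easiest to see in practice. The following is an added example, not code from the original article or from the Australian Signals Directorate: it runs two simple audits over constructed authentication log lines. It assumes a whitespace-separated log format of timestamp, account, source host and event type (an assumption; real repositories will need their own parser), and it flags (a) a shared administrative account used from more than one host within a short window, which shows the account is in fact being shared and its actions cannot be attributed to one person, and (b) a system or service account used for an interactive logon, which such accounts should never need.

```python
"""
Added example: auditing shared administrative and system accounts from a
central log repository. Log format and account names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
# Fields: timestamp  account  source_host  event_type
SAMPLE_LOG = """\
2018-03-26T08:01:10Z admin-shared ws-12 interactive_logon
2018-03-26T08:03:45Z admin-shared ws-27 interactive_logon
2018-03-26T08:30:00Z alice ws-12 interactive_logon
2018-03-26T09:10:02Z svc-backup srv-db-01 interactive_logon
2018-03-26T09:10:05Z svc-backup srv-backup-01 service_logon
2018-03-26T12:15:00Z admin-shared ws-41 interactive_logon
"""

# Hypothetical account inventory; in practice this comes from your directory.
SHARED_ADMIN_ACCOUNTS = {"admin-shared"}
SYSTEM_ACCOUNTS = {"svc-backup"}
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the assumed four-field log format into (ts, account, host, event) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, host, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, host, event))
    return events


def concurrent_shared_use(events, accounts=SHARED_ADMIN_ACCOUNTS, window=WINDOW):
    """Flag a shared admin account used from two different hosts within `window`.

    Returns (account, host_a, host_b, ts_a, ts_b) tuples.
    """
    by_account = defaultdict(list)
    for ts, acct, host, _event in events:
        if acct in accounts:
            by_account[acct].append((ts, host))

    findings = []
    for acct, uses in by_account.items():
        uses.sort()  # chronological, so the inner loop can stop early
        for i, (ts, host) in enumerate(uses):
            for ts2, host2 in uses[i + 1:]:
                if ts2 - ts > window:
                    break
                if host2 != host:
                    findings.append((acct, host, host2, ts, ts2))
    return findings


def interactive_system_logons(events, accounts=SYSTEM_ACCOUNTS):
    """Flag system/service accounts used for interactive logons.

    Returns (ts, account, host) tuples.
    """
    return [
        (ts, acct, host)
        for ts, acct, host, event in events
        if acct in accounts and event == "interactive_logon"
    ]


def audit_report(text):
    """Run both audits and return a dict of findings suitable for review."""
    events = parse_log(text)
    return {
        "concurrent_shared_use": concurrent_shared_use(events),
        "interactive_system_logons": interactive_system_logons(events),
    }


if __name__ == "__main__":
    for name, findings in audit_report(SAMPLE_LOG).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f)
```

Both checks are deliberately simple so the logic is reviewable; the value lies in running them on a schedule against the central repository and treating each finding as a ticket for the account owner. Tune the window to how long an administrative session realistically lasts in your environment.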

Focus on your culture

Very few employees take a new job with the intent of stealing information or exploiting networks. However, a disgruntled employee can turn into a malicious insider very quickly.

Personal circumstances, such as high debt, can also result in an opportunistic insider looking to make some fast money.

Therefore, behavioural and cultural mitigation strategies must complement your technical mitigation strategies. It’s important to pay attention to your staff and notice significant changes in personal circumstances or behaviour and ensure support is provided through periods of stress.

The culture of your organisation and overall contentment of your staff is a critical factor in mitigating insider threat. If the work environment is one of integrity and transparency, it is much harder to act dishonestly. Happy, valued and challenged staff members are less likely to act to harm your organisation.

Ensure you are also hiring the best people by verifying an applicant’s identity and conducting background and criminal history checks.

By all means use all appropriate technical controls, but if your culture is working against you and creating numerous disgruntled employees, you will need to be on high alert. It’s therefore important to approach insider threat at an organisational level. This risk needs to be recognised and mitigated from both technical and human resources perspectives.

Identify negative attitudes and behaviours early and diagnose what cultural factors may be contributing.

Improve staff education

Although businesses are focused on raising awareness of cyber security and run a number of programs to achieve this, many employees still do not have a strong understanding of the impact of their actions or of careless cyber security behaviour. We suggest:

  • Make staff education a priority in your organisation.
  • Review security awareness training regularly to ensure effectiveness.
  • Find interesting ways to educate your staff.
  • Share interesting news articles that encourage understanding of the critical nature of cyber security.
  • Detail the impacts of a wrong click or the remediation costs of exposed data.

Mitigating insider threat needs a cultural approach, backed by constant education and technical controls. The less attention we pay to employees’ contentment and the overall climate of the organisation, the greater the risk becomes.

For more information and mitigation strategies, read the Australian Government’s Managing the insider threat to your business—A personnel security handbook.

You can also read more about mitigating common threats or improving staff awareness.