Looking at the threats that are within the walls of your company is as important as looking out. According to a study conducted by Crowd Research Partners [1], insider threats are a major concern for information security managers. 90% of companies feel vulnerable to threats generated within their own environment.

According to the study, the main enablers of insider threats are:

What are insider threats?

Insider threats are associated with people who have access to an organization’s confidential information or private platforms, such as employees, former employees, business partners or service providers. Any individual who, at any time in the present or past, has had access to privileged information and private systems may represent a potential vulnerability.

However, not all risks related to people are promoted premeditatedly or are the result of fraud, sabotage or industrial espionage. Often, unsecure habits or lack of information about good security practices can cause a significant number of breaches.

A user can type an email address incorrectly when forwarding sensitive information; or click links or open files in spear phishing emails; there are cases of browsing suspicious websites that tricks  to download unwanted applications, such as spyware, or that promote mining of cryptocurrencies.

 

It is difficult to identify internal threats

Security incidents involving insiders are costly for businesses, usually because of the difficulty of tracking down potential negligent behavior or purposely malicious action. According to Ponemon Institute [2], cases of bad security practices can cost more than US$ 280,000. In cases of credential theft or criminal leaks, the cost per incident can reach US$ 650,000. These costs are associated with monitoring, investigation, incident response, analysis and remediation.

Often, the costs of insider threats are high because they are not anticipated by most companies. In addition, two particular factors make the analysis of these cases even more complex. Firstly, it is hard to distinguish between negligent action and malicious action. Furthermore, internal threats can remain hidden for years (and the longer it takes to identify a malicious action, the greater its cost).

 

Who are the main responsible?

As stated above, anyone who has a privileged relationship with a company and access to their private information or platforms should be considered a potential vulnerability. However, it is important to always be aware to three groups:

 

Employees and Former employees

Any employee can collect information during their contract with the company. Therefore, it is important to constantly monitor all their actions. Many security products allow to control copying or sharing of information, either by settings that block ports or through content filters.

 

Privileged users

Middle management executives represent the two sides of the same coin. On the one hand, they have privileges to access information. On the other hand, whenever they misuse strategic data, with or without intention, the impact is big. Finally, they are often the targets of malicious actions.

It is therefore important to build a very clear security policy and to be able to define how each user should make use of their privileges, whether such privileges are indispensable, and at the same time define how to monitor users.

 

Third Party Service Providers

Consider business partners, vendors and even remote employees as potential threats. They have access to company information and often their devices are not protected by perimeter security controls.

In the case of third parties, service contracts must establish duties and responsibilities regarding the use of information; in the case of remote employees, it is crucial to establish platform access controls (such as 2 authentication factors), and to deploy security to local devices.

 

4 ways to combat internal threats

 

Multi-layer protection for email accounts

In the corporate environment, email is still a key resource for business communication and information logging. Therefore, many social engineering scams are promoted by this means.

To ensure that no information leaks through this channel, it is important to monitor email servers with dedicated controls. It is worth highlighting two key technologies for protecting email accounts: Data Loss Prevention (DLP), which identifies sensitive information and establishes actions according to security rules; and Encryption, which encodes information stored or in transit.

 

Active intrusion detection

The adoption of an intrusion prevention system (IPS) is relevant to establish active detection of suspicious actions in your environment, especially if your users are tricked into social engineering schemes and contaminated by malware. According to the Crowd Research Partners study, 63% of companies surveyed consider this type of control to be efficient in managing internal risks [1].

 

Access and content management

As with intrusion systems, the adoption of active detection controls is crucial to avoid internal incidents. When aligned with security policy, these technologies will be responsible for establishing and securing privilege rules, monitoring the flow of information according to content filters, file types and sizes, and so on.

 

User Activity Log

One of the great challenges of any company will be to prove that the activities of an internal user are criminal. One way to address this problem is to adopt a technology for log management, which allows to keep track and log each user’s activities.

 

No matter the industry, every company is subject to the risks of internal threats. Therefore, to promote more security for the environment, organizations can not just watch the scenario of external threats, but must understand in detail what their internal challenges are. In general, the same security products can be configured to prevent both internal and external threats. If a company is concerned about protecting their confidential information, then it can not neglect the adoption of comprehensive protection measures as costs may be higher than expected.

 

[1] Insider Threat Report: 2018

[2] 2018 Cost of Insider Threats: Global