By Becky Metivier • August 15, 2017

Tips to Avoid the Insider Threat

Even environments with the most mature perimeter defenses are at risk of insider threats. Whether from malicious intent, carelessness, or clicking on a phishing email, the result is the same. Your sensitive data is exposed. The good news is that there are things you can do to deter, and in some cases prevent, insiders from compromising your network.

We talk a lot about Cybersecurity Culture. And in the case of insider threats, a great culture can be one of the best deterrents for both the “dark side” and the accidental. How you run your organisation can discourage insiders from even trying. Here are a few tactics to consider.


  • Deploy data-centric security, not system-centric security. Data can be all over the place, so be sure you know where all of yours is. Data is money to hackers, and it is their primary motivation.
  • Train and educate your workforce. Provide avenues for reporting.
  • Use positive social engineering. Treat people well, and use carrot programs, more often than stick programs.
  • Think like a marketer. This means considering messaging and strategy, not just what's happening at a particular moment. Insider threats are aggregated across many events, so if you’re not thinking globally about how messaging is impacting the teams, then you may miss something.
  • Build a baseline. Base it on volume, velocity, frequency, and amount at hourly, weekly, and monthly increments. Knowing typical patterns and normal behavior allows you to spot something out of the ordinary. Novelty is a good indicator that something isn’t right.
  • Use centralised logging and monitoring to detect data exfiltration.
  • Require identification for access to all assets (e.g. access cards, passwords, inventory check out).
  • Announce the use of policies that monitor events. Events include unusual network traffic spikes, volume of USB / mobile storage use, volume of off-hour printing activities, and inappropriate use of encryption.
  • Provide avenues for employees to vent concerns and frustrations. This will really help to mitigate the insider threat motivated by disgruntlement. If people feel like they can talk to you, then you may be able to turn around someone heading in the wrong direction.
  • Implement employee recognition programs. Give public praise to aid in mitigating the insider threat motivated by ego.
  • Authorise users based on the “least privilege” access principle.
  • Conduct periodic audits. These can detect inappropriately granted access, or access left over from previous job roles / functions, that should be removed.
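As an added illustration of the baseline, centralised logging and monitoring bullets above (example code, not part of the original post), the following Python builds a per-user hourly baseline from constructed log records and flags both a volume spike and activity in an hour never seen before. The record format, the sample values and the mean-plus-three-standard-deviations threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed history standing in for a central log store; the line format
# (ISO timestamp, user, bytes sent out) is assumed. Three office days for "alice".
HISTORY = [
    f"2017-08-{day:02d}T{hour:02d}:00:00 alice {volume}"
    for day in (7, 8, 9)
    for hour, volume in ((9, 120000), (11, 150000), (14, 130000), (16, 140000))
]
# Constructed events to check: a normal afternoon transfer, a large spike,
# and a modest transfer at 02:00, an hour the baseline has never seen.
EVENTS = [
    "2017-08-15T14:00:00 alice 135000",
    "2017-08-15T14:30:00 alice 2800000",
    "2017-08-15T02:00:00 alice 90000",
]

def parse(line):
    ts, user, volume = line.split()
    return datetime.fromisoformat(ts), user, int(volume)

def build_baseline(lines):
    """Per user, the volumes seen in each hour-of-day bucket (the hourly increment)."""
    base = defaultdict(lambda: defaultdict(list))
    for ts, user, volume in map(parse, lines):
        base[user][ts.hour].append(volume)
    return base

def check(line, baseline, k=3.0):
    """Return None for normal activity, else a reason. Novel hour is checked first;
    volume is tested against mean + k*stdev of the user's whole history."""
    ts, user, volume = parse(line)
    hours = baseline.get(user, {})          # unknown user -> every hour is novel
    if ts.hour not in hours:
        return f"novel hour {ts.hour:02d}:00"
    history = [v for vols in hours.values() for v in vols]
    threshold = mean(history) + k * pstdev(history)
    if volume > threshold:
        return f"volume {volume} exceeds baseline threshold {threshold:.0f}"
    return None

BASELINE = build_baseline(HISTORY)

def review(events=EVENTS, baseline=BASELINE):
    return [(e, r) for e in events if (r := check(e, baseline))]

if __name__ == "__main__":
    for line, reason in review():
        print(f"ALERT {reason}: {line}")
```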

Tips to Prevent Insider Threats

Effective prevention really relies on administrative and technical controls, including:

  • Block file downloads to media.
  • Encrypt critical information at rest. That way if someone takes it, it won’t do them any good.
  • Restrict access and review access frequently.
  • Monitor for access success as well as failure. This will help you see anomalies.
  • Segment your network. Put your critical services in a segment that only a very few people, and a very few other systems, can reach.
  • Set up role-based access, applying “least privilege” so that each role holds only the permissions needed to perform its job duties.