The news and media often highlights vulnerabilities, malware, and negligent employee breaches as the only dangers organizations face, overlooking costlier insider threats. Surprisingly, stolen records for insider threats in the US cost $230 which is more than breaches caused by system glitches ($142) and human error ($134). Insider threats alone cost the US $40 billion in losses. Two recent examples of insider threat illustrate how former and current employees can damage a business.
Insider threats don’t always come from current employees; they can come from former employees. In 2014, a Winchester-based company laid-off an IT department employee. The disgruntled former employee remotely accessed the company’s network using another employee’s log-on credentials, deleted important files, and disabled some of the company’s accounts. His actions cost the company almost $62, 000.
In a Vectra survey, 41% of cybersecurity professionals marked IT personnel as one of the biggest potential insider threats, which isn’t too surprising considering IT departments have access to the company’s network, oftentimes including employee log-on credentials.
The obvious question may be, “Well, why didn’t the company deactivate the employee’s access when he was let go?” But the company did deactivate his access to their internal systems—that wasn’t enough. When the well-connected employee left, the company should have had all the employees change their passwords, especially admin passwords to servers and networks. This precautionary measure may have helped the company prevent the attack.
Two-factor authentication could have helped in this situation as well. If the former employee used another employee’s credentials, it is highly unlikely he/she could have produced the second factor, preventing thousands of dollars in damage. This best practice is easy to implement and adds a layer of security.
Unlike the first example, these inside attackers weren’t motivated by revenge. Instead, they wanted to make a quick buck. A California-based company paid three AT&T employees to not only install malware on the company’s internal network, but also to modify the malware during different stages of the attack. All of this was done on the company’s computers while the employees worked in an AT&T call center.
Law enforcement recommends system admins and cybersecurity professionals regularly review employees’ privileges to determine what access points are necessary for individual employees to perform their day-to-day duties. Any unnecessary access should be revoked. Tiered privileges can minimize damage in case of an attack.
Verizon’s Data Breach Investigation Report points out that employees leave tracks as they move through a network and admins can see what is accessed. Verizon recommends logging employee activity, collating it, and analyzing what behaviors are acceptable for employees in different responsibilities. They suggest assigning a threshold for different elements, such as:
- Volume or amount of content transfer, such as e-mail attachments or uploads
- Resource-access patterns, such as log-on info or data repository touches
- Time-based activity patterns, such as daily and weekly habits
- Indications of job contribution, such as the amount of source code checked in by developers
- Time spent in activities indicative of job satisfaction or discontent
Once the information is collected and collated, system admins can investigate whether or not behaviors outside of the norm are indicators of potential insider threats or false positives.
Simple Solutions in Best Practices
Hindsight is always 20/20; it’s easy to discuss another company’s failures and how they could improve. However, there is a lot to learn from others’ mistakes. These are only two examples to show how insiders pose threats. Following best practices, such as requiring employees to use strong passwords, enabling two-factor authentication, locking out user accounts after a number of failed attempts, etc. can mitigate insider threats.