The insider threat risk in the age of GDPR

Insider threat

The insider threat is a threat to an organisation’s security or data that comes from within. Such threats are usually attributed to employees or former employees, but may also arise from third parties.

A recent Bomgar report found that more than 65% of IT professionals don’t feel confident in their ability to identify insider threats. With the GDPR now in play and Ponemon’s latest report finding that the average insider threat incident costs organisations $8.76 million, this is a recipe for disaster.

Thankfully, there are ways to stop the insider threat from becoming a real issue. Below, five IT experts give their advice on how to defend against the different types of insider threat.

Nir Polak, CEO at Exabeam, gives a broad overview of the insider threat and how to defend against it.

He said: “There are actually two types of insider threats. One fits the common definition, i.e. a malicious insider who is purposely stealing data. The other type is the compromised insider, i.e. the insider whose credentials have been stolen and now a hacker is impersonating that insider on the network.

“Both types of insider threats can cause harm. In either case, one of the most formidable threats often comes from administrators with privileged credentials. This person’s job often requires access to sensitive systems, so it can be difficult to distinguish between normal sensitive access and risky sensitive access.

“To secure sensitive data, organisations need to start by asking a series of questions internally to clearly define policies and best practices: what are the policies we need? Who should be able to access which data?

“What access controls should be in place around information or systems? Policies can be as straightforward as ‘employees shouldn’t have more access to confidential data than their current job requires’, followed by a program to review access on a regular basis. Too often employees accumulate access rights that aren’t revoked when they move to new projects.”
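The periodic access review Polak describes can be partly automated. The script below is an added example, not Exabeam’s product or any code from the article: it compares each user’s current entitlements against a role matrix, and treats out-of-role access that was granted before the user’s current role began as accumulated from a previous job (a candidate for revocation), while out-of-role access granted after the move is routed to a named approver instead. The role matrix, the user records and the dates are all constructed for illustration.

```python
"""Stale-entitlement review: flag access a user holds that their current role
does not justify.  Added example; the role matrix and user records below are
constructed, not taken from any real directory."""
from dataclasses import dataclass
from datetime import date

# Constructed role matrix: the access each role is expected to need.
ROLE_ENTITLEMENTS = {
    "analyst":  {"crm-read", "reports-read"},
    "dev":      {"git-write", "ci-run", "staging-db-read"},
    "payroll":  {"hr-db-read", "payroll-write"},
    "sysadmin": {"git-write", "ci-run", "prod-db-admin", "ad-admin"},
}


@dataclass
class User:
    name: str
    role: str
    role_since: date
    grants: dict  # entitlement -> date it was granted


def review_user(user, matrix=ROLE_ENTITLEMENTS):
    """Return (to_revoke, to_confirm).

    to_revoke:  entitlements outside the current role that were granted
                before the user moved into that role, i.e. accumulated
                from an earlier job and never cleaned up.
    to_confirm: entitlements outside the current role granted after the
                move; these need a named approver, not automatic removal.
    """
    allowed = matrix.get(user.role, set())
    to_revoke, to_confirm = [], []
    for entitlement, granted in sorted(user.grants.items()):
        if entitlement in allowed:
            continue
        if granted < user.role_since:
            to_revoke.append(entitlement)
        else:
            to_confirm.append(entitlement)
    return to_revoke, to_confirm


def review_all(users, matrix=ROLE_ENTITLEMENTS):
    """Run the review for every user; returns {name: (to_revoke, to_confirm)}."""
    return {u.name: review_user(u, matrix) for u in users}


# Constructed sample population.
USERS = [
    # Moved from dev to analyst in 2018; git access from 2016 was never revoked.
    User("alice", "analyst", date(2018, 3, 1),
         {"crm-read": date(2018, 3, 1), "reports-read": date(2018, 3, 1),
          "git-write": date(2016, 6, 12)}),
    # Developer who was granted prod DB admin after joining the team:
    # out of role, but recent, so it goes to an approver rather than revocation.
    User("bob", "dev", date(2017, 1, 9),
         {"git-write": date(2017, 1, 9), "ci-run": date(2017, 1, 9),
          "prod-db-admin": date(2018, 4, 20)}),
    # Nothing outside the role.
    User("carol", "payroll", date(2015, 9, 14),
         {"hr-db-read": date(2015, 9, 14), "payroll-write": date(2015, 9, 14)}),
]

if __name__ == "__main__":
    for name, (revoke, confirm) in review_all(USERS).items():
        print(f"{name}: revoke={revoke} confirm={confirm}")
```

The split between “revoke” and “confirm” matters in practice: automatically stripping access that a manager deliberately granted last month generates tickets and erodes trust in the review, whereas access that predates the person’s current role almost never has a current owner who will object.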

Jan Van Vliet, Head of EMEA at Digital Guardian goes into detail about the accidental insider.

He commented: “Employers must be cautious of the accidental insider threat. Employees present a great risk to internal data, even with data classification and access controls in place. IT teams must take a risk-based approach to their employees, and audit them on the level of risk that they present to company data.

“Some employees will present a greater risk than others. For example, employees with network administrator credentials pose a far higher risk than those with local user access. Employees in the finance department, on the other hand, may make a tempting target for cyber criminals due to the lucrative data that they process. By understanding which employees present a higher risk to data and tailoring defences accordingly, IT teams dramatically reduce the threat associated with insiders.”

Steve Armstrong, Regional Director UK, Ireland and South Africa at Bitglass, discusses the malicious insider.

He added: “Often described as malicious insiders, rogue employees are individuals that intentionally set out to steal company data; this may be done out of a desire for vengeance, profit, or even a competitor’s benefit.

“A high profile example can be found with the 2015 case of a Mercedes engineer who stole highly sensitive data in order to give it to his new employer, Ferrari. Unfortunately, insiders with malicious intent have an upper hand when it comes to data theft – they have legitimate credentials that will bypass the majority of their organisations’ security features.

“If such an individual holds a senior or administrative role, she or he may even have unfettered access to an organisation’s most sensitive data.

“Reactive tools that rely upon humans to manually analyse threats are incapable of protecting data in the high-speed era of the cloud. As such, automated security solutions are vital for businesses today.

“These kinds of tools employ machine learning so that they can identify malicious or suspicious behaviours as they take place; for example, when a user suddenly downloads an unusually large amount of data or accesses sensitive information outside of normal working hours. These tools use an analytical, real-time approach in order to uncover threatening behaviour and take corrective actions as needed.”
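The two behaviours Armstrong gives as examples, an unusually large download and sensitive access outside normal hours, are simple to check against a per-user baseline. The following is an added example written for this article, not Bitglass’s product or any machine-learning system: it parses a handful of constructed access-log lines (the field layout is an assumption), builds each user’s own download history, and raises an alert when a day’s volume exceeds a multiple of that user’s median, or when a resource labelled confidential is touched outside the working-hours window.

```python
"""Behavioural baseline over access logs: flag a user whose daily download
volume is far above their own history, or who touches sensitive data outside
working hours.  Added example with constructed log lines; the field layout
(timestamp user action resource bytes label) is an assumption."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines.  dave has a week of small downloads, then a huge
# late-night CRM export; erin works normal hours on the same confidential CRM.
LOG = """\
2018-06-04T09:12:00 dave download /share/q2-forecast.xlsx 2400000 internal
2018-06-05T10:03:00 dave download /share/pricing.pdf 1800000 internal
2018-06-06T11:40:00 dave download /share/deck.pptx 3100000 internal
2018-06-07T09:55:00 dave download /share/notes.docx 2000000 internal
2018-06-08T14:20:00 dave download /share/plan.xlsx 2600000 internal
2018-06-11T23:41:00 dave download /crm/export/customers-all.csv 410000000 confidential
2018-06-11T23:52:00 dave access /hr/salaries.xlsx 0 confidential
2018-06-04T08:30:00 erin access /crm/accounts 0 confidential
2018-06-05T08:45:00 erin access /crm/accounts 0 confidential
2018-06-06T09:05:00 erin access /crm/accounts 0 confidential
2018-06-07T17:30:00 erin access /crm/accounts 0 confidential
2018-06-08T09:15:00 erin download /crm/accounts/list.csv 5000000 confidential
"""


def parse(log):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, action, resource, nbytes, label = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource,
                       "bytes": int(nbytes), "label": label})
    return events


def daily_volume(events):
    """{user: {date: bytes downloaded that day}}"""
    vol = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "download":
            vol[e["user"]][e["ts"].date()] += e["bytes"]
    return vol


def detect(events, volume_factor=10.0, min_history=3, work_hours=(7, 19)):
    """Return a list of alert tuples (user, kind, when, detail).

    volume:  a day's download total exceeds volume_factor times the median of
             that user's earlier days (only once min_history days exist, so a
             new user does not alert on their first real day of work).
    off-hours-sensitive: a confidential resource touched outside work_hours.
    """
    alerts = []
    for user, days in daily_volume(events).items():
        for day in sorted(days):
            history = [v for d, v in days.items() if d < day]
            if len(history) < min_history:
                continue
            baseline = statistics.median(history)  # median resists one-off spikes
            if days[day] > volume_factor * baseline:
                alerts.append((user, "volume", str(day), days[day]))
    start, end = work_hours
    for e in events:
        if e["label"] == "confidential" and not start <= e["ts"].hour < end:
            alerts.append((e["user"], "off-hours-sensitive",
                           e["ts"].isoformat(), e["resource"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG)):
        print(alert)
```

Two design points carry over to real tooling: the baseline is per user and uses the median, so one earlier large download does not silently raise the bar, and the off-hours rule fires only for data already labelled sensitive, which is why the classification work the other contributors mention has to come first.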

Steve Wainwright, Managing Director, EMEA at Skillsoft focuses on the compromised insider.

He said: “Social engineering attacks are a go-to method for hackers. They rely on unwitting, unsuspecting and, at times, careless employees. A recent PositiveTechnologies study found that more than one in ten employees fall for this type of attack. Social engineering attacks work by using psychological manipulation.

“Hackers use information gained on social media or the dark web to build a profile of a person, and then pose as someone they might know via email. They might then encourage their victim to click on a link or download a file that contains malware.

“The key to defending against this type of threat is education. By training employees to question and look out for suspicious emails – for example, checking if the sender email address looks odd and scanning the email for poor grammar and spelling – organisations can reduce the likelihood of successful attacks. Giving employees the skills and knowledge they need to identify potential attacks is the best way of mitigating the insider threat risk.”
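“Checking if the sender email address looks odd” can be made concrete. The script below is an added example and not Skillsoft training material or code from the article: it takes a From: header and flags the three tricks employees are most often taught to look for, a lookalike domain (one character off, or identical once confusable characters such as “rn” for “m” are normalised), a trusted domain planted as the prefix of an unrelated one, and a display name that claims a trusted address while the real address is elsewhere. The known-domain list and the sample headers are constructed.

```python
"""Sender-address sanity checks for a From: header.  Added example; the
known-domain list and sample headers are constructed."""
from email.utils import parseaddr

KNOWN_DOMAINS = {"example.com", "example-bank.com"}  # constructed


def normalise(domain):
    """Fold common visual substitutions so 'exarnple.com' reads as 'example.com'."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"),
                      ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d


def edit_distance(a, b):
    """Levenshtein distance; one edit away from a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(header, known=KNOWN_DOMAINS):
    """Return a list of reasons to distrust the header; [] means the address
    belongs to a known domain or a genuine subdomain of one."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in known or any(domain.endswith("." + k) for k in known):
        return []
    reasons = []
    for k in sorted(known):
        if normalise(domain) == normalise(k) or edit_distance(domain, k) == 1:
            reasons.append("lookalike of " + k)
        elif domain.startswith(k + "."):
            # e.g. example-bank.com.verify-login.net: the trusted name is only a prefix
            reasons.append(k + " used as a prefix of " + domain)
        if "@" + k in name.lower():
            # display name shows a trusted address; the real one is somewhere else
            reasons.append("display name claims " + k + " but address is @" + domain)
    return reasons or ["unknown domain " + domain]


if __name__ == "__main__":
    for h in ("Alice <alice@example.com>",
              "IT Support <helpdesk@exarnple.com>",
              '"ceo@example.com" <bigboss@gmail.com>',
              "Payments <pay@example-bank.com.verify-login.net>"):
        print(h, "->", check_sender(h))
```

The same checks belong in the mail gateway as well as in the training deck; the point of teaching them to staff is that the gateway will not catch every variant, and a person who knows why “exarnple” is wrong will spot the next spelling too.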

Tom Harwood, Co-Founder and CPO at Aeriandi discusses the potent risk of insider threats in the contact centre.

He commented: “Contact centres are as vulnerable to human error as any other area of a business and accidental data leaks can result from negligence or poor data protection practices. The sensitivity of the contact centre role can also attract the attention of criminals who may try to engineer access to valuable customer data. There is the possibility – however unlikely – that individuals may choose to commit fraud.

“A traditionally high turnover of staff makes contact centres susceptible to disgruntled employees who may have insider knowledge into customer verification processes or security flaws. When customer payment data is taken over the phone, call archives are full of sensitive customer data such as payment details, passwords and security question answers. When these archives are leaked – either intentionally or by accident – criminals can use the data to commit a range of financial crimes, from online identity theft to major bank fraud.

“The best way for organisations to protect customer data from an insider threat is by making sure payment details never enter the contact centre environment from the outset. Implementing this system removes the potential for both malicious and non-malicious threats. With no card data being stored, processed or transmitted through the systems, criminals cannot steal sensitive data and employees are not required to manage customer payment details. Instead, payments are routed via a secure payment platform.

“This means that agents can see the transaction is taking place but crucially have no visibility of customer data. With no sensitive data taken, processed or stored on site, the insider threat is completely removed. Organisations can implement these systems while maintaining employee trust, as they protect the agents themselves from potential criminal coercion and human error. They can also be used as a way to boost customer confidence in the company’s data management capability.”

Luke Brown, VP EMEA at WinMagic explains the importance of encryption in defending against the insider threat.

He concluded: “To effectively protect against insider threats, whether it’s malicious or simply unplanned user error, sensitive data should only be viewable by authorised personnel. Encryption is often (and quite rightly) viewed as the last line of defence when it comes to data security.

“Authorising only those users who are meant to see the data – giving them the correct encryption keys and appropriate access rights to encrypted files, folders and containers – ensures anyone else is unable to access the data. But encryption needs a wide purview; data needs to be kept under lock and key no matter where it is – on an endpoint, data-centre or in the cloud.

“Users are the one constant, inevitable challenge in securing data, so taking a cross-platform, ubiquitous approach to encryption is the only answer.”

Ultimately, the insider threat is a real and present danger to organisations today. However, by being aware of the different types of insider threat, and understanding how each one leads to sensitive data being leaked, companies can greatly reduce the chance of an insider causing a security incident.