September marks the beginning of Insider Threat Awareness Month 2020. Enterprises can’t ignore that some of the most pressing threats to their digital IT infrastructure might not come from without but from within. Whether it stems from actual malice or from simple ignorance, employees and third parties could cause data breaches, data leaks, or business disruptions just as easily as any hacker.
In fact, behavior-based security analytics provider Gurucul found that over 70 percent of all enterprises are vulnerable to insider threats. 40 percent of enterprise respondents said they can’t detect an insider threat either while or after it moves data outside the network. Another report, from SolarWinds, found that nearly 62 percent of enterprise IT and non-IT respondents cite user error as their top insider cybersecurity threat.
To recognize Insider Threat Awareness Month 2020, we consulted with security experts from around the world. Here’s what they had to say.
Insider Threat Awareness Month 2020: The Experts Comment
Orion Cassetto is Director of Product Marketing at Exabeam.
“Especially now, as entire workforces remain in remote working conditions, the danger of insider threats is as unmistakable as ever. It is critical for businesses to recognize that this form of threat from legitimate users has always been more elusive and harder to detect or prevent than traditional external threats. Additionally, while the most common insider threats are not usually motivated by malicious intent, and the damage they cause is unintentional, it is no less ominous to business viability.
Given those known factors, irregular behavior detected at the system or network level can be an indicator of an insider threat. There are numerous indicators for insider threats, and knowing how to recognize the signals and keep track of dispersed or remote working employees is a major part of prevention and protection to the enterprise.
A combination of training, organizational alignment, and technology is the right approach. Specifically, behavioral analytics technology that tracks, collects and analyzes user and machine data to detect threats within an organization is essential. This advanced technology distinguishes anomalous from normal behaviors. This is typically done by collecting data over a period of time to understand what normal user behavior looks like, then flagging behavior that does not fit that pattern. It can often spot unusual online behaviors – credential abuse, unusual access patterns, large data uploads – that are telltale signs of insider threats. More importantly, it can often spot these unusual behaviors among compromised insiders long before criminals have gained access to critical systems.”
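The baseline-then-flag approach described above, as an added example that is not Exabeam's product or the article's own code: a per-user baseline (median daily upload volume and the set of resources normally touched) is learned from a constructed upload log, and a later day's records are flagged for new-resource access, volume spikes and accounts with no baseline at all. The CSV format, user names and the 3x volume threshold are assumptions.

```python
# Added example (not Exabeam's or the article's code): baseline-then-flag detection
# over constructed upload logs. Log format, user names and 3x threshold are assumed.
import statistics
from collections import defaultdict
BASELINE_LOG = """
2020-08-24,alice,crm,120000
2020-08-25,alice,crm,150000
2020-08-26,alice,crm,110000
2020-08-24,bob,fileshare,900000
2020-08-25,bob,fileshare,1100000
2020-08-26,bob,fileshare,950000
"""
LIVE_LOG = """
2020-09-01,alice,crm,135000
2020-09-01,alice,payroll,2400000
2020-09-01,bob,fileshare,980000
2020-09-01,carol,fileshare,50000
"""

def parse(log):  # constructed records: "date,user,resource,bytes_uploaded"
    rows = []
    for line in log.strip().splitlines():
        date, user, resource, nbytes = line.split(",")
        rows.append((date, user, resource, int(nbytes)))
    return rows

def daily_totals(rows):
    """Per user, per day: total bytes uploaded."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, user, _resource, nbytes in rows:
        totals[user][date] += nbytes
    return totals

def build_baseline(rows):
    """Learn 'normal' per user: median daily volume and the resources they touch."""
    baseline = {u: {"median": statistics.median(d.values()), "resources": set()}
                for u, d in daily_totals(rows).items()}
    for _date, user, resource, _nbytes in rows:
        baseline[user]["resources"].add(resource)
    return baseline

def score(baseline, rows, factor=3.0):
    """Flag live behavior that does not fit the learned pattern."""
    findings = []
    for date, user, resource, _nbytes in rows:
        if user not in baseline:
            findings.append((user, date, "no_baseline", resource))      # unknown account
        elif resource not in baseline[user]["resources"]:
            findings.append((user, date, "new_resource", resource))     # unusual access
    for user, per_day in daily_totals(rows).items():
        for date, total in per_day.items():
            if user in baseline and total > factor * baseline[user]["median"]:
                findings.append((user, date, "volume_spike", total))    # large upload
    return sorted(findings, key=lambda f: (f[0], f[1], f[2]))
```

Running `score(build_baseline(parse(BASELINE_LOG)), parse(LIVE_LOG))` flags alice's first-ever payroll access and her day total of 2,535,000 bytes, and carol as an account with no history, while bob's ordinary day produces nothing.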
Torsten George is Cybersecurity Evangelist at Centrify.
“An insider threat can be a case of unwitting error, a disgruntled employee, someone within the organization looking to push the boundaries or make a quick buck, or a business partner who compromises security through negligence, misuse, or malicious access. So, what measures can organizations take to minimize their exposure to insider threats?
The answer lies in limiting access and privilege. Many organizations grant too much privilege to their staff, contractors, and partners, where traditional perimeter security will not protect them from an insider accessing critical data. Businesses need to adjust their security strategies to match modern threats, moving away from sloppy password practices and unsecured privileged access and shifting to focus on administrative access controls based on a least privilege approach.
Businesses can take the following steps to address insider threats throughout the month of September and beyond:
- Enforce segregation of duties: Separate duties, especially for sensitive or shared processes and tasks. This ensures that no individual can complete a single task alone. In this context, organizations can, for example, leverage so-called “access zones” to tie the rights a user has to specific resources.
- Establish least privilege: Only give privileged users just enough access to resources, just-in-time to do the job required. Leave zero standing privileges to be exploited.
- Implement access request and approval workflows: Govern privilege elevation with self-service access requests and multi-level approvals, to capture who approved access and the context associated with the request.
- Leverage user and entity behavior analytics based on machine-learning technology to monitor privileged user behaviors: This will help identify abnormal and high-risk activity, and can trigger real-time alerts or removal of privileges to stop threat actors, whether they are internal or external threats.”
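The segregation-of-duties, least-privilege and approval-workflow steps above, modelled together as an added example that is not Centrify's product or the article's own code: a user self-requests access with a justification, two independent approval levels must sign off (self-approval is refused), and the resulting grant is time-bound, so no standing privilege exists before approval or after expiry. The approver roles, one-hour TTL and resource names are assumptions.

```python
# Added example (not Centrify's product or the article's code): a minimal model of
# just-in-time privilege with self-service requests, two-level approval and
# zero standing privileges. Roles, TTL and resource names are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

APPROVERS = {"manager": {"maria"}, "security": {"sam"}}   # two approval levels (assumed)

@dataclass
class Request:
    user: str
    resource: str
    justification: str                                  # context captured with the request
    approvals: dict = field(default_factory=dict)       # level -> approver who signed off
    granted_until: Optional[datetime] = None            # None means no privilege at all

class PrivilegeBroker:
    def __init__(self, ttl=timedelta(hours=1)):
        self.ttl = ttl
        self.requests = []
        self.audit = []                                 # who requested/approved what, when

    def request(self, user, resource, justification, now):
        req = Request(user, resource, justification)
        self.requests.append(req)
        self.audit.append((now, "request", user, resource, justification))
        return req

    def approve(self, req, approver, now):
        if approver == req.user:                        # segregation of duties
            raise PermissionError("self-approval is not allowed")
        for level, members in APPROVERS.items():
            if approver in members and level not in req.approvals:
                req.approvals[level] = approver
                self.audit.append((now, "approve", approver, level, req.resource))
                break
        else:
            raise PermissionError(f"{approver} is not an eligible approver")
        if req.approvals.keys() == APPROVERS.keys():    # every level has signed off
            req.granted_until = now + self.ttl          # time-bound grant, not standing
        return req.granted_until is not None

    def has_access(self, user, resource, now):
        """Access exists only inside an approved, unexpired window."""
        return any(r.user == user and r.resource == resource
                   and r.granted_until is not None and now < r.granted_until
                   for r in self.requests)
```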
Gijsbert Janssen van Doorn is Director of Technical Marketing at Zerto.
“2020 has brought significant changes to the workplace, including the widespread shift to a remote working environment for many companies.
So, it is not surprising that cybercriminals are taking advantage by executing ransomware attacks amidst this pandemic, as many organizations, especially those in healthcare or public sector, face enormous pressures to keep systems up and running. The likelihood of a payout increases with the urgency of the need for patient/customer data to be secure—serving to explain the 72 percent increase in ransomware attacks during COVID-19 and the 50 percent increase in mobile vulnerabilities.
Cybercriminals love to exploit vulnerabilities and individual employees are proving to be particularly vulnerable. These ‘insider threats’ are often unintentional and non-malicious. It’s just employees who unknowingly open phishing emails or click on the wrong ad, etc. When these bad actors get in, they can then wreak havoc on an organization’s critical data and systems, and levy large financial costs and possible damage to your brand.
Protecting against the threat of ransomware requires ensuring employees know how to spot ransomware when they see it, but it also requires rethinking legacy data backup strategies to create a resilient IT for when employees do get fooled. By investing in continuous data protection for continuous availability, organizations can recover data files within seconds, and not worry about paying ransoms.
As the future of work remains uncertain, we anticipate more institutions increasing their cyber resilience through adoption of IT resilience solutions that can quickly and effectively provide an ability to recover after an attack. After all, in this game of cat-and-mouse, it is not a matter of if, but when your organization may be attacked. Once you’ve been compromised, prevention is no longer an option. The best way to respond is to have a solid plan in place, be able to quickly recover your information without paying a ransom, and get your organization up and running as swiftly and painlessly as possible.”
Thanks to our security experts for their time and expertise during Insider Threat Awareness Month 2020. To learn more, check out our Identity Management Buyer’s Guide.