Insider threats comprise some of the most challenging cybersecurity terrain for businesses. Insider threats generally fall into one of two “buckets.”
There’s the well-meaning but negligent employee who leaves an unsecured laptop on the train, opens a WiFi hotspot in the break room, or gets duped by a socially engineered phishing email. These well-meaning but costly incidents make up about 62 percent of insider incidents, according to a 2020 report from the Ponemon Institute.
Twenty-three percent of insider cybersecurity issues, on the other hand, are malicious. Whether the breach is intentional or ham-handed, the result is often the same: lost money, lost trust, and tarnished reputations.
Smarter MSP caught up with Dr. Doug Rausch, the director of cybersecurity at Bellevue University in Nebraska, to glean his insights into containing, contextualizing, and identifying insider threats. Rausch has spent 30 years working in defense and commercial cybersecurity, so his vantage point covers multiple angles.
Rare but effective
While insider incidents are rarer than outside attacks, Rausch says they are often the most costly and the most difficult to catch. As such, when performing a risk analysis of an organization, employee behavior and credentials must be scrutinized. The Ponemon Institute report puts the per-incident cost of a malicious insider at $755,760, behind only credential theft.
“Generally, a malicious insider is a relatively low probability, but the impact is so incredibly high, and that is why it concerns us,” Rausch emphasizes. That insider could be a system administrator or someone else who has all the elevated credentials.
“They are the individual who won’t stand out in terms of activity because they are using account access they have been given. That is the one we are most concerned about,” Rausch says.
While no industry is immune, Rausch says healthcare and manufacturing are most at risk. Banks and brokerages, Rausch advises, have been leading the way in creating solid cybersecurity programs, but there is real money to be made by attackers peddling PHI, patents, and other intellectual property on the dark web.
Sometimes the most significant threats are hybrid threats, in which an insider pairs up with an outsider. Organized crime can be adept at identifying insiders who have the incentive and desire to cause trouble but not the know-how.
“Someone inside the organization may have access without the knowledge, tools, or market to sell the data, but organized crime can team up and provide the necessary tools,” Rausch states.
The big driver behind any cybercrime, Rausch continues, is financial gain. In an era when data is as good as currency, hackers will view any organization as a veritable bank.
The role of COVID
COVID has played a role in almost everything over the past year, including driving insider threats, whether malicious or accidental.
“What has happened with COVID is that all of the organizations had to shift their footing rapidly,” Rausch says, and this resulted in ad hoc, perhaps not thoroughly thought-out systems.
“You have essentially elevated the privileges of a lot of individuals just to get their job done, and that is a huge problem,” Rausch stresses. He adds that home users often connect over a VPN from their own machine back to the company and use the company’s gateway to do business, creating an additional vector for attackers to exploit.
“Businesses have to look at how you are going to roll some of this back,” Rausch advises, which will include implementing what he calls back-to-basics “Security 101.” Part of that involves examining privileges.
“You really do have to take a hard look at your workforce and determine who needs to have access to do what, and it is not the easiest thing in the world,” Rausch points out, adding that the bottom line is that remote work is here to stay and we have to find a way to get the remote workforce as well-secured as when workers were inside corporate headquarters.
“That has got to be done,” Rausch says. He adds that we’ll see a lot more implementation of zero trust systems, which is easy in concept but more challenging in practice.
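The privilege review Rausch describes, “who needs to have access to do what,” has a mechanical first pass: compare what was granted against what was actually exercised. The script below is an added example, not code from the article or from Rausch; it assumes a simple grant list and a log line format of the form `timestamp user privilege`, and its users, privileges, dates and the “emergency window” of March and April 2020 are all constructed for illustration. It flags grants that have gone unused for longer than a threshold and grants handed out during the rushed shift to remote work, which are the two populations most worth rolling back first.

```python
from datetime import date, datetime

# Constructed sample data (not from the article): privileges handed out,
# several of them during the rush to remote work, and an access log of
# which privileges were actually exercised afterwards.
GRANTS = [
    # (user, privilege, date granted)
    ("alice", "finance-db-admin", "2020-03-20"),
    ("alice", "vpn-full-tunnel",  "2020-03-18"),
    ("bob",   "domain-admin",     "2019-01-10"),
    ("bob",   "vpn-full-tunnel",  "2020-03-18"),
    ("carol", "hr-records-write", "2020-03-25"),
]

ACCESS_LOG = """\
2020-09-01T09:12:03Z alice vpn-full-tunnel
2020-09-02T14:40:11Z bob domain-admin
2020-09-03T08:01:44Z alice vpn-full-tunnel
2020-09-10T17:22:09Z bob vpn-full-tunnel
2020-09-14T10:05:30Z carol hr-records-write
2020-04-02T11:00:00Z alice finance-db-admin
"""


def parse_log(text):
    """Return {(user, privilege): date of most recent use} from 'ts user privilege' lines."""
    last_use = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, priv = line.split()
        used = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        key = (user, priv)
        if key not in last_use or used > last_use[key]:
            last_use[key] = used
    return last_use


def review_grants(grants, log_text, as_of, idle_days=90,
                  emergency_start="2020-03-15", emergency_end="2020-04-30"):
    """Return (user, privilege, reasons) for every grant that is a rollback candidate.

    A grant is a candidate if it was never used, if it has been idle longer than
    idle_days as of `as_of`, or if it was issued inside the emergency window
    (assumed dates; adjust to when your organization did its ad hoc provisioning).
    """
    as_of = date.fromisoformat(as_of)
    win_start = date.fromisoformat(emergency_start)
    win_end = date.fromisoformat(emergency_end)
    last_use = parse_log(log_text)
    findings = []
    for user, priv, granted in grants:
        granted_on = date.fromisoformat(granted)
        reasons = []
        used = last_use.get((user, priv))
        if used is None:
            reasons.append("never used in log window")
        elif (as_of - used).days > idle_days:
            reasons.append(f"unused for {(as_of - used).days} days")
        if win_start <= granted_on <= win_end:
            reasons.append("granted during emergency remote-work window")
        if reasons:
            findings.append((user, priv, reasons))
    return findings


if __name__ == "__main__":
    for user, priv, reasons in review_grants(GRANTS, ACCESS_LOG, "2020-09-30"):
        print(f"{user:6} {priv:18} {'; '.join(reasons)}")
```

Run against the constructed data as of 2020-09-30, the script leaves `bob`’s long-standing and actively used domain-admin grant alone, and surfaces `alice`’s finance-db-admin grant as both idle for 181 days and issued during the emergency window, which is the kind of grant that should be revoked and re-requested through the normal process rather than left in place.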
Another avenue MSPs, CISOs, and other security stakeholders need to explore is investing some time and resources in behavioral analytics to combat insider incidents.
“This is an aspect that I would be putting a focus on,” Rausch states. Is an employee suddenly spending a lot of time online late at night? Downloading a lot of files? Exploring company bank accounts?
The key is that all of these may also involve legitimate work, so Rausch advises creating a proper usage and behavioral profile to flag actions that might be out of the norm. Without a baseline to go by, there’s nothing to “catch.” So there is some considerable prep work that has to be done before launching an analytics program.
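Rausch’s point that there is nothing to “catch” without a baseline is easiest to see in code. The example below is added here and is not from the article or from Rausch; the telemetry lines, users, dates and the alert thresholds are all constructed for illustration, and the log format (`timestamp user action`) is assumed. It builds a per-user profile from a training window (the hours of the day each user is normally active, the actions they normally perform, and the mean and spread of their daily download count) and then scores a later day against that profile, producing the three kinds of flag the paragraph above lists: late-night activity, a burst of downloads, and a resource the user has never touched before.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry (not real data): one event per line,
# "timestamp user action". The baseline window is a normal working week.
BASELINE_LOG = """\
2021-03-01T09:05:00Z dave download
2021-03-01T10:15:00Z dave download
2021-03-01T16:40:00Z dave download
2021-03-02T09:30:00Z dave download
2021-03-02T11:00:00Z dave download
2021-03-03T14:10:00Z dave download
2021-03-03T15:45:00Z dave download
2021-03-04T09:50:00Z dave download
2021-03-04T13:20:00Z dave download
2021-03-04T17:05:00Z dave download
2021-03-05T10:25:00Z dave download
2021-03-05T12:35:00Z dave download
2021-03-01T08:55:00Z erin download
2021-03-02T09:10:00Z erin download
2021-03-03T09:40:00Z erin download
2021-03-04T10:05:00Z erin download
2021-03-05T09:20:00Z erin download
"""

# Constructed day to score: dave pulls files late at night and opens a
# finance portal he has never used; erin behaves as usual.
OBSERVED_LOG = """\
2021-03-08T09:15:00Z dave download
2021-03-08T23:40:00Z dave download
2021-03-08T23:42:00Z dave download
2021-03-08T23:45:00Z dave download
2021-03-08T23:47:00Z dave download
2021-03-08T23:50:00Z dave finance-portal
2021-03-08T09:30:00Z erin download
"""


def parse_events(text):
    """Yield (datetime, user, action) from 'ts user action' lines, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action))
    return events


def build_baseline(text):
    """Per user: hours of day seen, actions seen, and a daily download threshold."""
    hours = defaultdict(set)
    actions = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> downloads
    for ts, user, action in parse_events(text):
        hours[user].add(ts.hour)
        actions[user].add(action)
        if action == "download":
            daily[user][ts.date()] += 1
    baseline = {}
    for user in hours:
        counts = list(daily[user].values()) or [0]
        m, sd = mean(counts), pstdev(counts)
        # Three standard deviations above the mean, with a floor of one file so a
        # zero-variance baseline (assumed tuning) does not alert on any change at all.
        baseline[user] = {"hours": hours[user], "actions": actions[user],
                          "mean": m, "threshold": m + max(3 * sd, 1.0)}
    return baseline


def score(baseline, text):
    """Return (user, kind, detail) alerts for events that fall outside the profile."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, action in parse_events(text):
        prof = baseline.get(user)
        if prof is None:
            alerts.append((user, "no-baseline", ts.isoformat()))
            continue
        if ts.hour not in prof["hours"]:
            alerts.append((user, "off-hours", ts.isoformat()))
        if action not in prof["actions"]:
            alerts.append((user, "new-action", action))
        if action == "download":
            daily[user][ts.date()] += 1
    for user, days in daily.items():
        for day, n in sorted(days.items()):
            if n > baseline[user]["threshold"]:
                alerts.append((user, "volume",
                               f"{day}: {n} downloads vs baseline mean {baseline[user]['mean']:.1f}"))
    return alerts


if __name__ == "__main__":
    for alert in score(build_baseline(BASELINE_LOG), OBSERVED_LOG):
        print(alert)
```

The same five late-night downloads would be invisible to a rule that only looked at the observed day, because nothing about “five downloads at 23:40” is suspicious on its own; they only stand out because the baseline says this user works between 9 and 5 and pulls two or three files a day. That is the prep work Rausch refers to: a real deployment would need weeks of clean history per user, per-role rather than per-user profiles for new hires, and a review step so that legitimate work (a quarter-end close, an on-call night) is recorded as such rather than treated as an incident.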
Another aspect of post-pandemic cybersecurity, Rausch says, is perhaps doing away with some previously one-person tasks altogether. Rausch compares it to a time in earlier eras when businesses required two signatures on paper checks.
“Some positions you have to look at, and maybe it can’t be a single individual anymore,” Rausch suggests. Businesses could implement requirements that mandate two employees be present to access certain information or financial systems.
All of this has to be done against the backdrop of trust. No one wants to work in an atmosphere of distrust where everyone feels like everyone is watching everyone else. Nor, Rausch says, do you want so many extra controls that employees can’t do their jobs.
It’s a continuous balancing act that promises only to get more challenging as COVID recedes.
Photo: Natwick / Shutterstock