What exactly is an insider threat? Concerns about this particular risk vector have risen throughout this decade, especially as the cost of data breaches has surged over the same period. According to figures from the Ponemon Institute and IBM, the average cost of such an incident is now between $3.8 and $4 million per enterprise.
Insider Threats and Data Breaches
A separate study, the “2015 Vormetric Insider Threat Report,” identified how insiders in particular can precipitate these costly breaches:
- Eighty-nine percent of respondents reported being concerned about their vulnerabilities to insider threats.
- More than 90 percent stated that they would either maintain or increase their security spending in the coming year to guard against these risks and others.
- Privileged users (cited by 55 percent) were seen as by far the biggest insider risk category, followed by contractors and service providers and finally business partners.
In the real world, an insider, whether acting deliberately or accidentally, could harm an enterprise in several ways. The possibilities include the theft and exfiltration of sensitive data, the “orphaning” of privileged accounts that were never properly deprovisioned, the loss (or absence) of proper authentication credentials and the growing phenomenon of “shadow IT.” IBM has projected that this mix of malicious and accidental behaviors was behind 60 percent of the attacks it documented in 2015.
Let’s break each of these actions down in a bit more detail to see the levels of risk enterprises can expect from insider threats:
Accenture estimated in early 2016 that over two-thirds of all companies see data theft due to insiders, compared to only 57 percent that had experienced the same at the hands of external actors. How does such theft actually occur, though?
Start with employee access to databases, file servers and cloud computing environments, as well as everyday tools such as email. Without monitoring solutions in place, it is often easy for someone to paste privileged content into a message and send it outside the organization.
Similarly, the spread of cloud applications has made it easier than ever to transmit information to external infrastructures. Cloud servers may be managed by third parties, grant access to other applications and be located in countries with strict rules about data sovereignty and interception.
Shadow IT is simply the term for the use of applications (usually cloud-based ones) without the approval of the IT department. Anything from a social network to a document collaboration tool could conceivably fit the bill. Shadow IT may be up to 10 times the size of known cloud usage, according to Netskope.
It can be challenging to deal with shadow IT, since it may be done in secret and may also arise from organizational conflicts between IT and line-of-business personnel. Your IT team may not be able to implement and enforce the tight access controls that have been applied to approved applications.
When someone leaves an organization, his or her account should be quickly deactivated. This helps avoid data theft on the way out by disgruntled individuals and also greatly reduces your risk of exposure.
Administrator accounts in particular require prompt attention. Credentials are sometimes shared between administrators, so deprovisioning and password changes are essential to protecting the sensitive data and functions that admins can easily reach.
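One way to operationalize the offboarding advice above, as an added example that is not part of the original article: a Python check that reconciles an identity-directory export against HR leaver records and lists still-enabled accounts whose owner has left, that have no owner on record, or that are dormant, with privileged accounts first. The record fields and all sample data are constructed assumptions.

```python
"""Orphaned-account check: reconcile a directory export against HR leaver
records. Added example, not from the original article; all records below
are constructed and the field names are assumptions."""
from datetime import date

AS_OF = date(2016, 6, 30)  # the day the check is run (constructed)

# Constructed HR records: employee id -> termination date (None = still employed)
HR_RECORDS = {"e100": None, "e101": date(2016, 3, 1), "e102": date(2016, 6, 20)}

# Constructed directory export; 'owner' ties an account to an employee id.
# Shared admin and service accounts often have no owner at all.
DIRECTORY_ACCOUNTS = [
    {"user": "alice", "owner": "e100", "enabled": True, "privileged": False, "last_login": date(2016, 6, 28)},
    {"user": "bob", "owner": "e101", "enabled": True, "privileged": True, "last_login": date(2016, 2, 27)},
    {"user": "carol", "owner": "e102", "enabled": True, "privileged": False, "last_login": date(2016, 6, 19)},
    {"user": "dave", "owner": "e102", "enabled": False, "privileged": True, "last_login": date(2016, 6, 1)},
    {"user": "svc-backup", "owner": None, "enabled": True, "privileged": True, "last_login": date(2015, 11, 2)},
]


def find_orphaned_accounts(accounts, hr, today, grace_days=1, stale_days=90):
    """Flag enabled accounts that should have been deprovisioned or reviewed.

    Reasons recorded per account: owner left more than `grace_days` ago
    (orphaned leaver account), no owner on record (unowned shared/service
    account), or no login for more than `stale_days` (dormant, a sign of a
    missed offboarding). Privileged accounts are listed first.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deactivated, nothing to do
        reasons = []
        owner = acct["owner"]
        if owner is None or owner not in hr:
            reasons.append("no owner on record")
        elif hr[owner] is not None and (today - hr[owner]).days > grace_days:
            reasons.append(f"owner left {(today - hr[owner]).days} days ago")
        if (today - acct["last_login"]).days > stale_days:
            reasons.append("dormant")
        if reasons:
            findings.append({"user": acct["user"], "privileged": acct["privileged"], "reasons": reasons})
    findings.sort(key=lambda f: (not f["privileged"], f["user"]))
    return findings


if __name__ == "__main__":
    for f in find_orphaned_accounts(DIRECTORY_ACCOUNTS, HR_RECORDS, AS_OF):
        tag = "ADMIN" if f["privileged"] else "user "
        print(f"{tag} {f['user']}: {'; '.join(f['reasons'])}")
```

In practice the two inputs would come from the HR system and the directory (for example an LDAP or cloud IdP export) rather than from inline constants.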
If there is one thread that runs through all of these insider threat pitfalls, it is the set of problems created by improper or compromised authentication measures. The Verizon 2016 Data Breach Investigations Report revealed that 63 percent of the breaches it investigated involved weak, default or stolen passwords.
Moreover, the lack of specific mechanisms such as two-factor authentication (2FA) as well as general identity context means that it is in too many cases relatively easy for someone to gain unauthorized access. Once that is accomplished, data can be stolen and exfiltrated from the organization.
What Are the Best Solutions to Insider Threats?
Minimizing the impact of insider threats requires a modern identity-based security framework that can automatically adapt and respond to the numerous risks created by insiders. At the same time, an effective solution must not interfere with normal user behavior and must preserve the functionality of important backend applications.
There is also the issue of having to secure a growing number of domains – cloud and mobile, in addition to physical and logical. Effective authentication in all of these areas can dramatically reduce the privilege abuse, unauthorized logins and data exfiltration that are all hallmarks of the insider threat.
There are many useful options here. Possibilities include one-time passwords as well as smartcards that produce PKI-based digital signatures. Authentication solutions can also be extended to your SaaS platforms and VPNs.
Regardless of the particular technology that ends up being right for your organization, strengthening your identity ecosystem with context and additional factors is a powerful defense against insider threats. This category of risk is not going away anytime soon, which makes it important to have a strategy beyond just using complex passwords or banning entire classes of applications.