The Other Insider Threat
October 13, 2016 | Security and Risk | John Worrall
The trusted insider has always been a security risk – whether an executive with access to sensitive information or an administrator on an enterprise network. According to a recent report from the Ponemon Institute, 56 percent of security practitioners surveyed said that company insiders are the primary cause of security breaches and 72 percent were not confident they could control employee access to sensitive information.
We have written recently in our blog about the threat of malicious insiders. But it is not only the malicious you need to worry about – don’t underestimate the threats posed by human error and good intentions.
To err is human
According to IBM, human error was found to be a contributing factor in more than 95 percent of incidents investigated. The most common problems included system misconfiguration, poor patch management, using default settings and weak passwords, lost devices and sending sensitive data to the wrong e-mail address. This data is now two years old, but these examples of errors are still typical today.
Some of these problems are the result of the individual’s poor decision or a slip of the mouse. It could be something as simple as clicking “reply all” on an e-mail. Some, however, are the result of poor policy or poor management. System configurations and patch management should be matters of organizational policy and should be periodically assessed.
We will never rid ourselves completely of mistakes, but there is vast room for improvement.
The path to poor security is paved with good intentions
Most employees are hard-working and want to do a good job. In fact, many go out of their way to do their jobs efficiently, and that can pose a problem. It is not uncommon for employees to install unauthorized wireless access points to make it easier to connect to the network throughout the office. These access points can improve productivity and worker satisfaction, but because they are unknown to and unmanaged by administrators, they also create security holes that attackers can use to gain access.
Studies consistently show that workers also regularly connect remotely to work networks using personal devices – mobile phones, tablets, laptops and home PCs. Too often this is done from unmanaged devices in violation of organizational policy. The workers mean well, but the result can be gaping holes in network defenses.
Workers often see security as a roadblock rather than an enabler. When this happens, they will find ways around policy in order to do their jobs more easily, and in doing so they become insider threats.
The unwitting accomplice
Honest insiders are also targeted by malicious outsiders through social engineering. E-mail phishing (and spear-phishing, which targets high-value individuals) is one of the most common types of social engineering, but examples range from simple phone calls to carefully crafted Web sites hosting malicious content.
Insider threats do not stop with your employees. Contractors, business partners and the links in your supply chain, both upstream and downstream, all present threats that can be used to compromise your network from the inside.
The first line of defense against the well-intentioned insider is awareness and training. All employees should be educated to understand the risks, organizational policies and the reasons for those policies. However, the basic rule in defending against both well-intentioned and malicious insiders is to address the threat, not the individual.
You can find more detailed information on detecting and reducing insider risks in the CyberArk ebook, “The Danger Within: Unmasking Insider Threats.” Addressing the insider threat requires a combination of proactive protection and threat detection including:
- Using least privilege access to limit potential accidental or intentional damage
- Controlling applications to reduce the risk of users becoming exploited
- Telling users that their actions will be monitored to deter unauthorized behavior
- Monitoring user and account activity to detect threats on the inside – be it from malicious or exploited insiders