Insider activity—both malicious and simple error—accounts for a growing share of data breaches. Statistics are difficult to come by because requirements for reporting security incidents are not consistent across sectors. But some studies show they account for more than half of those breaches analyzed.
According to the Protenus Breach Barometer for February, a monthly analysis of reported breaches in the healthcare industry, 58 percent were related to insiders. This was divided about evenly between intentional wrongdoing and error. Outside hacking accounted for just 13 percent. The problem is not confined to any single industry. New York State Attorney General Eric T. Schneiderman reported in March that his office received a record number of data breach reports in 2016, nearly 1,300. Employee negligence and wrongdoing were blamed for 37 percent.
Because the insider doesn’t have to penetrate perimeter defenses, these breaches can be difficult to discover. According to the Protenus report, breaches reported in February were on average 478 days old at the time of discovery. In two instances, it was more than five years before breaches were discovered.
Dealing with the insider threat is difficult for any organization. But it is imperative, and you can guard against it with the right tools if know what to look for.
The Weakest Link
Organizations invest substantial resources in procuring, updating and securing the IT enterprise, but the human element is a wild card. “The weakest link for any organization is not its systems, but rather the human factor,” the latest Verizon Data Breach Digest concludes. The challenge of defending against the insider is compounded by the mistakes of well-meaning employees. “It is important to note that these incidents are not always the result of a malicious employee and often stem from carelessness and lack of awareness regarding sound IT protocol.”
Employees are on the network as legitimate users with legitimate credentials and user privileges, generally using the network in the ways that are intended. This can make it easy for a malicious insider to cover his or her tracks, and honest mistakes might not trigger alerts for the security staff.
Defending against this threat requires more than traditional perimeter defenses. Organizations need to be continually aware of who their privileged users are and what they can access, and the privileged accounts and credentials must be managed throughout their lifecycle. In one recently reported incident, a former systems administrator at a healthcare facility was charged with hacking the facility’s systems using administrative credentials that had not been revoked more than two years after he had resigned.
Defending against insider threats requires having visibility into your network and knowing what to look for.
From our experience in securing privileged accounts, we have identified behaviors and anomalies that help companies identify malicious or damaging behavior. In a recent blog we shared 10 commands that are frequently associated with risky behavior. As my colleague notes in the blog, “It’s always worth noting that no two situations are the same, so an action that may be harmless in one situation may create a major security issue in another.” But this list provides a starting point in monitoring your network for suspicious activity.
We also recently announced the latest release of the CyberArk Privileged Account Security Solution with advanced insider threat detection. A new data feed from CyberArk Privileged Session Manager to CyberArk Privileged Threat Analytics lets security teams receive customizable, prioritized alerts about possible high-risk privileged activity. You can watch suspicious sessions in progress and terminate malicious sessions, all from one platform.
Learn more about how CyberArk can help you manage privileged accounts and protect yourself against the growing insider threat.