The insidious insider threat

Data breaches are problematic, and many businesses, corporations, and organizations work diligently to protect their confidential information from outside threats.

But insiders may pose a more serious threat that these institutions aren’t prepared to handle. What kind of threat are we talking about? Well, to be clear, there are two main categories: accidental or malicious.

How can you tell the difference? You probably can’t. An accidental or malicious insider can be a co-worker, an executive, or a third-party infiltrator.

Here’s how this shakes out and how to protect sensitive information.

Accidental

Negligent insiders, all the way up to senior management, can pose a serious threat to exposing confidential information. Not because they intend to, but because they have access to sensitive data and don’t use security protocols effectively. Or, as Mike Walstrom, vice president of information services and CISO at Capella University says, “The most common insider threats stem from a lack of vigilance against third parties, inadvertent exposure of personal information to unintended parties, and unauthorized use of confidential company information. The approach used most often to gain access is through phishing emails designed to gain credentials or encourage financial transactions by masquerading as an internal person or trusted third party.”

Accidental insider threats also include:

• Sending unencrypted information by email
• Sending confidential information to personal email
• Not changing passwords regularly
• Opening phishing emails
• Clicking on a link in a spam email
• Sending sensitive files to the wrong person
• Bringing an infected or unapproved device to the office

This is just the short list, but probably the most common.

Malicious

Malice, a less common threat, comes from employees or ex-employees with a grudge, or insiders who align with third parties for personal or financial gain. These individuals may take advantage of their access to steal confidential company intellectual property; nonpublic, forward-looking financial details; strategic plans; or personal consumer information (such as credit card numbers) with the goal of using the information for a future position or to profit from insider trading. Other malicious insiders, especially in IT groups, may use privileged access to disrupt systems or cause other harm.

Prepare and protect

The best way to mitigate inadvertent and malicious insider threats is with a multilayered approach, according to Walstrom. For inadvertent threats, he says, social engineering efforts pose the biggest risk. Tools such as spam blockers, URL filtering and rewriting, DNS redirection, and malware prevention and activity detection at the client and network levels can minimize the impact of these threats. It’s also important to have a program to educate end users to detect social engineering efforts and increase vigilance and skepticism. “Configurations of systems need to be well-hardened network defenses to minimize exposure and maximize detection of attackers’ tools,” he says. “Patch vulnerabilities promptly or mitigate through layered protection.”

In the case of malicious insiders, it’s important to monitor access to external systems where data may be exfiltrated. Walstrom recommends segregating duties to ensure that individuals have oversight or review of actions, and manage privileged access so that no single person holds all the controls for key systems or data. “It’s important to be aware of employee concerns, and handle employee performance issues effectively,” he says.

“With any program,” Walstrom adds, “it’s also essential to recognize that these defenses can fail.” He suggests preparing an “effective and swift companywide response to minimize the impact of a mistake or successful attack and allow for iterative improvement of defense ad detection.”