by Dr. Eric Cole
I’ve been talking about insider threat for nearly 10 years and advocating the position that compromising an insider is a lot easier for an adversary than breaking into an organization from the outside. A study that I recently authored for SANS Institute (co-sponsored by Dtex Systems, Haystax Technology, and Rapid7) illustrates that attention to the problem of insider threat is still well below where it needs to be.
In particular, while 40% of survey respondents rate insider threat as the most damaging threat vector they face, nearly the same percentage (38%) say they don’t have an effective way to detect insider threat, and fewer than 20% don’t have a response plan in place to mitigate damage from an insider incident.
Yet, there are some relatively easy ways to protect the organization from both the malicious insider and the unintentional insider. Here are my top five:
- Control or eliminate email attachments and links – emails are the primary attack vectors in use today, and while the message itself isn’t dangerous, links and attachments are. Today’s security product vendors are offering real-time malware assessment of links and attachments that will quarantine a suspicious attachment or prevent connection to a dangerous link.
- Properly manage and control access to data and critical systems – role-based permission and the principle of least privilege are your friends. Work with your HR team and line of business managers to understand user roles and the types of application and data access they need to do their jobs. Then, assign only that access level, no more.
- Know where your data is – an important corollary to point 2 is knowing where mission-critical and sensitive data resides in the system so that you can lock it down with appropriate permissions. If you don’t know where it is, how can you protect it with the right level of access?
- Monitor employee behavior and look for anomalies – this can occur at many levels, including action monitoring software. It’s not intrusive to look for excessive data dumps or repeated attempts to look at files or directories that are not permitted – it’s good business. But it also makes sense to educate employees to be on the lookout for behavioral changes in their coworkers – what are the signs of financial or emotional distress that could lead to an attack on company systems…or worse.
- Raise security awareness – last but not least is the need for ongoing security awareness training that is an integral part of company culture – not an afterthought or a “checklist” item. A company that partners with employees to ensure security awareness will do better than one that forces compliance or just performs training to check a box.
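To make the monitoring point above concrete, here is an added example (not from the original article or any product it mentions) that flags excessive data reads and repeated attempts on files a user is not permitted to open. The log format, thresholds and user names are assumptions constructed for the illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed audit log: date, user, path, bytes read, access result.
SAMPLE_LOG = """\
2024-05-01 alice /finance/q1.xlsx 120000 ALLOW
2024-05-02 alice /finance/q1.xlsx 90000 ALLOW
2024-05-03 alice /finance/q2.xlsx 110000 ALLOW
2024-05-06 alice /finance/archive.zip 48000000 ALLOW
2024-05-01 bob /eng/design.md 40000 ALLOW
2024-05-02 bob /eng/design.md 35000 ALLOW
2024-05-06 bob /hr/salaries.csv 0 DENY
2024-05-06 bob /legal/contracts 0 DENY
2024-05-06 bob /finance/q1.xlsx 0 DENY
2024-05-06 bob /eng/design.md 42000 ALLOW
"""

def parse(log):
    """Yield (day, user, path, nbytes, allowed) from whitespace-separated lines."""
    for line in log.splitlines():
        day, user, path, nbytes, result = line.split()
        yield day, user, path, int(nbytes), result == "ALLOW"

def flag_anomalies(log, day, volume_factor=10, denied_paths=3):
    """Return {user: [reasons]} for `day`, judged against each user's own history."""
    volume = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes read
    denied = defaultdict(set)                        # user -> denied paths on `day`
    for d, user, path, nbytes, allowed in parse(log):
        if allowed:
            volume[user][d] += nbytes
        elif d == day:
            denied[user].add(path)
    findings = defaultdict(list)
    for user, per_day in volume.items():
        history = [b for d, b in per_day.items() if d < day]
        today = per_day.get(day, 0)
        # Need some history before calling a day unusual; new users are skipped.
        if len(history) >= 2 and today > volume_factor * median(history):
            findings[user].append(f"read {today} bytes, {today / median(history):.0f}x baseline")
    for user, paths in denied.items():
        if len(paths) >= denied_paths:
            findings[user].append(f"denied on {len(paths)} distinct paths")
    return dict(findings)

if __name__ == "__main__":
    for user, reasons in flag_anomalies(SAMPLE_LOG, "2024-05-06").items():
        print(user, "->", "; ".join(reasons))
```

Comparing each user against their own median keeps a heavy but routine reader from drowning out a quiet account that suddenly pulls an archive.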
Finally, getting back to the survey, I’ll leave you with this important point.
It is easy, while evaluating attack vectors, researching competitors and gauging the threat from organized crime or foreign adversaries, to conclude that external attacks should be the primary focus of the defense. This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage. Evaluating threats from that perspective, it becomes obvious that although most attacks might come from outside the organization, the most serious damage is done with help from the inside.
About the Author
Dr. Eric Cole is CEO of Secure Anchor, former CTO of McAfee and Lockheed Martin, member of the Commission on Cyber Security for President Obama, the security advisor for Bill Gates and his family, and author of a new book, Online Danger: How to Protect Yourself and Your Loved Ones From the Evil Side of the Internet. For more information, please visit www.onlinedanger.com and connect with Dr. Cole on Twitter, @drericcole.