After reading my previous post, you may think that greedy/evil/incompetent co-workers are a few steps away from causing data-breach related havoc. And that feeling in the pit of your stomach is the realisation that it might be your own actions (or indeed lack thereof) may have played a part.
When it comes to insider threat, we have to acknowledge that we all sit somewhere along the spectrum. Not only that, but the more senior we are and the more we are trusted with secrets, the greater the threat we are. Compromising a CEO is likely to prove much more valuable than compromising an entry-level administrator with little to no access or authority.
For a business to run at all, let alone effectively, people need access to systems and data. People must be authorised to make decisions. So how can you manage that trust, and what safeguards must you put in place?
First the people things:
- Make it known that you take insider threats seriously by making it part of regular cybersecurity awareness training. Lead by example and avoid blame tactics. Acknowledge that everyone is inherently a risk but with awareness and training the threat can be mitigated.
- Disgruntled employees are a threat, so look after employee mental health and wellbeing. 2020 has created chaos in people’s lives, and desperate times can cause people to make careless decisions that can lead to careless actions. If an employee values what they can steal from you more than they value their relationship with the organisation, they make take advantage of that.
- Review your policies, role profiles and procedures for granting and revoking access and do this regularly. Managers must know who they are giving access to and why, how and when to change it, and who to tell when people leave or change roles. It goes without question that you need to get it all in writing. I mean, if nothing else, it is a CYA move.
Then there are the IT things:
- Audit every user and their account. Confirm whether each user’s access is appropriate, especially when they have privileged or admin access. People should not use shared accounts to access sensitive resources unless those instances are recorded.
- Log, monitor and audit user actions, especially security events and actions by admin users. Logs should be stored in an non-“tamperable” format. Very importantly, they should be independently and regularly audited and not by people whose actions are being logged.
- Take steps to prevent data leakage. From banning USB storage devices through group policy to full blown Data Loss Prevention systems, you can make it more difficult for people to steal data and you set up an environment that makes it more obvious when they try.
- Monitor and control all remote access including mobile devices. You need to know about out of hours or inappropriate access, or multiple logons from different locations. Regularly review whether employees still do need remote access, especially now when people move from home working to office based and vice versa.
Lastly, because you should never be marking your own homework, speak to independent experts who can examine your security controls and configurations. TBG Security have developed their own methodology for identifying opportunities by which insiders can take advantage of lax security controls. A security engineer would be onboarded into your organisation as a “standard user” and make every effort to exfiltrate data and escalate their given privileges. You can read more about it here.
If maybe you’ve stumbled across information that you really shouldn’t be allowed to see, or discovered a button you can click that you’re pretty sure would cause havoc. Or if at some point you’ve realised that no one told IT about the person who left 6 months ago and still has a laptop and VPN access. Then you should get in touch with TBG Security asap.