image sourceOffice of War Information. "Listen! The enemy may be talking. Don't talk! The enemy may be listening.." 15 September 1945. U.S. National Archives and Records.

Minimize the Security Risk of Insider Threats to Your Business

February 22, 2012

Insider threats aren't new.

Talking about technology security risks in your business may conjure up thoughts of perimeter security for your server to protect it from outside attack. While that’s certainly part of any good security plan, focusing too much on outside threats may leave your business vulnerable to another pervasive problem: insider threats.

Your business technology is most vulnerable when it’s accessed by the very people you want (and need) to work with it. According to a 2010 Verizon security report, 85% of the data breaches involving insiders were by regular employees and end-users. The report contains this sobering anecdote about a U.S. bank:

The intruders started by stealing legitimate credentials to the bank’s ACH wire transfer portal belonging to three separate internal employees, who all received an e-mail from the “FDIC” on a Friday afternoon. The employees noted that the attached PDF file wouldn’t open correctly. The following Monday, several million dollars were wired out of the bank using the three employees’ access credentials.

Insider threats are real. What can your business do to protect against them?

User Roles & Permissions

Review how much access you grant basic employees. Is the default to grant them permission to information and/or systems they rarely need or use? That’s a security risk, and not just of the Wikileaks-type variety. If an employee’s password is compromised, the amount of access that password provides could make all the difference in how much your business IT may be attacked. As an article on SC Magazine explained,

It’s not just malicious malcontents intent on destroying the system who can cause havoc, but also the negligent, misinformed and downright nosey who can compromise sensitive data. In most situations it’s more often than not the case that such people have way too much privilege access – admin rights on the desktop, root password on server – for the role they are required to play.

According to the same Verizon report, inside attacks often involve “payment card data, bank account numbers, and personal information.” That’s bad new for your customers, and a public relations nightmare to boot. Here are some tips for monitoring user permissions:

  • Knows who has access to the most sensitive information, and monitor how that data is used.
  • Make sure your technology has safe guards in place against excessive access to secure systems.
  • Keep permissions up-to-date with the latest personnel changes.

No Phishing

As explained in our earlier posts on malware, phishing is a huge problem. Scammers may pose as your own business security team, and they’re not just using email. Social media and mobile apps are becoming infected. A user action as seemingly benign as accessing a public wireless network with a company device may open your business up to attack.

These attacks have only grown more sophisticated in recent years, with the spread of so-called “spear phishing,” in which an individual is specifically targeted. Spear phishers trawl the web for information an employee has freely given out (such as through a social media account), then craft a legitimate appearing message to send to that person. The message may claim to be from the individual’s bank, employer, or even the government, and may lead to a website that mimics the entity’s login screen.

Protecting your employees from phishing is difficult, but not impossible. It involves a combination of user education and awareness, and security measures in place to limit access to high-risk web areas. It’s important for your plan to be two-fold because simply locking technology down may no help if there’s not employee buy in (ZDNet).

International Information Systems Security Certification Consortium (ISC²) executive director Hord Tipton has this advice on how to raise security awareness in your users:

... use real examples, especially from high profile cases, such as the RSA breach. In that case, four employees were targeted with an email attachment purporting to be a recruitment spreadsheet. Show people what they are up against and do it once a month, not once a year.

Conclusion

With insider threats, as with all security risks, the important thing is to be aware of the problem and have a plan to address it. Your business may wish to have a company perform an outside audit to determine where you’re vulnerable and what you problems you need to address. We at Cii Technical Services would be glad to help on that front.

To test your knowledge of the issue, and learn more about the facts surrounding it, try taking Network World’s Security quiz.