The Lapsus$ group has been in the headlines recently for recruiting insiders to provide external access to steal sensitive data and execute ransomware. This is a new and growing trend organizations need to protect against. Security programs need to evolve to detect both internal and external threats as being part of the same attack campaign. Gurucul offers a flexible Insider Threat and Security Operations platform that determines compromised access privileges leveraged by threat actors.
98% of Companies are Vulnerable to Insider Threats
Yes, you read that right. The Cybersecurity Insiders 2021 Insider Threat Survey Report found that most organizations are not confident in their ability to prevent a malicious insider attack or insider security breach. In fact, 31% of respondents can only detect insider threats after the data has left the organization.
Insider threats are the biggest cybersecurity problem for companies because they can cause the most damage. Insiders have access to confidential company information, passwords to programs and tools, and know how your organization functions. When hiring a new employee, you want to hire someone with integrity because they will have access to all these assets. But in a world where a company’s secrets can be in the hands of a competitor with the click of a download, integrity is not enough.
How Strong is Your Insider Threat Program?
Think of your insider threat program like the foundation of a house. You can have a beautiful exterior but if the interior is lacking a sturdy frame and foundation, then it will fall apart. Your employees make up the foundation of your company. Now, if one bolt comes loose, chances are the house won’t fall apart. But if we ignore it long enough, the bolt will eventually fall out, thus weakening the foundation. What does your security program look like on the inside? What steps are you taking to mitigate any weak links or potential cyber risks?
Privileged access is called “privileged” for a reason. So, what was this disgruntled ex-employee at Tesla doing with the access to make code changes to the manufacturing operating system? For a company as forward-thinking and progressive as Tesla, the 2018 data breach was shocking. Who knew a company as strong and successful as Tesla could have such a weak insider threat program?
Indicators Your Company is at Risk for an Insider Attack
1) Everyone has administrative privileges or access to information they do not need
Your sales representatives don’t need access to the data visualization tools or programming files used by your data scientists. In addition, your marketing department doesn’t need access to company financial records. Identify the most critical documents and assets at your company and take the steps necessary to add extra security authentication.
2) You’re not monitoring user and entity behavior in real time
A strong User and Entity Behavior Analytics (UEBA) platform uses machine learning to detect risky behavior anomalies. For example, if someone who logs in Monday through Friday at 9 AM suddenly logs in on Saturday night at 10 PM, an alert is raised. Behavior for devices and users is captured over time, and anything that deviates from that baseline is flagged as unusual. Taking peer group analytics into consideration further determines whether this unusual behavior is not just anomalous but also risky. Finding an insider attack after the fact is not helpful. Detecting and preventing insider threats before data exfiltration is key.
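The two-stage logic described above, a per-user baseline followed by a peer-group check, can be shown on constructed login records. The following is an added example, not Gurucul's code or the output of any UEBA product; the sample logins, the peer groups, and the score values (0, 30, 80) are assumptions chosen for illustration. A login that falls outside the user's own baseline but matches what the peer group does scores lower than one that is unusual for both.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login records (not real telemetry): "timestamp,user,peer_group".
BASELINE_LOGINS = [
    "2024-01-08T09:02,alice,sales",
    "2024-01-09T08:58,alice,sales",
    "2024-01-10T09:05,alice,sales",
    "2024-01-08T09:10,bob,sales",
    "2024-01-09T09:01,bob,sales",
    "2024-01-08T09:00,carol,engineering",
    "2024-01-08T22:15,carol,engineering",   # carol routinely works Monday nights
    "2024-01-08T09:07,dave,engineering",
    "2024-01-09T09:03,dave,engineering",
]

# Constructed logins to score against that baseline.
NEW_LOGINS = [
    "2024-01-16T09:30,alice,sales",        # Tuesday morning: normal for alice
    "2024-01-13T22:00,alice,sales",        # Saturday night: unusual for alice and her peers
    "2024-01-15T22:30,dave,engineering",   # Monday night: unusual for dave, common in his group
]


def parse_logins(lines):
    """Turn the CSV-style records into (user, group, datetime) tuples."""
    events = []
    for line in lines:
        ts, user, group = line.split(",")
        events.append((user, group, datetime.strptime(ts, "%Y-%m-%dT%H:%M")))
    return events


def build_baselines(events):
    """Per-user and per-peer-group sets of observed (weekday, hour) login slots."""
    user_slots = defaultdict(set)
    group_slots = defaultdict(set)
    for user, group, dt in events:
        slot = (dt.weekday(), dt.hour)
        user_slots[user].add(slot)
        group_slots[group].add(slot)
    return user_slots, group_slots


def _near_baseline(slot, slots, tolerance_hours=1):
    """True if the slot is on a baseline weekday within tolerance of a baseline hour."""
    weekday, hour = slot
    return any(d == weekday and abs(h - hour) <= tolerance_hours for d, h in slots)


def score_login(user, group, dt, user_slots, group_slots):
    """Assumed risk scale: 0 = within the user's own baseline, 30 = unusual for
    the user but normal for the peer group, 80 = unusual for both."""
    slot = (dt.weekday(), dt.hour)
    if _near_baseline(slot, user_slots.get(user, set())):
        return 0, "within user baseline"
    if _near_baseline(slot, group_slots.get(group, set())):
        return 30, "anomalous for user but normal for peer group"
    return 80, "anomalous for user and peer group"


def detect(baseline_lines, new_lines, threshold=50):
    """Return (user, timestamp, score, reason) for logins at or above threshold."""
    user_slots, group_slots = build_baselines(parse_logins(baseline_lines))
    alerts = []
    for user, group, dt in parse_logins(new_lines):
        score, reason = score_login(user, group, dt, user_slots, group_slots)
        if score >= threshold:
            alerts.append((user, dt.isoformat(timespec="minutes"), score, reason))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOGINS, NEW_LOGINS):
        print(alert)
```

With the default threshold only alice's Saturday-night login is alerted; dave's Monday-night login is anomalous for him but matches his engineering peers, so it scores 30 and stays below the threshold. A real UEBA baseline would use far more signals than weekday and hour, but the ordering of the two checks is the point.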
3) You have no system in place for handling disgruntled, laid-off, and/or terminated employees
Your Human Resources department should have a plan in place for handling employee terminations, layoffs, and behavioral issues. For example, suppose a former employee who was laid off is airing his grievances on the company’s social media channels. It’s exhausting, and the comments are inappropriate. A non-disparagement agreement protects your company from the publication of derogatory and false statements. Similarly, a process for handling terminated or disciplined employees, such as removing privileged access upon the first written warning, limits the opportunity for risky behavior.
4) Employees don’t have insider threat awareness training
Above all, train employees to understand and report risky insider behavior. Is your coworker seeking access to proprietary or classified information on topics unrelated to their job duties? Is someone removing company or customer data from the premises for unauthorized reasons? Teach your employees that if they see something, say something.
5) You are not considering the third-party insider threat
Imagine you have a third-party vendor helping you write technical content about your products. They work remotely and collaborate on projects with your internal team by accessing the main marketing folder in the cloud. Out of the 12 sub-folders, one contains the company’s annual marketing report for the previous year. The only sub-folder the vendor needs to access is the one titled “Technical Writing Content”, yet they have access to them all. Your marketing results can be downloaded and traded with a competitor with the click of a button. Prevent third-party data breaches by implementing a plan to limit the amount of information contractors and third parties can access.
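Indicators 1 and 5 are both about access that exceeds what a role needs, and the quickest way to find it is an entitlement review: expand each grant over the resource inventory, subtract what the role actually requires, and report the rest, with third-party principals ranked first. The following is an added example, not Gurucul's code or any product's output; the folder inventory, the role definitions, and the grants (including the wildcard `marketing/*` that gives the vendor every sub-folder) are constructed to mirror the scenario above. It goes slightly beyond the text by handling wildcard grants, which is how many file shares and IAM policies are actually written.

```python
from collections import defaultdict
from fnmatch import fnmatch

# Constructed resource inventory (a few of the marketing sub-folders plus some others).
RESOURCES = [
    "marketing/technical-writing",
    "marketing/annual-report-2023",
    "marketing/campaign-budgets",
    "marketing/press-kit",
    "finance/ledger",
    "engineering/notebooks",
]

# Constructed role definitions: the resources each role needs to do its job.
ROLE_NEEDS = {
    "tech-writer-contractor": {"marketing/technical-writing"},
    "marketing-analyst": {
        "marketing/technical-writing",
        "marketing/annual-report-2023",
        "marketing/campaign-budgets",
        "marketing/press-kit",
    },
    "sales-rep": set(),
}
THIRD_PARTY_ROLES = {"tech-writer-contractor"}

# Constructed grants as (principal, role, pattern). Patterns use shell-style
# wildcards, so "marketing/*" is the "access to them all" case from the text.
GRANTS = [
    ("vendor-writer", "tech-writer-contractor", "marketing/*"),
    ("maya", "marketing-analyst", "marketing/*"),
    ("sam", "sales-rep", "engineering/notebooks"),
    ("sam", "sales-rep", "finance/ledger"),
]


def expand(pattern, resources):
    """Resolve one grant pattern to the concrete resources it covers."""
    return {r for r in resources if fnmatch(r, pattern)}


def review_grants(grants, role_needs, resources, third_party_roles=frozenset()):
    """Return {principal: {"role", "excess", "third_party"}} for every principal
    whose effective access exceeds what their role needs."""
    effective = defaultdict(set)
    role_of = {}
    for principal, role, pattern in grants:
        effective[principal] |= expand(pattern, resources)
        role_of[principal] = role
    findings = {}
    for principal, have in effective.items():
        role = role_of[principal]
        excess = have - role_needs.get(role, set())
        if excess:
            findings[principal] = {
                "role": role,
                "excess": sorted(excess),
                "third_party": role in third_party_roles,
            }
    return findings


def prioritize(findings):
    """Order principals for remediation: third parties first, then by how much
    excess access they hold."""
    return sorted(
        findings,
        key=lambda p: (not findings[p]["third_party"], -len(findings[p]["excess"]), p),
    )


if __name__ == "__main__":
    report = review_grants(GRANTS, ROLE_NEEDS, RESOURCES, THIRD_PARTY_ROLES)
    for principal in prioritize(report):
        f = report[principal]
        tag = "THIRD PARTY" if f["third_party"] else "employee"
        print(f"{principal} ({f['role']}, {tag}) has excess access to: {', '.join(f['excess'])}")
```

On this input the vendor is reported first with the annual report, campaign budgets and press kit as excess, sam (a sales rep with engineering and finance folders) second, and maya is not reported because every folder her wildcard grant expands to is one her role needs. Running this kind of review on a schedule, and treating any non-empty result for a third-party principal as a ticket, is a concrete way to act on indicators 1 and 5.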
A Strong Insider Threat Program Predicts and Prevents Risky Behavior
In conclusion, integrity isn’t enough to protect your organization from a catastrophic insider attack. You need an effective insider threat program that encompasses predictive security analytics. Close the loopholes and weaknesses by implementing Gurucul’s UEBA technology. Get ahead of Insider Threats and request a demo of our platform today!
Watch The Webinar
Want more information? Watch this webinar for details on our best practice recommendations for implementing an Insider Threat Program based on our experience. With proven strategies and tactics, organizations can get to the point where they are able to remediate insider threats in real time or at least before data is exfiltrated.
On Demand Webinar: Best Practices for Implementing an Insider Threat Program