The threat of accidental or malicious employees compromising information security has been around ever since there were computer systems. But you would have thought by now that CISOs would have got a handle on it.
Not so, according to a new report from training and research firm the SANS Institute which I’ve just covered for Infosecurity Magazine.
It found that although three-quarters of IT security pros are concerned about the insider threat, a third have no means of defending against it and around a half either don’t know how much they’re spending on it or have no idea what the potential losses would be.
From JPMorgan to Chesapeake, the dangers of failing to properly mitigate internal risks are clear to see, but firms seem to be slow on the uptake.
According to Roy Duckles, EMEA Channel Director at Lieberman Software, it’s a lack of “visibility, accountability and auditability” which is to blame.
“There is an assumption that if a person or group have the ‘keys to the kingdom’ with full admin rights across an enterprise, that this is a viable and effective way to apply security policies,” he told me.
“Where most businesses fail is that due to the fact that this approach not only reduces security, but it makes it almost impossible to see who is changing what, on which systems, at what time, and the effect and risk that it has on a business.”
Firms therefore need to remove privileges where possible, introduce 2FA and prevent admins “knowing” which passwords get them into systems, he advised.
Sagie Dulce, security researcher at Imperva, told me by email that organisations lack “budget, training, technology and an incident response plan” for when a breach occurs.
He added:
“Obviously, the first things organizations must do is put some resources into the insider threat. The second thing organizations must do is prioritise: ask themselves what are the most important thing they are trying to protect?
Once they know what they are trying to protect they should consider:
- Is it Personal Information, emails, code etc?
- Is the data structured, unstructured?
- Is it found on databases, file shares?
- Who has access to this data and how (from special terminals, via VPN, 3rd party partners etc.)?”
Finally I asked David Chismon, security consultant at MWR InfoSecurity, who repeated the notion that employees should be given the minimum access necessary to do their jobs.
Investing in systems to spot insider abuse could also help protect organisations against targeted attacks which spearphish users and abuse their access, he argued.
“For example, organisations are able to detect when an employee’s account is used to try and access data it shouldn’t or if a large amount of data is being exfiltrated,” Chismon explained. “It doesn’t matter at that stage if it is the employee misusing their account or an external attacker who has compromised the network.”
