Internal threat: How to reduce and eliminate it in your company
It’s an uncomfortable thought but one that needs to be addressed: companies face a high amount of risk from inside actors, and policies need to be put in place that take that at face value and set up the appropriate guardrails.
The ever-present internal threat risk
An internal bad actor is the worst of all worlds – they have proprietary system access outside hackers only dream of and know how to maneuver around the culture without getting caught. But intentional baddies aren’t the only ones to beware of: More often than not, uninformed or careless employee behaviors add unintended risks to a company’s assets. Because they are on the inside, those types of threats can be exponentially more harmful than their external counterparts and require the most proactive security safeguards.
Today’s landscape is especially susceptible to creative new ways that company insiders can do an unforeseen amount of damage. As the post-pandemic world experiences a surge of job mobility, these workers on the move can accidentally bring their old work IP with them when transferring to a different company. Increasing the separation between employee and employer also increases the likelihood of hiring a scammer or someone who works for an organization that would benefit from the criminal exposure of a company’s data.
Key points for cutting down internal threats
Reducing or eliminating insider threat risks comes down to performing well in a few key areas:
- Know what’s going on in your internal landscape. Monitor for threats and insist on full visibility across the inner workings of your enterprise. Look for a tool that works across multiple industries and can granularly monitor internal data while staying on the right side of industry-specific compliance requirements. This solution should be able to spot malicious behavioral patterns and alert you when risky user behavior is underway. It should also bring to light:
- Which users work with large amounts of sensitive data regularly?What business flows need to be supported?Which groups need access to a certain data subset?What happens to data after it is accessed?
- Which users and applications retain copies of the data?
- Know the indicators of insider threats. Once you know how data is being used, you can know how to set your policies and triggers. The most important indicator of an insider threat is, after all, the violation of an organization’s data policies. Another common red flag is anomalous behavior, and other more subtle techniques such as saving data to a zip file, changing file extensions, or encrypting assets.
- Get away from traditional methods. There are some risks that come with legacy Insider Risk Management (IRM) solutions, and those limitations are where modern-day threats seep though. As a Carnegie-Mellon CyLab study states, “Insider risk management activities in organizations typically focus almost exclusively on individual behaviors rather than also considering the context in which that behavior occurs.” Historically, IRM tools have taken a passive approach, scanning for anomalies and alerting you when something arises. However, they fall short as they can’t differentiate the data being ‘mishandled’ and end up generating alerts for non-threatening activity while missing other legitimate risks.
- Go beyond Data Loss Prevention (DLP). While they can adequately analyze data, DLP solutions are limited to information that fits a predetermined format, such as SSNs or credit card numbers. This makes it difficult to protect intellectual property. They also fall into the camp of “traditional solutions”, meaning they provide alerts (but without context) and put all the heavy lifting of threat response on the manual processes of the team itself.
- Defend with a good offense. CISA notes that “proactively managing insider threats can stop the trajectory or change the course of events from a harmful outcome to an effective mitigation.” To this end, solutions need to do more than detect internal bad: they need to stop it. While beneficial, users with traditional ‘detection only’ IRM platforms can “struggle to successfully implement and operationalize the tool as part of their data security program.” Keep in mind that multiple tools for multiple reasons create siloes and added work.
Digging Into Data Detection and Response
If your security team is looking to optimize resources, a Data Detection and Response (DDR) platform is a great way to not only detect but defend against real-time internal threats. “This new data-centric approach,” states VentureBeat, “provides instant visibility into data stores and real-time protection and response capabilities…some say it is set to reinvent the cybersecurity space”.
New threats require new methodologies, and enterprises look to AI, automation, and autonomous technology to provide them. Take EDR and XDR, for example. DDR defends in the same proactive way, not only detecting but responding to insider threats in real-time and giving your data-driven context so you know which anomalous behavior is worth further investigation (and which is an intern accessing an old Myspace).
Thanks to the rise of autonomous security measures like DDR, organizations can move from passively knowing their inside threats to proactively preventing them.