Preventing and Responding to Insider Threats

There’s a saying that goes, “Cybersecurity would be easy if it weren’t for the employees.” Whether due to negligence, ignorance, or outright malice, insider attacks are a massive cybersecurity concern.

Remember Dennis from Jurassic Park?

You’ve seen the stats and heard the horror stories. But what should you DO about it? Here are some of the most important actions you can start taking today to protect against insider threats based on the 2019 Verizon Insider Threat Report.

Protect Privileged Accounts

Accounts with special access and permissions (like admin accounts) need extra protection.

• Minimize the number of privileged accounts to only what is absolutely necessary.
• Implement MFA and use strong passwords.
• Use admin accounts (with MFA) only when needed. For everyday functions, use standard user accounts.
• Only people who need admin access to do their jobs should have access to privileged accounts.
• Monitor privileged account sessions.
• Periodically audit accounts and account privileges.

Be Big Brother: Monitor Everything

Restrict and monitor access to critical parts of your network, including network devices, servers, and workstations, as well as key accounts, applications, and files.

Also, determine what is “normal” user behavior and network activity – then monitor and review logs for events that don’t fit the norm.

In addition:

• Create alerts for user account creation and modification.
• Set up alerts for abnormal authentication events, such as numerous password resets in brief periods and access from foreign sources.
• Review the logs of accounts accessing sensitive systems for any unusual account activity.
• Consider investing in a Security Information and Event Management (SIEM) solution to monitor, detect, and log suspicious user account activities.

Implement Multi-Factor Authentication

MFA authenticates users with two or more independent forms of identification. You should require it for VPN remote connections to the corporate environment. MFA should also be set up for accessing email from external sources.

Secure Those Mobile Devices

Whether you issue smartphones to employees or let them use their own, more and more corporate data is being accessed via mobile.

• Require users to enable screen locking with a complex passcode on all devices accessing company information.
• Enable encryption features for data-at-rest and data-in-motion.
• Perform security audits on all authorized mobile device apps.
• Talk with your users to uncover any unauthorized workarounds to company security methods.
• Use a Mobile Device Management (MDM) console to monitor, manage, and secure devices.

Keep Former Employees Out

When an employee leaves the company, IMMEDIATELY terminate their access by:

• Disabling user accounts and removing the accounts from Active Directory
• Terminating remote access
• Ending remote web, mobile, and other tool access
• Terminating email account access and removing them from any distribution and group lists

Train, Train, Train

Security awareness training should be the cornerstone of your insider threat prevention strategy. Your training program should:

• Have full management support
• Reinforce what is and isn’t acceptable user behavior
• Review cybersecurity policies covering BYOD, information security, and physical security
• Discuss how to spot social engineering attempts, how to recognize insider threats, and how to report suspected security concerns
• Explain the disciplinary consequences for unauthorized or malicious activity
• Teach the indicators of a potential insider threat, such as:
  • Consistently working outside normal hours when nobody is around
  • Repeatedly violating security protocols
  • Attempting to access data, systems, or facilities without a valid reason
  • Talking about stealing or destroying data
  • Asking others to access restricted information they’re not authorized to view
  • Undue curiosity about information not within their job scope

Training should start on the employee’s very first day as part of their onboarding. Conduct refresher training and assessments throughout the year.

Prepare for the Worst

If all else fails and you experience a successful insider attack, do you know what to do? That’s why you need an incident response (IR) plan.

The plan should include processes for the six IR phases:

1. Planning and preparation
2. Detection and validation
3. Containment and remediation
4. Collection and analysis
5. Remediation and recovery
6. Assessment and documentation

In addition, draft a communication plan detailing how and when IT should inform the appropriate stakeholders about insider incidents.

The Next Step

What we’ve covered here is a good start, but there’s a lot more a company can do to protect itself from insider threats.

Partnering with an experienced cybersecurity firm like Elevity can help you ensure you’ve covered all the bases – while taking some of the burden off your shoulders.

Let’s talk! Visit our Security page or contact us.

Additional Resources

8 Ways to Spot an Insider Threat (Dark Reading)

How to Protect Your Organization Against Insider Threats (TechRepublic)

Cybersecurity Regulations: 10 Ways to Encourage Employee Compliance (Forbes)