When people think about cyber security the image that most often comes to mind is of the hacker, sitting outside the firewall attacking an organization’s valuable assets. These hackers certainly exist, and my previous two blogs discussed some common threats that you might face. In Protect your organization from advanced persistent threats and Protect your organization from ransomware, I described the most common types of attack and explained how you should approach protecting your organization from them. I explained why you need a balance of people, process and technology controls, and why you should balance investment in controls that protect, detect and correct. In this blog I’m going to look at the threat from insiders. What happens when the threat comes from your staff or your contractors? What happens when it comes from suppliers who have been given access to your network – and potentially to your most sensitive information? Can the same controls work to protect you from people you trust, or do you need to take a different approach?
The first thing to understand is that insider threats don’t just come from dishonest people who want to attack your assets. You do need to consider the threat from dishonest people, but there are also two other sources of insider threat that you need to consider.
- Carelessness. Many organizations have suffered major security breaches because employees failed to take appropriate care when handling sensitive information. One UK government department lost an unencrypted CD that contained personal details of 25 million people. This resulted in major embarrassment, including the resignation of a senior manager. There have been many similar incidents caused by lost laptops, USB drives and other careless handling of data.
- Extended supply chains. Some breaches have been caused by weaknesses in extended supply chains. If suppliers have access to your network, then an attacker who compromises their systems can use that access to attack you from inside your network. One well-known example of this was the breach of point-of-sale terminals at Target. The hackers originally compromised the company that serviced the fridges at Target stores, and then used that company's access to mount an attack on Target. This breach resulted in the credit card details of at least 40 million people being leaked, which cost Target nearly $150 million (and possibly much more according to some estimates).
So what kind of controls do you need to protect your valuable information from dishonest and careless staff and contractors, and from extended supply chains? I'm sure you won't be surprised to learn that the answer is still to aim for a good balance of people, process and technology controls, as well as a good balance of controls to protect, detect and correct incidents when they do occur. When dealing with insider threats the balance does need to change a bit: the people controls become much more important, but you still need the process and technology controls. Similarly, a focus on detection and correction becomes more important, but again you need to get the protection part right too.
Some of the most important controls that you need to consider in these scenarios include:
- Access control. Don’t just allow everybody in the organization to have access to all your information. Identify all the information you own, make sure you know who should be able to access which information, and then provide suitable access controls to enforce those access rules. You also need to make sure that you update your access controls when anybody changes roles, and especially when they leave the organization.
- Cryptography. If you must transport sensitive data, either across a network or on removable media, then make sure it is encrypted, and make sure that you manage your encryption keys securely. In many cases data at rest in your data center should also be encrypted to protect it from inappropriate access. This can help to protect you from carelessness, can prevent system administrators from accessing confidential data and can make it extremely hard for hackers to access the data.
- Segregation of duties. This control makes it harder for people to commit fraud, and reduces the chance of mistakes, by dividing sensitive tasks into separate activities carried out by different people. For example you could have a process that requires payments above a certain threshold to be initiated by one person and then approved by another.
- Awareness training. This is probably the most important control, and one of the hardest to get right. How can you ensure that people take care when handling your information? What can be done to stop people copying millions of confidential details to a CD and sending it by post? The answer is repeated, focused, relevant and impactful training. Use many different styles and approaches and keep reinforcing the message. This won’t prevent all carelessness, but it can certainly help.
- Recruitment and pre-employment checks. Include cyber security knowledge and understanding in every job description, and make sure that people show the right level of awareness when you interview them. Actually follow up references, check that claimed certifications really were awarded and that other claims in CVs are true. Somebody who hasn’t been completely honest at this stage of their relationship with you can probably not be trusted to have access to your valuable data.
- Establish codes of connection with suppliers. A Code of Connection (CoCo) is a set of security standards that the third party agrees to follow, including your right to audit and impose sanctions for failure to comply. This can help to ensure that the third party is implementing sufficient security for your needs.
Even if you implement all of these controls, they will not provide all the protection you need. You also need to monitor the behavior of all your users and suppliers, to detect early signs of risky behavior. This can enable you to intervene before a breach, or in the worst case to detect a breach very early and take corrective action before it becomes expensive. You should be able to detect when a user who should just access one or two sensitive records at a time downloads hundreds of records, or when a supplier who should only have access to your payments system for a few minutes every month is logged in for hours at a time. To enable this data collection and analytics you need a tool like Nexthink that can collect data from a wide variety of sources and perform the analytics needed to recognize risks in real time.
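The two detection rules just described (a user pulling hundreds of records when a handful is normal, and a supplier account logged in for hours when minutes is normal) can be expressed as simple analytics over an audit trail. The following Python is an added example, not code from the original post or from Nexthink; the log line format, account names and per-account baselines are assumptions, and the log itself is constructed inline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baselines: how many sensitive records an account normally touches
# per hour, and how long a supplier account is expected to stay logged in.
RECORD_LIMIT_PER_HOUR = {"alice": 5, "bob": 5}
SESSION_LIMIT = {"acme-payments": timedelta(minutes=15)}

def parse(line):
    """Assumed log format: '<ISO timestamp> <account> <action> <detail>'."""
    ts, user, action, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, detail

def bulk_access_alerts(lines, limits, window=timedelta(hours=1)):
    """Return {account: peak count} for accounts whose record views in any
    sliding window of `window` length exceed their baseline."""
    views = defaultdict(list)
    for ts, user, action, _ in map(parse, lines):
        if action == "record_view":
            views[user].append(ts)
    alerts = {}
    for user, times in views.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > limits.get(user, 0):
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts

def long_session_alerts(lines, limits):
    """Return [(account, duration)] for sessions longer than the agreed limit."""
    open_sessions, alerts = {}, []
    for ts, user, action, _ in map(parse, lines):
        if action == "login":
            open_sessions[user] = ts
        elif action == "logout" and user in open_sessions:
            duration = ts - open_sessions.pop(user)
            if duration > limits.get(user, timedelta.max):
                alerts.append((user, duration))
    return alerts

# Constructed sample log: alice views 3 records, bob pulls 200 in under four
# minutes, and the supplier account stays logged in for six hours.
base = datetime(2024, 3, 4, 9, 0)
LOG = [f"{(base + timedelta(minutes=i)).isoformat()} alice record_view id={1000 + i}" for i in range(3)]
LOG += [f"{(base + timedelta(seconds=i)).isoformat()} bob record_view id={5000 + i}" for i in range(200)]
LOG += [f"{base.isoformat()} acme-payments login -",
        f"{(base + timedelta(hours=6)).isoformat()} acme-payments logout -"]

if __name__ == "__main__":
    print(bulk_access_alerts(LOG, RECORD_LIMIT_PER_HOUR))   # {'bob': 200}
    print(long_session_alerts(LOG, SESSION_LIMIT))          # one alert for acme-payments
```

The baselines are the hard part in practice: they have to come from the access rules you defined when you classified your information, not from whatever the accounts happen to do today.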
Early detection of risky behavior is the best defense against insider threats, whether they come from staff, contractors or suppliers, and whether they are deliberate or due to carelessness. If you know what's happening then you're in a position to do something about it; if you don't know what your users are doing then you will never be able to protect your valuable assets.