September 18, 2024
Detect and Defend: 5 Tips for Guarding Against Insider Threats
Not every cybersecurity threat originates outside of the organization. External threats tend to receive more attention, but an IBM report shows that a breach caused by an insider threat can carry an even higher cost. In fact, malicious insider attacks cost an average of $4.99 million despite accounting for just 7% of breaches. That makes them the most expensive breach vector in the report. Accidental data leakage — when employees simply make mistakes and expose data — constitutes another 6% of breaches, with an average price tag of $4.28 million.
Successfully guarding against an insider threat requires a combination of tactics and technology. Here are five tips you can use to protect your organization.
What is an insider threat?
An insider threat is any cybersecurity threat that starts with an authorized user, whether that’s a new hire, a C-suite executive, or even an external business partner. Both intentional and accidental misuse fall under the umbrella of the insider threat. Corporate espionage may be the most high-profile form of insider threat, but a contractor accidentally sharing confidential data also counts. So does a threat actor hiding behind stolen credentials.
Here are three common insider threat examples:
- A malicious insider is anyone who uses their access for revenge or profit. These are often disgruntled current or former employees.
- A negligent insider is a legitimate user who accidentally leaves the business open to cyber attack. For example, if an employee loses a laptop containing financial data, they've become a negligent insider and created a vulnerability.
- A compromised insider refers to a threat actor who steals the credentials of a legitimate user and uses them to exploit a business.
5 tactics for insider threat prevention
Develop data security policies
The first step in guarding against an insider threat is to design data security policies that protect against both negligence and misuse. Your policies should clearly define what qualifies as acceptable network behavior. They should also lay out security best practices that employees understand and find convenient to follow. Finally, your policies should include incident response protocols IT can follow to work quickly and effectively in the event of a breach.
Know your people
The Cybersecurity & Infrastructure Security Agency (CISA) lists knowing your employees as one of three key components of an insider threat management plan. You can kick-start that with a thorough vetting process built into your hiring workflow.
Once an employee is on board, educate them on your security policies. Comprehensive and engaging training can help ensure your entire workforce knows how to keep themselves and the organization safe. That means fewer compromised and negligent insiders.
Even the best-intentioned employees may grow lax over time. You can counteract that tendency through regular refresh training, which also gives you a chance to update employees on new policies, technologies, and attack vectors to look out for.
Identify and map critical assets
The second critical component of the CISA approach is to identify your most precious assets and set priorities around them. Start by taking inventory of your data. Note any storage location containing sensitive data and rate each according to how sensitive its data is. Next, survey your infrastructure and rate each piece based on how much damage an outage would cause.
Using the data and systems map you produce, evaluate how vulnerable your most critical data stores and systems are. Who can view each storage location? Who can manipulate your network settings? How easily, and with what authorization? The answers to these questions will help you design additional protections. They can also inform your response plans.
Detect and identify potential threats
To complete the CISA approach to insider threat management, you’ll need to establish a framework for detecting, identifying, assessing, and managing threats. That framework can be simplified further into two steps: monitoring behavior for suspicious activity and responding to potential threats.
Implementing a data loss prevention (DLP) solution can empower you to keep an eye on employee actions around the clock. Automated alerts can flag suspicious activity, such as late-night log-ins or large downloads. This form of insider threat detection puts you in a position to respond quickly and effectively.
Although CISA recommends maintaining a dedicated team to assess insider threats, it also emphasizes that there is no one-size-fits-all approach. You can employ user and entity behavior analytics (UEBA) to refine your alerts and automate more of the assessment process. This technology builds a behavioral profile for each user in your systems, so that an alert fires on activity that is unusual for that user rather than on a fixed threshold, reducing false positives and boosting the accuracy of your alerts.
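To make the difference between fixed alert rules and a per-user behavioral profile concrete, here is an added example in Python. It is not Lookout's code and not a real DLP or UEBA product; it runs over a constructed activity log for two hypothetical users (an office-hours employee and a night-shift operator), applies the static "late-night log-in" and "large download" rules, and then applies a simple per-user baseline (usual hours plus the mean and standard deviation of download sizes) so that the night-shift user's routine activity stops generating alerts while an unusual off-hours download from the office-hours account still does. The cutoff date, thresholds and log format are all assumptions for the example.

```python
"""Hypothetical insider-threat alerting over constructed activity logs (not Lookout code).
Contrasts static rules (late-night log-ins, large downloads) with a per-user baseline."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one "<ISO timestamp> <user> <event> <bytes>" per line. alice keeps
# office hours and moves ~20 MB a day; bob is a night-shift operator who pulls ~700 MB backups.
SAMPLE_LOG = """\
2024-09-02T09:05:00 alice login 0
2024-09-02T09:30:00 alice download 20000000
2024-09-02T23:30:00 bob login 0
2024-09-02T23:45:00 bob download 700000000
2024-09-03T11:20:00 alice download 25000000
2024-09-03T23:20:00 bob login 0
2024-09-03T23:50:00 bob download 650000000
2024-09-05T23:40:00 bob login 0
2024-09-05T23:58:00 bob download 690000000
2024-09-06T02:10:00 alice login 0
2024-09-06T02:15:00 alice download 600000000
"""

BASELINE_CUTOFF = datetime(2024, 9, 5)  # events before this date build the baselines
LARGE_DOWNLOAD_BYTES = 500_000_000      # static "large download" threshold
LATE_NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))
HOUR_TOLERANCE = 2                       # hours from a user's usual hours before "off-hours"
Z_THRESHOLD = 3.0                        # std devs above the user's mean download size

def parse_log(text):
    """Parse log lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, event, size = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "bytes": int(size)})
    return events

def static_alerts(events):
    """Fixed thresholds applied to everyone: late-night log-ins, large downloads."""
    alerts = []
    for e in events:
        reasons = []
        if e["event"] == "login" and e["ts"].hour in LATE_NIGHT_HOURS:
            reasons.append("late-night login")
        if e["event"] == "download" and e["bytes"] > LARGE_DOWNLOAD_BYTES:
            reasons.append("large download")
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})
    return alerts

def build_baselines(events):
    """Per-user profile from pre-cutoff events: active hours, download mean/stdev."""
    hours, sizes = defaultdict(set), defaultdict(list)
    for e in events:
        if e["ts"] < BASELINE_CUTOFF:
            hours[e["user"]].add(e["ts"].hour)
            if e["event"] == "download":
                sizes[e["user"]].append(e["bytes"])
    return {u: {"hours": h,
                "mean": mean(sizes[u]) if sizes[u] else 0.0,
                "stdev": pstdev(sizes[u]) if len(sizes[u]) > 1 else 0.0}
            for u, h in hours.items()}

def hour_distance(hour, usual_hours):
    # Smallest circular distance (0..12) from hour to any of the user's usual hours.
    return min(min(abs(hour - u), 24 - abs(hour - u)) for u in usual_hours)

def baseline_alerts(events, profiles):
    """UEBA-style rules: flag only what is unusual for that particular user.
    Accounts with no baseline (new users) fall back to the static rules."""
    alerts = []
    for e in (x for x in events if x["ts"] >= BASELINE_CUTOFF):
        p = profiles.get(e["user"])
        if p is None:  # new account with no history: fall back to static rules
            alerts += [dict(a, reasons=a["reasons"] + ["no baseline for user"])
                       for a in static_alerts([e])]
            continue
        reasons = []
        if hour_distance(e["ts"].hour, p["hours"]) > HOUR_TOLERANCE:
            reasons.append("off-hours for this user")
        if e["event"] == "download":
            if p["stdev"] > 0:
                anomalous = (e["bytes"] - p["mean"]) / p["stdev"] > Z_THRESHOLD
            else:  # too little history for a spread; fall back to a coarse check
                anomalous = e["bytes"] > max(2 * p["mean"], LARGE_DOWNLOAD_BYTES)
            if anomalous:
                reasons.append("download size anomalous for this user")
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})
    return alerts

def run(text=SAMPLE_LOG):
    # Returns (static alerts, baseline alerts) for events on or after the cutoff.
    events = parse_log(text)
    recent = [e for e in events if e["ts"] >= BASELINE_CUTOFF]
    return static_alerts(recent), baseline_alerts(events, build_baselines(events))

if __name__ == "__main__":
    for label, alerts in zip(("static rules", "per-user baseline"), run()):
        print(label, [(a["user"], a["ts"].isoformat(), a["reasons"]) for a in alerts])
```

Run as a script, the static rules raise four alerts, two of them on bob's routine night-shift activity; the per-user baseline raises only the two alerts on alice's 02:10 log-in and 600 MB download, which are out of character for that account. In practice the baseline window would be weeks rather than days and would cover far more signals, but the shape of the check is the same: compare each action to what that specific user normally does.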
Most DLP and UEBA solutions don’t extend into the cloud. If your teams use SaaS or PaaS solutions, you can apply the same protections using a cloud access security broker (CASB).
Manage threats
In most cases, insider threat management begins before your DLP flags an incident. You can use your DLP solution to set privilege and access controls to limit what each employee can see and manipulate. Workers need access to some sensitive information to do their jobs, but past that point, the less access they have, the less risk they pose.
Even with limited access, well-meaning employees can make mistakes that lead to data leakage. Your DLP should provide several ways to address that risk, starting with data classification. Depending on the sensitivity of the data, your DLP can apply different protections. For example, low-sensitivity documents might receive a wordmark or have their keywords redacted. Confidential data, meanwhile, can be automatically encrypted, minimizing the risk it poses before it leaves your system.
What if a user tries to download unencrypted data? Enterprise digital rights management (EDRM) can step in to apply encryption when the download starts.
Stay safe with an SSE
The modern cybersecurity landscape is more complex than ever. Networks, clouds, and applications hold precious data and infrastructure, creating a vast attack surface with many unique security challenges. To cut through that complexity, Lookout designed a data-centric security service edge (SSE) solution that brings all your systems under one pane of glass. With more visibility and the same fine-tuned controls, your IT can keep your data safe — even from insider threats.
Curious about how Lookout SSE works? Join us for a free, hands-on lab that explores everything the solution offers.