Results from major data breach cases indicate that 65 to 70 percent of all security incidents arise from insider threats to system and data security. Many company insiders, whether employees, consultants, or partners, have access to critical systems and data and can potentially harm a company by stealing data, including the personal information of employees and customers, for a variety of reasons.
Why Insiders Commit Criminal Acts
The reasons why some insiders may resort to criminal acts can be attributed to fraud drivers which include:
- capability or opportunity (access),
- rationalization or justification (disgruntled or self-deserving), and
- motive or incentive (revenge or financial gain).
These drivers are what allow insiders who lack integrity to steal from their employers and commit fraud or other malicious acts.
Many employees who steal data, often right before they leave the company, believe that they are entitled to the documents or whatever else they are stealing because they have spent years working for the company, were responsible for major product launches and innovations, or believe that they have not been compensated enough. These criminal acts are committed despite the safeguards that companies have put in place, such as signed confidentiality agreements and other legal protection measures. The legal safeguards will not help companies fully recover their losses following a data breach by an employee who most likely has financial problems. Some losses from a data breach can run into the millions, and a few companies never recover from the reputational damage.
What Companies Should Do
Some of the measures that will help companies counter insider threats to system and data security include:
- have a zero trust mindset,
- apply proper access controls,
- follow the principle of least privilege,
- grant access with just-in-time provisioning, and
- implement strong management of privileged accounts.
In a “zero trust” model, insiders and outsiders are treated as posing equal levels of risk. Instead of relying only on role permissions, companies monitor user behaviors and allow access based on perceived risks. Information contained within systems is segmented, and as a user moves within the system, his or her behaviors generate a risk score. If the score is too high, additional access requires re-authentication using multiple identifying factors.
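The risk-score and re-authentication flow described above can be sketched as follows. This is an added example, not code from the article; the segment weights, penalties, and threshold are assumed values chosen for illustration.

```python
from dataclasses import dataclass

# Assumed sensitivity weights per data segment (illustrative only).
SEGMENT_WEIGHT = {"public": 0, "hr": 30, "finance": 40, "source": 35}
STEP_UP_THRESHOLD = 60   # assumed: risk allowed since the last MFA check
OFF_HOURS_PENALTY = 15   # assumed: access before 07:00 or from 20:00 on
BULK_PENALTY = 25        # assumed: more than BULK_ROWS records per request
BULK_ROWS = 1000

@dataclass
class Session:
    user: str
    home_segments: frozenset   # segments the user's role normally works in
    score: int = 0             # risk accumulated over the whole session
    baseline: int = 0          # score at the last successful MFA check

    def _risk(self, segment, rows, hour):
        risk = 0
        if segment not in self.home_segments:
            risk += SEGMENT_WEIGHT[segment]   # moving into another segment
        if hour < 7 or hour >= 20:
            risk += OFF_HOURS_PENALTY
        if rows > BULK_ROWS:
            risk += BULK_PENALTY
        return risk

    def request(self, segment, rows, hour, mfa_passed=False):
        """Return 'allow' or 'step_up' for a single access request."""
        projected = self.score + self._risk(segment, rows, hour)
        if projected - self.baseline <= STEP_UP_THRESHOLD:
            self.score = projected
            return "allow"
        if mfa_passed:
            # Fresh multi-factor proof covers the risk accumulated so far.
            self.score = self.baseline = projected
            return "allow"
        return "step_up"   # request is held until the user re-authenticates
```

Because the role check alone never grants access here, an HR user who drifts into finance and source data after hours is challenged even though each individual request might be permitted by a static role.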
Requiring multi-factor authentication, or applying a much stronger authentication mechanism than passwords alone, to access systems is a great starting point for improving access controls. Other controls include continuous access monitoring and adjustments to align the level of security with the company’s risk appetite.
Principle of Least Privilege
The principle of least privilege applies to authorization within the identity and access management model, the process that grants a user access to view, modify, share, or delete data in designated systems. It states that users must have the minimum access necessary to perform their job duties.
Just-in-Time Provisioning
Just-in-time provisioning is the concept that a user should have access only when that access is needed to perform certain tasks. It implies that a user should never retain an access level that the user does not need. This concept is even more important when the granted access is elevated and privileged, allowing a user to make changes to critical system code, functionality, and data. Highly technical staff may even be able to commit fraud and cover their tracks, because highly elevated access may also give them access to activity logs.
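A minimal model of time-bound elevation, added here as an example and not taken from the article. The four-hour cap, the ticket requirement, and the class and role names are assumptions; the audit list stands in for a log store that the elevated user cannot modify.

```python
from datetime import datetime, timedelta

MAX_TTL = timedelta(hours=4)   # assumed policy cap on any single elevation

class JitGrants:
    def __init__(self):
        self._grants = {}   # (user, role) -> expiry time
        self.audit = []     # append-only record of grants and expiries

    def grant(self, user, role, ticket, ttl, now):
        """Elevate `user` to `role` for at most MAX_TTL, tied to a ticket."""
        if not ticket:
            raise ValueError("elevation requires a ticket reference")
        expiry = now + min(ttl, MAX_TTL)   # requested duration is capped
        self._grants[(user, role)] = expiry
        self.audit.append((now, "grant", user, role, ticket))
        return expiry

    def is_allowed(self, user, role, now):
        """Check access at time `now`; expired grants are removed on sight."""
        expiry = self._grants.get((user, role))
        if expiry is None:
            return False               # no standing access by default
        if now >= expiry:
            del self._grants[(user, role)]
            self.audit.append((now, "expire", user, role, None))
            return False
        return True

    def standing(self, now):
        """Grants still live at `now`, for review of retained access."""
        return sorted(k for k, exp in self._grants.items() if exp > now)
```

Passing `now` explicitly keeps the checks deterministic; a deployment would read the clock from a trusted source rather than from the caller.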
Privileged Account Management
Privileged accounts are accounts with elevated access permissions that allow the account owners to access the most restricted areas of the system and execute highly privileged tasks. Just like typical user accounts, privileged accounts also require authentication, such as a password, to access systems and perform tasks. Privileged accounts such as administrative accounts are often used by IT professionals to manage software, hardware, and databases.
The problem with admin and service accounts is that they are often shared, used across many systems, and may have weak or default passwords. This makes them great targets for corrupt insiders and hackers: they are easy to steal, widely used across organizations, and offer highly elevated access permissions. In addition, the passwords of these accounts are often not changed frequently, which adds to the security risk given that they are shared and may have weak passwords. Some insiders who are aware of these accounts may take advantage and commit criminal acts. Another danger is that, since these accounts are shared, tracking and apprehending the wrongdoer will not be possible. Privileged Account Management is a highly important process for managing these critical accounts and protecting company systems and data from unauthorized access.
Insiders may have their own unique reasons to commit an illegal act with their highly sensitive access or the account privileges of other employees and coworkers. The reasons for their criminal acts may include revenge, financial gain, and entitlement because they have been laid off or fired, they disagree with management, or they did not receive the salary raise or annual bonus they expected.
When corrupt insiders have the motive and the necessary access, they can easily execute their plans. Without direct access to systems or knowledge of other employees' credentials, they may not be able to execute their plans as quickly as they wish. Although companies may detect criminal acts, it is often too late, and the damage is already done.
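The account weaknesses listed above (shared credentials, use across many systems, infrequent password changes) can be checked against an account inventory. The following is an added example, not part of the article; the inventory rows are constructed and the 90-day and three-system limits are assumed policy values.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation policy
MAX_SYSTEMS = 3              # assumed limit before an account counts as widely used

# Constructed inventory: account name, people who know the credential,
# systems the account logs in to, and date of the last password change.
INVENTORY = [
    {"account": "svc-backup", "holders": ["ops1", "ops2", "dba1"],
     "systems": ["db01", "db02", "fs01", "fs02"], "rotated": date(2022, 3, 1)},
    {"account": "adm-jlee", "holders": ["jlee"],
     "systems": ["dc01"], "rotated": date(2024, 5, 20)},
    {"account": "root-legacy", "holders": ["ops1", "contractor7"],
     "systems": ["app01"], "rotated": date(2024, 5, 1)},
]

def audit(inventory, today):
    """Map each risky privileged account to the list of issues found."""
    findings = {}
    for row in inventory:
        issues = []
        if len(row["holders"]) > 1:
            # More than one person knows the credential, so actions taken
            # with it cannot be attributed to an individual.
            issues.append("shared")
        if (today - row["rotated"]).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("stale-password")
        if len(row["systems"]) > MAX_SYSTEMS:
            # One stolen credential opens many systems.
            issues.append("widely-used")
        if issues:
            findings[row["account"]] = issues
    return findings

def worst_first(findings):
    """Order accounts by number of issues so remediation starts at the top."""
    return sorted(findings, key=lambda name: (-len(findings[name]), name))
```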
The best approach to manage insider threats to system and data security is for companies to incorporate as many concepts and best practices described in this article into their overall cybersecurity strategy.