Imagine a data breach and you’ll likely picture it starting with a faceless hacker, maybe even a state-sponsored crime ring across the ocean. But one of the biggest security threats comes from insiders and it’s finally getting well-deserved attention.
Part of our recent survey of 500 senior IT leaders, conducted with SC Magazine, examined their attitudes toward threats: specifically what worried them the most and how they planned to handle it. While the ongoing industry dialogue on security often focuses on how to combat advanced persistent threats, where those threats arise is just as worth examining.
So it’s interesting that a full 62 percent of CISOs are most worried about employees and other insiders putting their network at risk – either accidentally or deliberately. To put that number in perspective, concern over partners and suppliers came in at 18 percent. The category titled “Others,” which includes attackers with criminal or political motives, came in at only 6 percent.
Obviously this has implications for the security dialogue. While traditionally organizations have focused on keeping attackers out of the network, teams are realizing the futility of this quest. Today’s thinking runs more along the lines that malicious actors will probably be in your network sooner or later, which shifts the focus to stopping them from stealing proprietary data.
So why do internal threats rank so high as a concern?
To start, these IT leaders aren’t necessarily envisioning employees who deliberately abuse their access privileges to steal data – though of course that’s always a possibility. A more common scenario is the employee or partner who unwittingly creates a security gap or falls for social engineering and other scams, giving their credentials to attackers. Security teams may be immersed in the criminal methodologies and the controls that can stop them, but most employees will be far less educated on cybercrime.
Case in point: the South Carolina Department of Revenue. Their website was hacked a few years ago when a contractor was duped by a social engineering tactic. More than three million social security numbers were stolen.
It only takes one employee to visit an infected website or fall for a phishing scam. Once their credentials are stolen, the attackers using them will be perceived as an internal threat. If attackers also plant keyloggers within the network, even a password or passphrase change by the valid user is worthless – the keylogger will record the change and notify the attacker, preserving their access.
Another reason is the rise of Shadow IT. In the era of the app, when SaaS applications are designed to be user-friendly and let end users implement them without IT assistance, many IT teams lose oversight and control of important parts of their network. If those apps are employed without appropriate security controls, or if they violate regulatory compliance requirements, IT won’t know anything about it – opening up a host of potential vulnerabilities and entry points for hackers.
Obviously IT needs to control all access and authentication when it comes to applications and data. Even data living in the cloud has to interact with the corporate data, which means that authentication needs to happen somewhere else.
One solution: Adaptive Authentication, which evaluates contextual factors such as geo-location, IP addresses and device fingerprints. It’s the latter that helps companies admit established users while identifying attackers attempting to infiltrate the system with legitimate credentials. It can also identify a user who might inadvertently become a risk, something especially valuable for inside threats.
Once a valid user is authenticated, the technology stores the device’s unique characteristics, like HTTP headers, browser plug-ins and fonts or time zone. Going forward, it distinguishes between devices that match a stored footprint and devices that don’t, helping organizations block even those malicious actors who’ve obtained valid credentials. Users enjoy the simplicity and convenience of passwords while IT teams can effectively protect their most valuable data, both onsite and in the cloud.
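As an added illustration of the decision described above (example code written for this post, not a vendor's implementation): a login that already carries a valid password is scored against the device characteristics and network context stored at the user's last verified login, and the size of the mismatch decides whether to admit, challenge or block. The attribute names, weights, thresholds and sample values are assumptions.

```python
"""Adaptive-authentication risk check for a login that already has a valid password.
Added example for this post, not a vendor implementation; the attribute names,
weights and thresholds are illustrative assumptions."""
import ipaddress

# Device characteristics the post names, weighted by stability: the user agent
# changes with every browser update, so that mismatch alone should not lock out the user.
DEVICE_WEIGHTS = {"user_agent": 5, "accept_language": 10, "plugins": 15,
                  "fonts": 15, "timezone": 10}
NEW_NETWORK_WEIGHT = 20   # source IP outside every network seen for this user
NEW_COUNTRY_WEIGHT = 30   # geo-location outside every country seen for this user

def device_mismatch(stored: dict, seen: dict) -> int:
    """Sum the weights of fingerprint attributes that differ from the stored footprint."""
    return sum(w for attr, w in DEVICE_WEIGHTS.items()
               if stored.get(attr) != seen.get(attr))

def risk_score(profile: dict, attempt: dict) -> int:
    """0 means the context matches the stored profile exactly; 105 means nothing matches."""
    score = device_mismatch(profile["device"], attempt["device"])
    ip = ipaddress.ip_address(attempt["ip"])
    if not any(ip in net for net in profile["networks"]):
        score += NEW_NETWORK_WEIGHT
    if attempt["country"] not in profile["countries"]:
        score += NEW_COUNTRY_WEIGHT
    return score

def decide(profile: dict, attempt: dict) -> str:
    """Admit low risk, challenge medium risk with a second factor, deny high risk."""
    score = risk_score(profile, attempt)
    return "allow" if score < 15 else "step_up" if score < 70 else "deny"

# Constructed profile stored at the user's last verified login (RFC 5737 test addresses).
KNOWN_DEVICE = {"user_agent": "Firefox/118", "accept_language": "en-US",
                "plugins": "pdf-viewer", "fonts": "Arial,Calibri", "timezone": "America/New_York"}
PROFILE = {"device": KNOWN_DEVICE, "networks": [ipaddress.ip_network("203.0.113.0/24")],
           "countries": {"US"}}

# Constructed attempts: the same device after a browser update, the user's own
# device while travelling, and a stolen password used from an unknown device abroad.
ATTEMPTS = {
    "browser_update": {"device": {**KNOWN_DEVICE, "user_agent": "Firefox/119"},
                       "ip": "203.0.113.45", "country": "US"},
    "travelling": {"device": KNOWN_DEVICE, "ip": "198.51.100.7", "country": "DE"},
    "stolen_password": {"device": {"user_agent": "Chrome/117", "accept_language": "pt-BR",
                                   "plugins": "", "fonts": "DejaVu Sans",
                                   "timezone": "America/Sao_Paulo"},
                        "ip": "192.0.2.9", "country": "BR"},
}
```

Running `decide(PROFILE, a)` over the three constructed attempts yields allow, step_up and deny respectively; the travelling case shows why a second-factor tier matters, since a valid user on a known device should not be hard-blocked for a new location alone.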
In other words, the solutions are out there. Deploying Two-Factor Authentication at the edge of the VPN and implementing authentication and access controls throughout the network can reduce inside risk significantly; continuous authentication could also one day be used to continuously verify all of an insider’s activities on the network.
Inside risk deserves a high spot on any CISO’s risk management agenda. We live in a world where malicious actors often enter the network through internal assets. Any IT leader who fails to address inside risk in their security program is leaving a side door unlocked.