Insider threats can pose a serious risk to security. Yet out of approximately 250 professionals surveyed by Varonis1, as many as 24% have no breach detection capabilities and 40% are not able to detect when files containing sensitive data are created or accessed. Why are so many enterprises unprepared when they know their intellectual property is at risk every single day of being exposed or stolen by the very same people who are supposed to protect it?
It’s certainly no small feat to develop an insider threat program, which is why it’s imperative to establish, enforce, and continually train employees on the policies and procedures. However, even with best practices in place, breakdowns can still occur from the onset for two main reasons. The first is that many organizations are not aware of the impact the human aspect can have on such a program. If the program is not implemented correctly it can lead to a lack of serious participation from employees, or even resistance. The second is that IT leaders and executives aren’t sure what additional technologies they should consider, and which technologies they currently have that would fit into an insider threat program.
In this article, we’ll discuss why the human side of an insider threat program is a key part to its success and why it must be addressed before you can get to the fun part of evaluating and deploying cybersecurity technologies. Once you address these two focus areas, you’ll truly be on your way to mitigating insider threats and preventing security breaches.
The human side
It’s crucial to initiate your insider threat program by carefully considering how the policies and user behavior monitoring will be perceived by your employees. An insider threat program is intrusive by nature, especially for those who have access to sensitive company information, such as human resource files and financial material or those who have access to critical systems. The people in these positions usually must go through enhanced screening and background checks, as well as additional, ongoing monitoring, and are held to a higher standard than their peers. Some companies even require employees in these positions to notify their supervisor if they are involved in a lawsuit, file for bankruptcy, divorce their spouse, or travel abroad. Personal factors can raise red flags and potentially exclude employees from accessing certain data or systems. It’s only natural for people to want to keep that sort of information private, so being mandated to divulge it could cause them to feel annoyed, distressed, or embarrassed, possibly leading to poor morale or even a discrimination lawsuit. But there is a way to help such a program and its intimidating rules be received in a more positive way.
In order for an insider threat program to have a fighting chance at being successful, the company needs to have insight into personal factors that could help them determine if there are risks associated with providing individuals access to data and systems. Therefore, when launching an insider threat program, it’s extremely important to ensure your whole organization understands the objective, and is prepared for the changes that will take place as it’s being implemented. That way, employees can have a better appreciation for how important they are to the overall security of the company, and as a result, will more likely to be on board with the new program. This is especially true of executives and upper-level managers who will need to demonstrate support for this program while being monitored more carefully due to their authority to access highly sensitive and confidential information. It’s also the people in the high-ranking positions who are responsible for getting all stakeholders involved in the new program from HR, to compliance to physical security to legal. That approach is key to giving an insider threat program the power to protect the company, its systems, information, and employees as well.
With open communication about the new security initiative and the processes that support it, you have a much better chance at developing a successful insider threat program. Involvement from human resources is a must because they can provide customized training based on a job position’s risk level. Legal staff members can help streamline the transition to new procedures and policies such as, “If you see something, say something,” which applies to an insider threat program too.
The tech side
Now that you’ve addressed the various ways in which the human factor may influence your insider threat program, you can begin to focus on what might be the easier part for once – the technology. Let’s explore the types of solutions that have helped our customers strengthen their insider threat programs and overall security posture.
The first building block for an insider threat program is a log management solution. This is essentially a management layer that lives above existing systems and security controls. It collects information across systems and allows them to be analyzed from a single interface.
The next technology that serves as an integral part of an insider threat program is one that stops sensitive data from leaving the organization, thus preventing it from getting into the wrong hands. Data loss prevention (DLP) is a traditional technology that has seen a resurgence because of compliance mandates like GDPR, increasingly high-profile breaches, and the ever expanding use of cloud applications and remote connectivity. Intellectual property can be watermarked so that if it’s copied or sent out of the company via email, for example, it will trigger a response. You may recall that at one time, DLP technologies fell out of grace because they generated too many alerts that were often false positives, causing disruption to the business and bogging down productivity. Now, DLP capabilities are being integrated into advanced technologies, resulting in fewer false alarms.
This brings us to our third technology, user and entity behavior analytics (UEBA). It’s critical to understand all aspects surrounding the people interacting with your company’s sensitive data, including what they’re doing on the network, what data and systems they’re accessing, and why. Logs from your network, endpoints, and security devices will need to be fed into the UEBA technology along with other “human-related” information that will be used to calculate a risk score. UEBA technology monitors and analyzes all user behavior on the network as compared to normal or baselined activity and detects if a user behaves in a way that’s unusual in relation to their normal behavior or their peers’ behavior. Once the solution detects abnormal behavior, it issues alerts and prioritizes them based on activity and user profile – all in an automated manner. It can quickly identify the risks that require immediate attention and prioritize the lower priority activities for investigation as time permits.
Just like in the human element, visibility is a key factor as well. Once you have the basic technologies in place, you should consider what other solutions you have that could integrate into the UEBA technology or platform. It’s important to have a data visibility tool to aid in investigations. For example, one that can track file access such as which files, how many, what time, and what types, along with the user’s permissions. This could be helpful in a situation where an employee resigns for example. You can then review all of that person’s activity for the last 60 days to see what files were opened, downloaded, copied, or printed.
More advanced insider threat programs may use psycholinguistic technologies that can detect risks in employee communications. The beauty of these newer technologies is that they can analyze digital communications, which can be combined with other information to help determine whether an employee is capable of conducting malicious behavior. This added layer of intelligence enables the company to more efficiently mitigate threats before they cause harm to the company.
Mitigating insider threats starts with an open line of communication between leadership and all employees, from top to bottom, so everyone can appreciate the purpose of the initiative and their roles within it. I can’t stress enough that this part of the strategy that focuses on the human element is vital to the success of the program. Once that foundation is established, there needs to be a continuous effort by senior leadership to share program updates and results with the appropriate team members, address employee concerns, and provide ongoing training on company policies and procedures. Then you can begin the fun part of your journey, deploying the right technology and solutions, as mentioned above, to support your new and successful insider threat program.
1 Red Alert Data Breach Infographic, https://info.varonis.com/red-alert-data-breach-infographic
Jackie Groark is Director, Security/CISO for Veristor, a provider of transformative business technology solutions that helps customers accelerate the time-to-value for the software, infrastructure and systems they deploy. Groark fuses a strategic view of security operations with decades of cyber threat experience as she helps customers chart a course for comprehensive business protection. Prior to working with Veristor, Groark held cybersecurity positions at Southern Company, where she helped secure one of our nation’s most critical infrastructures – the electric grid.