External threats to your network have been on the rise over the past few years, driven largely by ransomware, and among the other ongoing threats it seems that insider threats have been pushed to the wayside. I would like to take the time to explain not only the importance of recognizing insider threats before they occur, but also detecting them while they are occurring and implementing measures to prevent them in the first place.
What, or who, is an insider threat?
An insider threat can be a willing party or an unwilling one. When trying to recognize possible threats, start with how much access each user has to intellectual property (IP), personally identifiable information (PII), or anything else that could be used to hurt the company or to turn a profit for someone else; a user cannot leak what they were never given access to. Warning signs that a person may become a threat include large amounts of debt, gambling addiction, alcoholism, depression, and major life changes such as divorce or the loss of a loved one. None of these is a guarantee of an insider threat, but each is a pressure that can push someone toward becoming one: people under enough pressure or stress will do whatever is in their power to relieve it. To avoid falling victim to these types of threats, an employer must be cognizant and caring, and must engage with their employees. Personnel who get training, family time, and pay that covers the cost of living in their area are more likely to be hard workers and loyal to the company's vision and assets. Loyalty is rare, but the right leader can inspire it. In my experience as a veteran, true leaders go to bat for their troops, support them when family issues arise, get them the training that will improve their career, and do everything in their power to teach them how to take over as leaders themselves.
Stop the threats
Companies can also put measures in place to prevent insider threats from both willing and unwilling parties. Many of these measures are a hindrance to business, so I will suggest some workarounds that allow business as usual while still deterring data exfiltration.
Start by disabling USB storage. Yes, this is a major change for the organization, but it is also how a lot of data is taken off the company network. Willing parties trying to sell data use this method quite frequently; unwilling parties use it to take work home with them, not realizing that their home computer may already be compromised, in which case the data is exfiltrated from that computer rather than from the corporate network. Note that the goal is to block removable storage, not the ports themselves, since keyboards and mice still need to work; on Windows this can be done centrally through the Removable Storage Access Group Policy settings or by disabling the USBSTOR driver. If disabling USB storage is not ideal, then spending the extra money on encrypted thumb drives that only unlock via software installed on corporate computers lets them be used while still maintaining the integrity of corporate data. This method won't allow people to work from home on personal computers, but it does allow the data to be used on any work machine that has the software and the corporate policy.
Another way data leaves the corporate network is e-mail. E-mail is vital to corporate communications, but letting it carry sensitive data without data loss prevention (DLP) software makes misuse easy. Software and mail-client add-ins are available that scan every outgoing e-mail so that IP or PII cannot be transmitted. These DLP solutions come at a financial cost, but they can stop IP and PII from being sent to personal e-mail accounts or any other account outside your corporate domain. Because content scanning is pattern based, expect some false positives at first and tune the rules rather than switching the scanning off.
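To make the DLP idea concrete, here is a small outbound-mail check written for this article; it is an added example, not the article's own tool or any vendor's product. It assumes a corporate mail domain of example.com, a made-up list of IP codenames, and constructed sample messages. It only blocks when sensitive content is addressed to someone outside the corporate domain, validates card numbers with the Luhn checksum and SSNs against the ranges the SSA never issues so that order numbers and placeholder values do not trip it, and never logs a full card number.

```python
"""Outbound-mail DLP check: flag messages that carry PII-like content or
named intellectual property to recipients outside the corporate domain.

Added example, not a product: the domain, keywords and sample messages
below are assumptions constructed for illustration."""
import re
from dataclasses import dataclass, field

CORPORATE_DOMAIN = "example.com"          # assumption: the company's mail domain
IP_KEYWORDS = ("PROJECT NIGHTJAR",        # assumption: codenames the company treats as IP
               "ROADMAP-CONFIDENTIAL")
# Payment card shape: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape: AAA-GG-SSSS (dash or space separated).
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out order numbers and other digit runs that
    merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    return not (a in (0, 666) or a >= 900 or int(group) == 0 or int(serial) == 0)


@dataclass
class Verdict:
    external_recipients: list
    findings: list = field(default_factory=list)

    @property
    def block(self) -> bool:
        """Block only when sensitive content is bound for an outside address;
        the same content between two corporate mailboxes is normal business."""
        return bool(self.external_recipients) and bool(self.findings)


def scan_message(recipients, body: str) -> Verdict:
    # Exact domain match: "bob@example.com.evil.net" is external, not internal.
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() != CORPORATE_DOMAIN]
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            # Record a masked value only; the full PAN must never reach the log.
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(body):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    upper = body.upper()
    findings += [("ip", kw) for kw in IP_KEYWORDS if kw in upper]
    return Verdict(external, findings)


if __name__ == "__main__":
    # Constructed sample messages (recipients, body).
    samples = [
        (["bob@example.com"], "Invoice paid with card 4111 1111 1111 1111."),
        (["bob@gmail.com"], "Invoice paid with card 4111 1111 1111 1111 for SSN 123-45-6789"),
        (["bob@gmail.com"], "Order 1234 5678 9012 3456 ref 000-12-3456"),
        (["bob@gmail.com"], "Draft notes on Project Nightjar attached"),
    ]
    for rcpts, body in samples:
        v = scan_message(rcpts, body)
        print("BLOCK" if v.block else "allow", rcpts, v.findings)
```

The third sample shows why the validation steps matter: a 16-digit order number and a 000-prefixed placeholder both look like PII to a naive regex, but neither survives the Luhn and SSA-range checks, so the message is allowed rather than becoming a false positive that users learn to work around.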
Cloud and file transfer services are convenient and powerful, but they also provide routes for data to leave the corporate network. When a company allows outbound FTP connections, it is easy for a user to connect to a remote server and simply drop files there. If cloud storage services can be reached without the right restrictions, the data ends up accessible from outside the corporate network and, most likely, leaves it. The way to prevent this is to allow access only to the cloud services your company actually uses, and only through a single sign-on solution that can be reached from the internal network. Every other cloud service should be blocked. An allowlist like this is only as good as its enforcement point: if workstations can reach the Internet without going through the proxy or firewall that applies it, the block is cosmetic.
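The policy in the paragraph above, expressed as a check over proxy log records, as an added example written for this article rather than code from the original. The internal address ranges, the sanctioned hostnames, the example unsanctioned storage domains and the log lines are all constructed assumptions. It goes one step beyond the text in one respect: besides denying FTP and every storage service not on the sanctioned list, it also raises an alert for a large upload to any host that is not sanctioned, since an unknown file-transfer site will not be on a blocklist the day it appears.

```python
"""Egress policy for cloud and file-transfer traffic, applied to proxy log
records: only the company's sanctioned services are reachable, and only
from the internal network; everything else in the storage/transfer
category and all outbound FTP is denied.

Added example, not code from the original article. The networks, hostnames,
thresholds and log lines are constructed assumptions."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network(n)             # assumption: corporate address space
                 for n in ("10.0.0.0/8", "192.168.0.0/16")]
SANCTIONED = ("drive.corp-cloud.example",            # assumption: services the company uses
              "sso.corp.example")
UNSANCTIONED_STORAGE = ("dropbox.com", "wetransfer.com", "mega.nz")  # illustrative category list
UPLOAD_ALERT_BYTES = 5 * 1024 * 1024                 # assumption: tune to the environment


@dataclass
class Record:
    ts: str
    user: str
    src_ip: str
    host: str
    port: int
    method: str
    bytes_out: int


def parse(line: str) -> Record:
    """Constructed log format: ts user src_ip host port method bytes_out."""
    ts, user, src, host, port, method, out = line.split()
    return Record(ts, user, src, host.lower().rstrip("."), int(port), method, int(out))


def host_in(host: str, domains) -> bool:
    """Suffix match on label boundaries: files.dropbox.com matches dropbox.com,
    but dropbox.com.evil.example does not."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(rec: Record) -> tuple:
    """Return (verdict, reason). Order matters: the FTP rule fires regardless of host."""
    if rec.port == 21:
        return ("deny", "outbound FTP")
    if host_in(rec.host, SANCTIONED):
        if is_internal(rec.src_ip):
            return ("allow", "sanctioned service via internal network")
        return ("deny", "sanctioned service reached from outside the internal network")
    if host_in(rec.host, UNSANCTIONED_STORAGE):
        return ("deny", "unsanctioned cloud storage")
    if rec.method in ("PUT", "POST") and rec.bytes_out > UPLOAD_ALERT_BYTES:
        return ("alert", "large upload to non-sanctioned host")
    return ("allow", "default")


def evaluate_log(lines):
    """One (user, host, verdict, reason) tuple per log line."""
    return [(rec.user, rec.host) + evaluate(rec) for rec in map(parse, lines)]


# Constructed sample log lines.
SAMPLE_LOG = """\
2024-03-01T09:12:03 jdoe 10.1.4.22 drive.corp-cloud.example 443 PUT 2097152
2024-03-01T09:15:41 jdoe 10.1.4.22 files.dropbox.com 443 POST 1048576
2024-03-01T09:20:10 asmith 192.168.7.9 ftp.partner.example 21 STOR 512000
2024-03-01T09:22:55 asmith 203.0.113.40 drive.corp-cloud.example 443 GET 0
2024-03-01T09:30:00 bkhan 10.2.0.5 dropbox.com.evil.example 443 POST 8388608
2024-03-01T09:31:12 bkhan 10.2.0.5 www.example.org 443 GET 300
""".splitlines()

if __name__ == "__main__":
    for user, host, verdict, reason in evaluate_log(SAMPLE_LOG):
        print(f"{verdict:5} {user:7} {host:28} {reason}")
```

The fifth sample line is the interesting one: the host is crafted so that a careless substring match on "dropbox.com" would catch it, while the label-boundary match correctly treats it as an unknown host, and it is the upload-size rule, not the domain list, that surfaces it. The fourth line reflects the requirement that the sanctioned service be reached from the internal network through the SSO path; a sanctioned hostname alone is not enough.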
Though these methods are not guaranteed to stop every insider threat, I do hope this sheds a little more light on the problem and on some ways you can mitigate and/or prevent data loss.
Derek Scheller Jr