How to eliminate insider threats

Statistics prove that more risk exists within an organization.

eliminate insider threats 1
Credit: Thinkstock
Insider threats are a major security problem

For years, the primary security objective has been to protect the perimeter—the focus on keeping outsiders from gaining access and doing harm. But statistics prove that more risk exists within an organization. Indeed, many compliance regulations require monitoring of systems to identify and eliminate insider threat. According to Forrester, 58 percent of breaches are caused from internal incidents or with a business partner’s organization. And 55 percent of attacks are originated by an insider as cited in the 2015 IBM Cyber Security Intelligence Index.

Mike McKee, CEO of ObserveIT, lists some tips to help organizations quickly jump on any irregularities that come from within your company’s network.

eliminate insider threats 2
Credit: Thinkstock
Build a proactive insider threat program

Key elements of the program should include:

A cross-departmental team, including: HR, IT, CIS and Leadership.

Employee training on cybersecurity policies and reinforcement of those policies. Real-time notifications at the point of violation should be a key component of the cybersecurity education program.

A user activity monitoring solution that will keep track of activities of privileged users, high-risk employees, remote vendors—anyone who has access to your systems and data. It should track and visualize users’ risk and behavior over time for faster and easier detection of insider threats.

eliminate insider threats 3
Credit: Thinkstock
Beware of privilege creep

Have clear video playback of exactly what happened before, during and after an event or alert. This decreases MTTR and provides organizations with irrefutable evidence that is vital to be able to take action.

Organizations typically have a good grasp of server statistics, access logs, performance, uptime, and system events. However, often gaps exist in identifying who has direct access to the server. Create credentialed logins (avoid using one general login), and employ an IT ticketing system to ensure all server-activity is very important.

eliminate insider threats 4
Credit: Thinkstock
Regularly review employee access controls

If there’s no need for an employee to access a particular account, revoke their permission. Additionally, consider restricting the use of remote login applications or cloud storage applications on corporate accounts.

Some organizations will perform this review yearly, but a more frequent review process (quarterly or monthly) can help mitigate insider threats.

eliminate insider threats 5
Credit: Thinkstock
Monitor all data exfiltration points

With user activity monitoring and video playback, large print jobs from computers, USB data exfiltration, Cloud Drive uploads, sending data to personal email addresses, or sending files via Instant Messenger do not have to be investigated by combing through event logs. With just the simple push of a playback button, the monitoring of these exfiltration points is so much easier and investigations can occur that much more quickly.

eliminate insider threats 6
Credit: Thinkstock
Know why users are installing/uninstalling software

Organizations use virtual desktops, non-persistent images, various software management tools, and account restrictions to control installed applications. In most cases, these infrastructure-centric methods don’t provide information on user intent and underlying business need. Insider threat technology can eliminate these visibility gaps and allow organizations to know whether people are putting the organization at risk.

eliminate insider threats 7
Credit: Thinkstock
Pay extra attention to high-risk users

Whether it’s through a conversation or the placement of a broadcast banner on a desktop, let high-risk users know they are being monitored. This will, in most cases, deter them from engaging in malicious activities. Immediately change the password access to computers when an employee leaves. Additionally, make sure third-party services also know of this employee’s termination so they can de-authorize their account.

Ensure departing employees do not have company data on personal devices. Before a high-risk employee leaves the organization, check whether they have company data on their personal computers, mobile phone, tablets, etc.

RELATED: How to prevent data from leaving with a departing employee

speed security investigation
Credit: Thinkstock
Speed security investigations

See the smoke before the fire. It is essential to be able to detect and respond to incidents and alerts quickly. Without the right security tools and programs, the mean time to detect to the mean time to resolve (MTTR) can be weeks. For example, the FBI often requests that companies not intervene with active exploits so they can gather evidence. Integrate your user activity monitoring solution with other cyber security tools so you can provide irrefutable evidence and decrease MTTR.