4 ways to stop insider threats

Most discussions of data breaches and cybercriminal activity focus on external players like hackers. But this only skims the surface of the threats that organizations face today. In fact, insiders are playing an increasingly large role in data leaks.

According to Verizon's 2016 Data Breach Investigations Report, insider threats are a rising concern across industries. That study attributed 32 percent of health care data breaches, 24 percent of manufacturing data leaks and 13 percent of public-sector incidents to privilege misuse. In total, Verizon counted close to 10,500 incidents of insider and privilege misuse.

“They’re behind your firewall, getting all up in your data,” the report’s authors noted. “They are often end users and they are comfortable exfiltrating data out in the open on the corporate LAN. Insider incidents are the hardest (and take the longest) to detect. Of all the incidents, these insider misuse cases are the most likely to take months or years to discover.”

To get a sense of how damaging these incidents can be, consider the case of Kexue Huang. For three years, he stole and illegally disseminated trade secrets from two U.S. companies, according to the FBI, costing the two firms an estimated $7 million to $20 million.

While insider threats can be just as damaging as external hacks, they are often much harder to stop. But with the right tools and know-how, spotting and shutting down internal threats is very much possible. Here are four ways to stop these kinds of data leaks:

1) Provide robust training

Both the FBI and Verizon paint the perpetrators of insider threats as disgruntled employees with an ax to grind or rogue agents looking to enrich themselves or someone else. But this doesn't give the full picture. Employee error, not malice, is also a common cause of data leaks.

Either way, robust training for all employees helps with this threat vector. Additional know-how not only prevents damaging accidents but also gives those on the ground the means to recognize and report a breach brewing in their midst.

2) Implement network oversight mechanisms

Network monitoring is usually set up to watch what is trying to get into the network from outside; it is rarely used to watch how traffic behind the firewall behaves. Monitoring internal traffic and authentication events can surface anomalous activity, but it must be deployed so as not to infringe heavily on workers' privacy: record who logged in, from where and when, not what they wrote. Even that metadata is useful for spotting, say, an employee logging in while on PTO or from an unusual location, since both can be signs that an insider breach is in the works. To tell "unusual" from "usual", you first need a baseline of each user's normal hours and locations.
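The kind of check described above, as an added example that is not part of the original article: it runs over a few constructed authentication log lines, a constructed PTO roster and a constructed per-user baseline of usual locations, and flags successful logins that fall during a user's PTO, come from a location the user has never been seen at, or belong to a user with no baseline at all. The log format, the IP-range-to-location table and every name in it are assumptions for illustration; a real deployment would map addresses with a GeoIP database and build the baseline from weeks of history.

```python
"""Added example (not from the article): flag logins that contradict what
we know about the user. All data below is constructed for illustration."""
from datetime import date, datetime
from ipaddress import ip_address, ip_network

# Assumed mapping from address ranges to a coarse "location" label.
# Constructed; in production this comes from a GeoIP database plus your
# own inventory of office and VPN ranges.
LOCATIONS = [
    (ip_network("10.0.0.0/8"), "office-lan"),
    (ip_network("203.0.113.0/24"), "home-isp-us"),
    (ip_network("198.51.100.0/24"), "foreign-isp"),
]

# Constructed baseline: the locations each user is normally seen from.
USUAL_LOCATIONS = {
    "alice": {"office-lan", "home-isp-us"},
    "bob": {"office-lan"},
}

# Constructed PTO roster: inclusive date ranges per user.
PTO = {
    "alice": [(date(2016, 6, 6), date(2016, 6, 10))],
}

# Constructed auth log: "<ISO timestamp> <user> <source ip> <result>".
# Only metadata is recorded, which keeps the privacy footprint small.
AUTH_LOG = """\
2016-06-03T09:02:11 alice 10.1.2.3 success
2016-06-03T22:15:40 bob 198.51.100.7 success
2016-06-03T22:16:05 bob 198.51.100.7 failure
2016-06-07T03:11:02 alice 203.0.113.9 success
2016-06-07T10:00:00 carol 10.1.2.8 success
"""


def locate(ip: str) -> str:
    """Return the coarse location label for an address, or 'unknown'."""
    addr = ip_address(ip)
    for net, label in LOCATIONS:
        if addr in net:
            return label
    return "unknown"


def on_pto(user: str, when: datetime) -> bool:
    """True if the login date falls inside one of the user's PTO ranges."""
    return any(start <= when.date() <= end for start, end in PTO.get(user, []))


def parse_line(line: str):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def find_anomalies(log: str):
    """Return (user, timestamp, [reasons]) for each suspicious successful login."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        when, user, ip, result = parse_line(line)
        if result != "success":
            continue  # failed attempts are a separate (brute-force) detection
        location = locate(ip)
        reasons = []
        if on_pto(user, when):
            reasons.append("login during PTO")
        if user not in USUAL_LOCATIONS:
            reasons.append("no baseline for user")
        elif location not in USUAL_LOCATIONS[user]:
            reasons.append(f"unusual location {location}")
        if reasons:
            findings.append((user, when.isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in find_anomalies(AUTH_LOG):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Alice's office login on June 3 is silent; Bob's late-night login from the foreign range, Alice's login during her PTO week and Carol's login with no baseline are each reported with the reason. The "no baseline" case matters in practice: a brand-new or rarely seen account is exactly where a rule based only on "unusual location" would stay quiet.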

3) Look outside company walls for help

According to the FBI, personal debts, political motivations, anger at upper management and dozens of other reasons may drive an employee to leak data from their employer. An outside agency or expert usually lacks such motivations and is therefore often less likely than an internal hire to be the source of a leak. Still, consultants are far from a panacea: there have been well-publicized cases of outside hires single-handedly perpetrating, or assisting in, a breach, and a contractor with credentials and network access is, for monitoring purposes, just another insider.

4) Utilize network and data segmentation

Not all employees need access to all data, and it is perfectly sensible to restrict access to the most critical data to a select few. This level of segmentation helps ensure that most employees are never in a position to cause a major data leak in the first place. Data and network segmentation can prevent the vast majority of both intentional and accidental incidents from ever cropping up, although it is far from foolproof on either front: the few who do hold access still need the monitoring described above, and access granted for one project tends to outlive the project unless it is periodically reviewed.

“Many employees are given full administration rights without proper accountability. This provides an opportunity to perpetrate an insider attack with a low risk of being detected,” Derek Smith, a Fellow and Adjunct Professor at Excelsior College, wrote in a March 2016 blog post. “Without privileged administration controls, there is no way for security professionals to control this ‘security blind spot.’”