“The call is coming from inside the house...” This line from 1979’s When a Stranger Calls terrorized audiences by introducing the notion that the things we should be most fearful of may be in the spaces we feel most safe. This idea translates neatly to the enterprise arena; security teams often are on the lookout for outside threats including malware, phishing scams, and ransomware attacks, but fail to see the danger in their own backyards.
Insider security threats are much more common than many actually realize. It’s estimated that 60 percent of all cyber attacks are carried out by individuals with privileged access. And oftentimes external threats are enabled by insider threats. Left unchecked, employee negligence—or even malevolence—can expose an organization to a host of security risks. Employees can turn malevolent for a whole list of reasons, which could cause them to strike out against their coworkers or employer. Because of its unpredictable nature, addressing the problem of insider threats is a complicated and sensitive issue. There isn’t one answer and a proper solution needs to take into consideration a myriad of factors. Below we take a look at some best practice advice for IT teams looking to keep a malicious, or simply incompetent, insider from causing a security crisis.
Activity Monitoring Can Help
It seems a bit odd that an organization’s own employees would be included in its ‘threat log’. Furthermore, the idea of a company surveillance culture can seem a bit repugnant to employees. The practice of excessively tracking email conversations, search histories, and device logs can sometimes be seen as ‘shady’ at best and, at worst, can erode the foundation of trust that a successful business is built on. That being said, keeping an organization safe from internal threats often relies on a healthy dose of user activity monitoring to keep an eye on any strange or irregular behavior.
That doesn't necessarily mean snooping around your employees' inboxes, though. Instead, you can use network and performance monitoring tools already at your disposal to keep baselines on normal behavior and resource usage, and get notified when things look out of the ordinary.
What Should IT Teams Look For?
IT security teams should keep an eye out for any unusual downloads and file transfers (more on this later). This is especially important for users with access to sensitive enterprise information. A notable spike in user activity or resource usage may point to malicious activity as well. Sometimes an increase in user activity is completely explainable; other times it can indicate something more concerning. Some users may work from home to complete projects, which shouldn’t immediately be seen as suspicious behavior, while others may have work that calls for intensive GPU or CPU usage. That said, if an employee has sudden and dramatic increases in their activity and resource usage combined with suspicious activity, this should be cause for concern.
For example, if a member of your marketing team whose job usually involves handling social media and scheduling events is suddenly using 100 percent of their GPU, 24 hours a day, seven days a week, that's a good indicator that they're up to no good, or have had their machine compromised. By using network monitoring tools to set baselines for resource usage, you can keep tabs on irregular use, and even set up automated alerts when certain usage thresholds are surpassed.
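The baseline-and-threshold idea above can be sketched as follows. This is an added example, not code from the original article or from any monitoring product; the user names, sample values, and the parameters `k`, `floor`, and `min_hours` are constructed assumptions.

```python
from statistics import median

# Constructed hourly GPU utilisation samples (percent) per user; not real telemetry.
BASELINE = {
    "marketing-01": [3, 5, 2, 4, 6, 3, 5, 4, 2, 3, 4, 5],
    "render-07":    [85, 92, 40, 95, 88, 30, 97, 90, 91, 35, 94, 89],
}
RECENT = {
    "marketing-01": [100, 99, 100, 100, 98, 100, 100, 100],
    "render-07":    [93, 96, 90, 97, 38, 95, 92, 94],
}

def threshold(history, k=6.0, floor=5.0):
    """Per-user ceiling: median + k * MAD, with a minimum spread of `floor`.

    Median/MAD resist occasional spikes in the baseline better than mean/stddev.
    A user whose normal load is already near 100% gets a ceiling above 100 and
    is never flagged by this check, which is intended for heavy-GPU roles.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med + k * max(mad, floor)

def longest_run_over(samples, limit):
    """Length of the longest streak of consecutive samples above `limit`."""
    best = run = 0
    for s in samples:
        run = run + 1 if s > limit else 0
        best = max(best, run)
    return best

def find_anomalies(baseline, recent, min_hours=6):
    """Flag users whose usage stays above their own ceiling for min_hours."""
    alerts = []
    for user, samples in recent.items():
        history = baseline.get(user)
        if not history:
            # New or unprofiled machine: surface it rather than skip it.
            alerts.append((user, "no baseline"))
            continue
        limit = threshold(history)
        run = longest_run_over(samples, limit)
        if run >= min_hours:
            alerts.append((user, f"{run}h above {limit:.0f}% GPU"))
    return alerts

if __name__ == "__main__":
    for user, reason in find_anomalies(BASELINE, RECENT):
        print(f"ALERT {user}: {reason}")
```

Requiring a sustained run rather than a single sample keeps a one-off spike from paging anyone, while the per-user baseline keeps the render workstation's normal load from being treated like the marketing laptop's.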
A solid activity monitoring approach will coordinate monitoring with rapid-response capabilities that allow IT teams to quickly and easily terminate IP connections, shut down accounts, and end file transfers in order to detect and prevent insider security breaches. NetFlow monitoring can also tip you off to unusual activity. Other important practices for activity monitoring include carefully recording and documenting events if employees do carry out an insider attack. If there is no evidence against the employee, an organization won’t be able to prosecute them in court.
It's also important to note that even though an employee may no longer be with the company, their credentials can still pose a significant threat. Security teams should always freeze old accounts and delete old credentials so that any attempted activity will not go through. A laid-off or fired employee may be disgruntled and use their credentials to attack company systems, or the credentials could simply fall into the wrong hands, especially if the former employee has reused his or her password in multiple places.
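One way to check that old accounts really are frozen is to cross-reference the HR offboarding list against the directory and the authentication log. This is an added example, not part of the original article; the user names, dates, log format, and field layout are all constructed assumptions.

```python
from datetime import date, datetime

# Constructed data: HR departure dates, a directory export, and auth events.
OFFBOARDED = {"jdoe": "2024-03-01", "asmith": "2024-04-15"}
DIRECTORY = {
    "jdoe":   {"enabled": True},    # should have been disabled on departure
    "asmith": {"enabled": False},
    "blee":   {"enabled": True},    # current employee
}
# Assumed line format: <ISO timestamp> <user> <service> <SUCCESS|FAILURE>
AUTH_LOG = """\
2024-02-28T09:12:00 jdoe vpn SUCCESS
2024-03-09T23:41:00 jdoe vpn SUCCESS
2024-04-20T02:05:00 asmith mail FAILURE
2024-04-21T08:30:00 blee vpn SUCCESS
"""

def audit_departed(offboarded, directory, auth_log):
    """Return (user, finding) pairs for departed users' accounts and logins."""
    findings = []
    # 1. Accounts of departed users that are still enabled in the directory.
    for user in sorted(offboarded):
        if directory.get(user, {}).get("enabled"):
            findings.append((user, "account still enabled"))
    # 2. Any authentication attempt dated after the departure date. Failed
    #    attempts are kept too: they show someone is trying the old credentials.
    for line in auth_log.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        ts, user, service, result = fields
        if user not in offboarded:
            continue
        left = date.fromisoformat(offboarded[user])
        if datetime.fromisoformat(ts).date() > left:
            findings.append((user, f"{result} {service} login at {ts}"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_departed(OFFBOARDED, DIRECTORY, AUTH_LOG):
        print(f"{user}: {finding}")
```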
Managed File Transfer, Email, and Secure Data Transfer
While baselining and monitoring usage can help you find malicious insiders or compromised machines, one of the most common types of insider threats is actually simple laziness and negligence.
In today’s enterprise world, as much business is conducted outside of the confines of the corporate firewall as it is within, and employees often have to transfer large amounts of sensitive data to third parties outside of the company firewall. If employees aren't given a secure and simple way to transfer this data, they'll often take matters into their own hands and use unsecured email or, worse, unsanctioned file-sharing apps. Dropbox and Google Drive are the usual suspects.
Using a secure and reliable Managed File Transfer (MFT) solution provides organizations with the ability to ensure that sensitive data is delivered only to authorized recipients, and gives IT teams the ability to monitor and capture all file transfer activity. When choosing an MFT solution for external data sharing, security teams must consider any additional capabilities needed including account access, reports and alerts, anti-virus integration and any other security mechanisms.
How Ipswitch's Secure Managed File Transfer Can Help
As has been made clear above, insider threats pose a very serious concern for modern enterprise security. By fully understanding the risks associated with insider threats, IT teams can equip themselves with solutions to minimize risk. With Ipswitch’s Secure File Transfer solutions, organizations can assure the secure and compliant transfer of protected data by providing users with easy-to-use alternatives to risky transfer methods. Secure Folder Sharing provides a convenient, easy-to-use alternative to consumer-grade file sharing services. MOVEit Client provides access to secure transfers from Mac and Windows desktops. MOVEit Ad-Hoc makes secure file transfer easily accessible from Microsoft Outlook or a web browser. MOVEit Mobile enables access from iOS or Android devices.