
The Insider Threat Security Manifesto: Beating the threat from within

Ten steps to beating insider threats

We’ve established that insider threats are a serious security concern, one that needs to be higher up on IT professionals’ agendas. However, mitigating the risks is not a simple task.

Nearly 9 out of 10 IT professionals (86%) told us they did not realise that technology could help solve insider threats, so they seem to understand it mainly as a cultural and organisational issue. It is, but technology can certainly help mitigate the risks; an optimum strategy approaches the issue from both angles.

This is our manifesto for beating the threat from within.

  1. Limit or prevent concurrent logins

    In technology terms, this is your first line of defence against password sharing. If users know that giving their password to a colleague means their own network access will be restricted, they will be much less likely to do it. What's more, if a rogue user does obtain valid credentials that they shouldn't have, they will be prevented from using them at the same time as the legitimate owner. Access to critical assets can therefore be more authoritatively attributed to individual employees, which affirms accountability and avoids repudiation issues when there is an internal breach.

  2. Limit working hours or maximum session time

    Someone looking to gain access to files that they shouldn't have is likely to do so outside normal working hours, in order to lessen the risk of being caught. Network access attributed to a user within their set working hours, on the other hand, is more easily tied to that individual.

  3. Limit users to their own workstation or department

    By limiting users to specific workstations, devices, departments or IP ranges you are effectively reducing the network surface area that is open to any kind of attack. In reducing the number of computers or devices on which a compromised user's credentials can be used, you are reducing risk.

  4. Monitor user behaviour in real time

    Once restrictions such as these are in place, monitoring user access becomes easier. Tracking and reporting are only so useful when done in retrospect, so ensure you are monitoring in real time, so that suspicious activity is recognised while you are still able to respond to it.

  5. Recognise and respond to suspicious behaviour

    And do respond when you spot suspicious activity. An immediate response should be an integral part of an organisation's security policy and risk mitigation strategy. Responding quickly, even when the threat turns out to be a false alarm, shows users that action is taken swiftly; this educates them and reduces the risk of malicious insider activity.

  6. Deactivate computer access following termination

    Former employees are another kind of internal threat, and are often left with their network access open following the termination of employment, precisely when they may be more motivated to access sensitive information. It is crucial that you ensure their accounts are closed swiftly following termination.

  7. Implement a security policy

    It is great to have technical limitations on passwords and network access, but ensure you have a written policy too. 29% of the IT professionals we surveyed told us they don't have a security policy at all, which is very worrying. Make sure you have one, and make sure it explains why as well as what your policy is. Be transparent about the risks your policy addresses, and if you are in an industry that is subject to regulations then explain in understandable terms what those regulations are and why they're important.

  8. Clearly document policies

    Security policies should be clear, accessible to everyone and understood by all in your organisation. 41% of IT professionals said their security policy was included in an employee handbook or manual.

  9. Consistently remind users of policy

    Including a security policy in a company handbook, located somewhere accessible to all, is great, but it is just the first step to ensuring users understand it. We all know that these documents get read in an employee's first week on the job and then forgotten about. There is also a chance that users who are consistently trying to gain network access outside of the restrictions will get frustrated. Remind them why the restrictions are in place, and what they can do instead to get their job done, such as asking for temporary clearance.

    Mentioning contractual or legal implications here also helps highlight the severity of the issue to the user. Technology can help here too; we found that just 12% of the IT professionals we surveyed remind users of security policies with daily prompts. With some security applications it is possible to set up customisable alerts and prompts to ensure users are reminded of security policies in an effective way.

  10. Work closely with HR and other departments

    We have explained that mitigating insider threats is not just a technological problem. IT is responsible for managing network access, but not generally for managing sensitive employee information; that tends to be the remit of HR. Working closely with other departments may help with educating users on your security policy; HR could include it in the training schedule, for instance.

    It may also help in identifying potential internal threats, as HR are much more likely to be aware of situations where employees may be disgruntled, as well as keeping a closer eye on new starters and employee terminations.
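To show how the technical controls in steps 1 to 6 fit together, here is an added Python example that is not part of the manifesto and not code from any vendor product. It replays a short list of constructed logon and logoff events against per-user restrictions (permitted workstations, working hours, maximum session length, one concurrent session, and an active flag that HR clears on termination), denies logons that break a rule, and raises an alert for each violation so that it can be acted on while the activity is still happening. All user names, hostnames, times and events are hypothetical.

```python
"""Toy policy evaluator for insider-threat access restrictions (steps 1-6).

Added example with constructed data; not taken from any real directory or log.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass
class UserPolicy:
    """Per-user restrictions: where, when and for how long an account may be logged on."""
    allowed_hosts: frozenset          # workstations this user may log on from (step 3)
    work_start: time                  # permitted logon window (step 2)
    work_end: time
    max_session: timedelta            # longest permitted single session (step 2)
    max_concurrent: int = 1           # simultaneous sessions allowed (step 1)
    active: bool = True               # set to False when HR reports a termination (step 6)


# Hypothetical users and restrictions (constructed for this example).
POLICIES = {
    "alice": UserPolicy(frozenset({"WS-ALICE"}), time(8), time(18), timedelta(hours=10)),
    "bob": UserPolicy(frozenset({"WS-BOB", "WS-BOB-LAPTOP"}), time(9), time(17), timedelta(hours=9)),
    "carol": UserPolicy(frozenset(), time(9), time(17), timedelta(hours=8), active=False),
}

# Constructed sample events in arrival order: (ISO timestamp, user, host, action).
EVENTS = [
    ("2024-03-04T08:55:00", "alice", "WS-ALICE", "logon"),
    ("2024-03-04T09:10:00", "bob", "WS-BOB", "logon"),
    ("2024-03-04T09:30:00", "alice", "WS-BOB", "logon"),    # alice's password used on bob's PC
    ("2024-03-04T17:30:00", "alice", "WS-ALICE", "logoff"),
    ("2024-03-04T19:30:00", "bob", "WS-BOB", "logoff"),      # 10h20 session against a 9h limit
    ("2024-03-04T22:15:00", "bob", "WS-BOB", "logon"),       # logon after working hours
    ("2024-03-05T01:00:00", "carol", "WS-CAROL", "logon"),   # account left open after leaving
]


def check_logon(host, when, policy, open_sessions):
    """Return the rules a logon attempt would break (an empty list means allow it)."""
    if not policy.active:
        return ["account deactivated"]          # nothing else matters once the account is closed
    reasons = []
    if host not in policy.allowed_hosts:
        reasons.append("workstation not permitted")
    if not policy.work_start <= when.time() <= policy.work_end:
        reasons.append("outside working hours")
    if len(open_sessions) >= policy.max_concurrent:
        reasons.append("concurrent login")
    return reasons


def evaluate(events, policies):
    """Replay events in order, deny violating logons and alert on every violation.

    Returns a list of (timestamp, user, host, reason) alerts. A denied logon never
    opens a session, so a shared password cannot be used alongside its owner (step 1),
    and over-long sessions are flagged at logoff (step 2).
    """
    sessions = {}   # user -> {host: logon time} for sessions currently open
    alerts = []
    for ts, user, host, action in events:
        when = datetime.fromisoformat(ts)
        policy = policies.get(user)
        if policy is None:
            alerts.append((ts, user, host, "unknown account"))
            continue
        open_sessions = sessions.setdefault(user, {})
        if action == "logon":
            reasons = check_logon(host, when, policy, open_sessions)
            if reasons:
                alerts.extend((ts, user, host, r) for r in reasons)
            else:
                open_sessions[host] = when
        elif action == "logoff":
            started = open_sessions.pop(host, None)
            if started is None:
                alerts.append((ts, user, host, "logoff without matching logon"))
            elif when - started > policy.max_session:
                alerts.append((ts, user, host, "session exceeded maximum length"))
    return alerts


def alert_counts(alerts):
    """Count alerts per reason so the most-triggered control can be reviewed first (steps 4-5)."""
    return Counter(reason for _, _, _, reason in alerts)


if __name__ == "__main__":
    found = evaluate(EVENTS, POLICIES)
    for alert in found:
        print(" | ".join(alert))
    print(dict(alert_counts(found)))
```

Run on the constructed events, the evaluator denies alice's second logon (wrong workstation and a concurrent session), flags bob's over-long session at logoff and his after-hours logon, and refuses carol's logon because her account was deactivated. In a real deployment the same checks would sit in front of the logon path rather than replaying a log, and each alert would feed the real-time monitoring and response described in steps 4 and 5.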