Working with the Enemy: Malicious Insiders
No organization wants to think that one of its own trusted employees is out to get the firm. However, a study by Intel found that 43% of data losses are the result of “internal actors” – and about half of these incidents were due to the intentional acts of malicious insiders, not accidents or carelessness. Meanwhile, the rise of the Darknet, a shadowy corner of the internet that can only be accessed using special software that hides users’ locations and identities, has made it easier than ever for disgruntled or desperate people to sell their employers’ information, including system login credentials, to criminals.
Security researcher Brian Krebs reports that some organizations are paying security firms or partnering with law enforcement to monitor Darknet forums for malicious actors attempting to sell company secrets. The problem with this approach is that, by the time an employee has put together a package of company information and offered it up for sale on the Darknet, the damage has already been done – and the Darknet ad may not represent the first time the employee has sold information. Many malicious insiders operate for years before being detected. When protecting against malicious insiders, the best defense is a good offense; companies must identify malicious actors and stop them before they attempt to sell data to hackers.
How can organizations monitor insider activity and detect malicious insiders without impeding daily operations or making employees feel they are under lock and key? Lazarus Alliance recommends the following proactive steps:
Develop a comprehensive cyber security policy, including acceptable use.
The first step is to make sure that all of your employees know exactly what is expected of them regarding acceptable use of company hardware, software, and network access. For example, employees may be prohibited from accessing social media networks from company computers or from removing company tablets or laptops from the premises. The policy should include a description of the disciplinary consequences of violations. While an acceptable use policy won’t deter malicious insiders, by establishing specific rules, companies can more easily detect deviations and take corrective measures.
Give employees the minimum level of system access they need to do their jobs.
Employees should have access to the company systems they need to perform their job duties – and no more. For example, a billing clerk has no need to access employee tax and salary data, and employees in the marketing department should not be able to create new user accounts and set network privileges. Restricting system access puts an obstacle in the path of malicious insiders.
Continuously monitor your network for unusual user behavior.
Your organization’s systems should be monitored 24/7 to detect unusual user behavior, such as a user logging in from a different location or at a highly unusual time (such as the middle of the night), or accessing parts of the system they wouldn’t normally need. Not only will network monitoring allow you to detect the work of malicious insiders; it will also allow you to detect credentials that were stolen via phishing schemes.
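The monitoring step above, together with the least-privilege examples before it, as an added Python example (not from the original article and not Lazarus Alliance's tooling): it builds a per-user baseline from past activity and flags new events that come from a new location, at an unusual hour, or touch a resource the user has never needed. The event format, user names, country codes and resource names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): time, user, source country, resource.
HISTORY = [
    ("2024-03-04T09:12:00", "bclerk", "US", "billing"),
    ("2024-03-04T13:40:00", "bclerk", "US", "billing"),
    ("2024-03-05T10:05:00", "bclerk", "US", "invoices"),
    ("2024-03-05T16:55:00", "bclerk", "US", "billing"),
    ("2024-03-04T08:30:00", "mkt01", "US", "campaigns"),
    ("2024-03-05T17:20:00", "mkt01", "US", "campaigns"),
]
NEW_EVENTS = [
    ("2024-03-06T11:00:00", "bclerk", "US", "billing"),     # matches baseline
    ("2024-03-07T02:47:00", "bclerk", "US", "payroll"),     # night + new resource
    ("2024-03-07T09:15:00", "mkt01", "RO", "user-admin"),   # new location + new resource
    ("2024-03-07T09:30:00", "newhire", "US", "campaigns"),  # account with no history
]

def build_baseline(events):
    """Per-user profile: countries, hours of day and resources seen so far."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set(), "resources": set()})
    for ts, user, country, resource in events:
        p = profile[user]
        p["countries"].add(country)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["resources"].add(resource)
    return dict(profile)

def score_event(event, baseline, hour_slack=1):
    """Return the list of reasons an event deviates from the user's baseline."""
    ts, user, country, resource = event
    p = baseline.get(user)
    if p is None:
        return ["no_baseline"]  # unknown account: send to review, do not auto-trust
    reasons = []
    if country not in p["countries"]:
        reasons.append("new_location")
    hour = datetime.fromisoformat(ts).hour
    # Circular distance, so 23:00 and 00:00 count as one hour apart.
    if min(min((hour - h) % 24, (h - hour) % 24) for h in p["hours"]) > hour_slack:
        reasons.append("unusual_hour")
    if resource not in p["resources"]:
        reasons.append("unusual_resource")
    return reasons

def detect(history, new_events):
    """Return (event, reasons) pairs for every new event with at least one deviation."""
    baseline = build_baseline(history)
    return [(e, r) for e in new_events if (r := score_event(e, baseline))]
```

Calling `detect(HISTORY, NEW_EVENTS)` returns the three deviating events with their reasons; in practice the baseline window and `hour_slack` need tuning per role to keep false positives manageable.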
Malicious insider threat monitoring is a continuous process, and information security threats are always evolving, which is why it’s a good idea to enlist a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting our clients from insider threats and other security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats.
Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help you protect your organization against insider threats.