How to Thwart Insider Threats by Tom Cross

Insider threats are a rising concern. Over the past several years, there has been a steady stream of reported incidents of authorized users abusing their privileges to sabotage their company or steal confidential data for financial or competitive gain. Changes in the business environment are also contributing to this concern, as increased reliance on outsourcing, contractors and third-party technology platforms means that sensitive information is exposed to a larger group of people.

In the case of the insider threat, the perpetrator will already have access to the internal environment. Access controls and perimeter defenses aren’t going to stop them.

Here are five tips for addressing this rising threat:

1. Have a comprehensive process for terminating employee access to the network. It seems obvious, but many organizations have process gaps that prevent them from closing certain accounts or detecting and shutting down active connections at the time that an employee leaves the organization.

2. Create checks and balances for system and network administrators. More than one person should have administrative access to every system and device, but shared usernames and passwords should be avoided because shared accounts are harder to audit and revoke.

3. Work with management to identify disgruntled employees. IT monitoring and detection efforts should be considered “air support” for management efforts “on the ground” to identify individuals who may be disgruntled or engaged in fraud. Computer misuse is often preceded by other workplace behaviors.

4. Pay attention to audit trails of system accesses and network activity around employment termination. Most insider incidents occur when an employee is on the way out the door, and they are often detected by examining log information – including traditional Syslog as well as NetFlow and packet captures.

5. IT cannot resolve insider threat problems alone. This is a multidisciplinary problem that requires cooperation between IT, HR, Legal and Executive Management to identify at-risk individuals while ensuring that employee privacy is protected.  

From a technology standpoint, the only way to prevent this kind of attack is to have visibility into what insiders are doing on the network so that suspicious behavior – such as unusually large file transfers or attempts to access restricted areas – can be identified and further investigated. For more information on how Lancope can provide the network visibility needed to thwart insider threats, go to: solutions/security-operations/.
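Tip 4 and the closing paragraph both come down to the same practice: correlate network activity with HR events and look for the behaviors named above (activity on accounts that should have been closed, unusually large transfers, access to restricted areas). The script below is an added illustration, not Lancope's code or a description of its product; it runs three such checks over a handful of constructed, NetFlow-like flow records. The record format (timestamp, user, source, destination, bytes), the termination list, the restricted subnet, the allowed-user set and the 10x-median threshold are all assumptions chosen for the example.

```python
"""Triage constructed flow records against termination dates, per-user transfer
baselines and a restricted subnet. Added example; all data below is made up."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median


@dataclass
class Flow:
    ts: datetime
    user: str
    src: str
    dst: str
    nbytes: int


def parse_iso(s):
    # Accept a trailing 'Z' on older Pythons by rewriting it as an explicit UTC offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_flow(line):
    # Assumed record layout: "<timestamp> <user> <src-ip> <dst-ip> <bytes>"
    ts, user, src, dst, nbytes = line.split()
    return Flow(parse_iso(ts), user, src, dst, int(nbytes))


# Constructed sample records (not real traffic). bob's termination is 2024-03-04.
SAMPLE_FLOWS = [
    "2024-03-01T09:12:00Z alice 10.1.1.5 10.1.20.10 120000",
    "2024-03-01T10:40:00Z alice 10.1.1.5 10.1.20.10 98000",
    "2024-03-01T11:05:00Z bob 10.1.1.9 10.1.20.10 150000",
    "2024-03-02T09:30:00Z bob 10.1.1.9 10.1.20.10 130000",
    "2024-03-03T22:15:00Z bob 10.1.1.9 203.0.113.7 5200000000",  # large, external, pre-exit
    "2024-03-05T08:02:00Z bob 10.1.1.9 10.1.20.10 45000",         # after termination
    "2024-03-02T14:20:00Z carol 10.1.1.12 10.1.50.20 80000",      # restricted segment
    "2024-03-02T15:00:00Z dave 10.1.1.30 10.1.50.20 70000",       # dave is permitted there
]
TERMINATED = {"bob": "2024-03-04T17:00:00Z"}      # hypothetical HR feed: account -> exit time
RESTRICTED_NETS = [ip_network("10.1.50.0/24")]     # hypothetical finance/HR segment
ALLOWED_RESTRICTED = {"dave"}                      # accounts permitted to reach that segment


def alert(rule, f, detail):
    return {"rule": rule, "user": f.user, "ts": f.ts.isoformat(), "bytes": f.nbytes, "detail": detail}


def flag_post_termination(flows, terminated):
    """Any flow attributed to an account at or after its recorded termination time."""
    out = []
    for f in flows:
        cutoff = terminated.get(f.user)
        if cutoff and f.ts >= parse_iso(cutoff):
            out.append(alert("post_termination", f, f"{f.ts - parse_iso(cutoff)} after termination"))
    return out


def flag_large_transfers(flows, factor=10):
    """Flows larger than `factor` times the user's own median flow size.
    A user with a single flow has no baseline (median equals the flow), so is never flagged."""
    sizes = {}
    for f in flows:
        sizes.setdefault(f.user, []).append(f.nbytes)
    out = []
    for f in flows:
        baseline = median(sizes[f.user])
        if f.nbytes > factor * baseline:
            out.append(alert("large_transfer", f, f"{f.nbytes} bytes vs median {baseline:.0f}"))
    return out


def flag_restricted_access(flows, nets, allowed):
    """Flows into a restricted subnet from accounts not on the allow list."""
    out = []
    for f in flows:
        if f.user not in allowed and any(ip_address(f.dst) in n for n in nets):
            out.append(alert("restricted_access", f, f"destination {f.dst} in restricted segment"))
    return out


def triage(lines, terminated, nets, allowed):
    flows = [parse_flow(line) for line in lines]
    alerts = (flag_post_termination(flows, terminated)
              + flag_large_transfers(flows)
              + flag_restricted_access(flows, nets, allowed))
    return sorted(alerts, key=lambda a: a["ts"])  # chronological, for an analyst's timeline


if __name__ == "__main__":
    for a in triage(SAMPLE_FLOWS, TERMINATED, RESTRICTED_NETS, ALLOWED_RESTRICTED):
        print(f"{a['ts']} {a['rule']:18} {a['user']:6} {a['detail']}")
```

On the sample data this raises three alerts: carol reaching the restricted segment, bob's 5.2 GB transfer to an external address the night before his exit, and bob's account still active the day after termination. The per-user median baseline is deliberately simple; in practice the baseline would come from weeks of history rather than four flows, and the termination feed would be the HR system of record rather than a hard-coded dictionary.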