With so many attacks coming from outside individuals and groups looking to exploit corporate vulnerabilities and sensitive information assets, companies sometimes overlook another common threat: their own people, including current and former employees and contractors. It is disheartening to think of trusted colleagues exploiting sensitive information for their own monetary gain, but it happens often enough that it has to be planned for. Luckily, there are some telltale signs of this kind of activity that let you identify and contain problems quickly using the indicators and strategies detailed below.
Indicators: Increasing Insider Threat Awareness
Keep an eye out for the following suspicious occurrences, and you’ll have a far better chance of thwarting a malicious insider threat, even if it’s disguised as an unintentional act.
1. Unusual logins
At many companies there is a distinct pattern to user logins that repeats day after day: the same people, from the same networks and devices, at roughly the same hours. Logins that break a user's own pattern, such as remote access from a location or device the person has never used, or sessions starting in the middle of the night, could be a sign of trouble. Likewise, your authentication logs may start filling up with unexplained failed attempts against generic usernames such as “test” or “admin,” which is what someone probing for a weak or forgotten account looks like. Judge each event against that user's own baseline rather than a single company-wide rule, so that a night-shift operator's 2 a.m. login is normal and a day-shift accountant's is not, and treat anything out of the ordinary as worth investigating.
2. Use or repeated attempted use of unauthorized applications
No doubt you maintain a dizzying number of mission-critical systems such as your CRM, financial management applications, ERP, and others, each of which should have a strictly defined set of users. If you’re structuring your access privileges properly, you’ll have particular people or roles that are granted access to the applications they need and nothing else. When unauthorized people gain access to these applications and the sensitive data they house, it could mean a breach of disastrous proportions for your business. A rise in access attempts against these systems, especially denied attempts by accounts that are not entitled to them, is a red flag, so make sure the applications log authorization failures and not only failed logins.
3. An increase in escalated privileges
Anyone with heightened system access is an inherent risk to your business simply because they are privy to sensitive information that should never fall into the wrong hands. Sometimes a person with administrative rights (a trusted individual) will start granting privileges to others who shouldn’t have them, or to themselves. An increase in the number of people with this sort of escalated access could mean they’re wandering unencumbered around your servers, looking for just the right data to sell on the dark web, and the same privileges can be used to reach the unauthorized applications mentioned above. Every grant of elevated access should trace back to an approved request, so audit group-membership and role changes against your change records and treat grants with no matching approval, standing grants that never expire, or clusters of grants made at odd hours as indicators in their own right.
4. Excessive downloading of data
Your IT team probably has a good handle on your organization’s bandwidth usage and data transfer patterns when it comes to data accessed from your onsite network or cloud infrastructure and copied onto laptops, external drives, or personal cloud storage. Perhaps it’s normal for the sales team to download large marketing files or for HR to export large employee or payroll databases on a regular basis. But if you begin to see significant transfers that can’t be explained, or that occur at odd times of day or from locations where you don’t typically do business, something is likely amiss. As with logins, the useful comparison is against that user's or team's own history: a payroll export is routine for an HR account and alarming for a sales account.
5. Unusual employee behavior
The behavior indicator is a good one, and it requires some intuition and a keen eye. If someone who is normally a high performer who gets along well with others starts to act differently, take notice. While it’s certainly possible there are extenuating personal circumstances behind the scenes, unexplained poor performance or disagreements with coworkers or superiors over policies could mean this person is someone to keep an extra close eye on for the foreseeable future. Particularly if he or she seems to indicate financial distress or unexplained financial gain, or resigns unexpectedly, this person may already have made, or be planning to make, improper use of your corporate assets. The notice period is a high-risk window, so review the access and data activity of anyone who has resigned before their last day rather than after it.
Strategizing and Implementing an Insider Threat Program
The strategies and tools available to round out your insider threat program are becoming more sophisticated to keep up with—and often stay ahead of—cybercriminals out for financial gain or to cause destruction.
1. Make sense of event data with a SIEM solution
A security information and event management (SIEM) solution can become your eyes and ears by aggregating, normalizing, and correlating the data feeds from your security and infrastructure systems: authentication successes and failures, changes to user profiles, groups, and system values, intrusion detections, file and data-transfer activity, and changed or deleted objects. With correlation rules and per-user baselines in place, it can flag the abnormal events hiding in the routine ‘noise’ and raise alerts so your team can assess them and act swiftly to minimize the potential impact. A SIEM only finds what it has been told to look for, so the insider indicators above need to be written down as rules and tuned against your own environment's normal activity.
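To make the indicators concrete, here is an added example, not code from the original article or from any SIEM product, of the kind of correlation logic described in points 1 and 4 above and in this section. It normalizes two constructed log formats into one event stream, replays the events in time order so that each user's baseline is built only from earlier events, and raises alerts for off-hours logins, logins from a country the user has never used, bursts of failed attempts against generic usernames such as "admin" and "test", and data transfers far above the user's own history. The log formats, field names, thresholds and sample data are all assumptions for the example.

```python
"""Baseline-and-deviate insider indicators over constructed log lines (added example)."""
import json
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_BASELINE = 3                                   # assumed: events needed before trusting a baseline
PROBE_NAMES = {"admin", "test", "root", "guest"}    # assumed: generic accounts an insider would try
PROBE_THRESHOLD = 3                                # assumed: failed probe attempts per source before alerting

# Constructed sample data (not real logs). Two formats, to show the normalize step.
AUTH_LOG = """\
2024-03-04T08:55:12Z auth user=alice src=10.0.1.20 country=US result=success
2024-03-05T09:02:41Z auth user=alice src=10.0.1.20 country=US result=success
2024-03-06T08:58:03Z auth user=alice src=10.0.1.20 country=US result=success
2024-03-07T02:14:55Z auth user=alice src=203.0.113.7 country=RO result=success
2024-03-07T02:16:10Z auth user=admin src=10.0.1.44 country=US result=failure
2024-03-07T02:16:12Z auth user=test src=10.0.1.44 country=US result=failure
2024-03-07T02:16:15Z auth user=admin src=10.0.1.44 country=US result=failure
"""
TRANSFER_LOG = """\
{"ts":"2024-03-04T10:00:00Z","user":"bob","bytes":52428800,"dest":"usb"}
{"ts":"2024-03-05T10:00:00Z","user":"bob","bytes":41943040,"dest":"usb"}
{"ts":"2024-03-06T10:00:00Z","user":"bob","bytes":47185920,"dest":"usb"}
{"ts":"2024-03-07T23:40:00Z","user":"bob","bytes":5368709120,"dest":"usb"}
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)$"
)


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(auth_text, transfer_text):
    """Turn both raw formats into one list of event dicts sorted by time."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count and report these
        e = m.groupdict()
        e.update(kind="auth", ts=_parse_ts(e["ts"]))
        events.append(e)
    for line in transfer_text.splitlines():
        if line.strip():
            e = json.loads(line)
            e.update(kind="transfer", ts=_parse_ts(e["ts"]))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(auth_text, transfer_text):
    """Replay events chronologically; baselines only ever contain earlier events."""
    alerts = []
    login_hours = defaultdict(list)     # user -> hours of earlier successful logins
    countries = defaultdict(set)        # user -> countries seen in earlier successes
    probe_failures = defaultdict(int)   # source address -> failed probe-name attempts
    transfer_bytes = defaultdict(list)  # user -> sizes of earlier transfers

    for e in normalize(auth_text, transfer_text):
        user, ts = e["user"], e["ts"]
        if e["kind"] == "auth":
            if e["result"] != "success":
                # Indicator 1b: repeated failures against generic names from one source.
                if user in PROBE_NAMES:
                    probe_failures[e["src"]] += 1
                    if probe_failures[e["src"]] == PROBE_THRESHOLD:
                        alerts.append({"rule": "probe_usernames", "subject": e["src"], "ts": ts})
                continue
            hours = login_hours[user]
            if len(hours) >= MIN_BASELINE:
                # Indicator 1a: outside this user's usual window (one hour of slack).
                if not (min(hours) - 1 <= ts.hour <= max(hours) + 1):
                    alerts.append({"rule": "offhours_login", "subject": user, "ts": ts})
                if e["country"] not in countries[user]:
                    alerts.append({"rule": "new_country", "subject": user, "ts": ts})
            hours.append(ts.hour)
            countries[user].add(e["country"])
        else:
            # Indicator 4: transfer far above this user's own history (mean + 3 sigma).
            prior = transfer_bytes[user]
            if len(prior) >= MIN_BASELINE and e["bytes"] > mean(prior) + 3 * pstdev(prior):
                alerts.append({"rule": "transfer_spike", "subject": user, "ts": ts})
            prior.append(e["bytes"])
    return alerts


if __name__ == "__main__":
    for a in detect(AUTH_LOG, TRANSFER_LOG):
        print(a["ts"].isoformat(), a["rule"], a["subject"])
```

Run on the constructed data, this produces four alerts: alice's 02:14 login from a new country, three failed "admin"/"test" attempts from 10.0.1.44, and bob's 5 GB copy to removable media. The point of replaying in order is that a baseline polluted by the suspicious event itself would never fire; a production SIEM rule needs the same discipline, plus a minimum baseline size so new hires are not flagged on day one.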
2. Limit user access with a privileged access management (PAM) solution
It is well worth the effort to develop and implement a thorough approach to user privileges and access rights. Most employees only require access to a few key network locations and applications, and even these need to be curated by role and revisited as job-specific requirements change. In general, users should only be able to access precisely what they need to perform their jobs (keeping productivity in mind, since cumbersome workarounds breed unofficial access paths). Assigning the lowest level of privileges required to minimize exposure is the principle of least privilege. Role-based access control handles this for ordinary accounts; a privileged access management (PAM) solution handles the administrative side by vaulting shared admin credentials, granting elevated access just in time and for a limited period against an approved request, and recording privileged sessions, so that a privilege grant or admin action with no approval behind it stands out.
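As an added example (not code from the article or from any PAM product) of the entitlement review implied by indicator 3 above and by least privilege here, the following script compares each user's active grants with what their role entitles them to, and flags grants made without an approved change ticket, grants with no expiry, grants made by an account that is not an approver, and a burst of grants from one administrator in a short window. The role matrix, user list, grant log, ticket list and review time are all constructed for the example.

```python
"""Least-privilege entitlement review over a constructed grant log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed entitlement model: which applications each role needs. Anything an
# account can reach beyond its role is excess privilege.
ROLE_ENTITLEMENTS = {
    "sales": {"crm"},
    "finance": {"erp", "finance"},
    "hr": {"hris", "payroll"},
    "sysadmin": {"crm", "erp", "finance", "hris", "payroll", "admin-console"},
}
APPROVER_ROLES = {"sysadmin"}     # assumed: only these roles may grant access
USERS = {"alice": "sales", "bob": "finance", "carol": "hr", "dave": "sysadmin", "erin": "sales"}
APPROVED_TICKETS = {"CHG-101"}    # assumed: change tickets an approver signed off
NOW = datetime(2024, 3, 7, 12, 0, 0)  # assumed review time (UTC)

# Constructed grant log: who gave what to whom, under which ticket, for how long.
GRANT_LOG = [
    {"ts": "2024-03-04T09:00:00Z", "by": "dave", "to": "alice", "app": "finance", "ticket": "CHG-101", "ttl_hours": 8},
    {"ts": "2024-03-06T22:10:00Z", "by": "dave", "to": "erin", "app": "admin-console", "ticket": None, "ttl_hours": None},
    {"ts": "2024-03-06T22:12:00Z", "by": "dave", "to": "erin", "app": "payroll", "ticket": None, "ttl_hours": None},
    {"ts": "2024-03-06T22:15:00Z", "by": "dave", "to": "bob", "app": "hris", "ticket": None, "ttl_hours": None},
    {"ts": "2024-03-07T08:00:00Z", "by": "erin", "to": "erin", "app": "erp", "ticket": None, "ttl_hours": None},
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def review(users, grant_log, approved_tickets, now, burst_window=timedelta(hours=1), burst_limit=2):
    """Return findings about how grants were made, plus each user's excess access."""
    findings = []
    active = defaultdict(set)        # user -> apps granted and still in force at `now`
    by_granter = defaultdict(list)   # granter -> timestamps of their grants

    for g in grant_log:
        t = _parse_ts(g["ts"])
        by_granter[g["by"]].append(t)
        where = {"by": g["by"], "to": g["to"], "app": g["app"]}
        if users.get(g["by"]) not in APPROVER_ROLES:
            findings.append({"rule": "grant_by_unprivileged_account", **where})
        if g["ticket"] not in approved_tickets:
            findings.append({"rule": "grant_without_approved_ticket", **where})
        if g["ttl_hours"] is None:
            findings.append({"rule": "standing_grant", **where})   # should be just-in-time
            expired = False
        else:
            expired = t + timedelta(hours=g["ttl_hours"]) <= now
        if not expired:
            active[g["to"]].add(g["app"])

    # A cluster of grants from one admin in a short window is indicator 3 in action.
    for granter, times in by_granter.items():
        times.sort()
        for i, t in enumerate(times):
            if sum(1 for u in times[i:] if u - t <= burst_window) > burst_limit:
                findings.append({"rule": "grant_burst", "by": granter, "to": None, "app": None})
                break

    # Excess = active grants beyond what the account's role entitles it to.
    excess = {}
    for user, apps in active.items():
        extra = apps - ROLE_ENTITLEMENTS.get(users.get(user), set())
        if extra:
            excess[user] = sorted(extra)
    return {"findings": findings, "excess": excess}


if __name__ == "__main__":
    result = review(USERS, GRANT_LOG, APPROVED_TICKETS, NOW)
    for f in result["findings"]:
        print(f["rule"], f["by"], f["to"], f["app"])
    print("excess:", result["excess"])
```

On the constructed data, alice's ticketed, eight-hour grant has expired and produces nothing, which is the shape a least-privilege grant should have. The three late-evening grants dave made without tickets trigger the burst rule and leave erin and bob with access their roles do not justify, and erin's self-grant is caught because her role is not an approver. The same review run against a real directory and PAM audit trail is what turns the "increase in escalated privileges" indicator into a list of specific accounts to question.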
3. Maintain vigilance
Malicious insider threats are an unfortunate reality today, and there’s no substitute for ongoing attention to what’s happening across your network. This means you need to review your monitoring on a consistent basis, track unusual behavior, and take comments and complaints about an employee’s unusual behavior seriously. Remember that in addition to implementing the appropriate cybersecurity tools and procedures to keep up with environment monitoring and bolster your security posture, your intuition is often a reliable guide that something is wrong.