As much as you might like to think you can trust the people you work with, this is not always the case. Fortunately, insider threats more often come from human error than from malice, but the bottom line is that monitoring employee access and requiring strong credentials will go a long way toward improving your security.
It’s easy to focus on high-visibility outside threats, like ransomware or DDoS attacks, but the majority of breaches come from human error, and carelessness accounts for the majority of human error. Automated database surveillance can monitor your data for unusual activity, log users’ access attempts, and detect potential breaches efficiently.
Not All Threats Are External
When you think of security risks, you typically think of things like malware, phishing, ransomware, DDoS attacks, and others. Insider threats, in which someone within your organization unintentionally creates security risks or actively compromises your security, do not always come to mind immediately. However, insider threats are a real risk.
Unlike more visible threats, insider threats rarely make the news. And unlike bugs in the code or unpatched vulnerabilities, insider threats cannot be solved with a software update. Insider threats fly under the radar of many security teams, and because human behavior can be unpredictable, these threats are often difficult to detect and identify. Most surveillance detects suspicious activity, but a careless insider isn’t acting in a way that would trigger an alert. It’s fundamentally normal activity. Besides that, it’s easier to trust another person in your organization than to trust that a bot attempting to access your data is benign.
Insider threats also come in myriad forms. Users with weak credentials (if you know anyone who still uses “123456” as a password, some public shaming may be in order) are a significant problem. Many users do not use multi-factor authentication, and they tend to save passwords in their browsers rather than in a secure password manager. Insufficiently trained employees may respond to phishing emails or social engineering attacks. Each of these potential attack vectors is highly exploitable, and data breaches stemming from them are becoming more expensive.
Insider Breaches Are on the Rise
Each incident costs the average organization around $16 million, and the costs are increasing approximately 32% each year. 82% of CISOs are concerned about insider threats, and 75% believe they have failed to detect exploitation and data losses from insider threats. As work becomes increasingly remote, it becomes more challenging to effectively train employees.
Those employees are also more removed from the direct influence of a security team, and their remote desktop connections, home devices, home networks, and other devices add more potential attack vectors. An employee with IoT devices at home could use the same Wi-Fi connection to log in to access your company’s sensitive data. Any hacker lurking on that smart thermostat could then leverage the connection to access the company-issued computer and whatever data is on it. This is only one example.
Employees with a flexible schedule may be accessing company data long after the IT department has signed off for the night, so any suspicious activity may not be detected for several hours. Using Google’s API to sign in to multiple accounts could allow an attacker access to the employee’s email, Google Drive, and any account connected to the API. An employee who receives multiple push notifications from MFA could make a mistake and accept one if enough are sent. Even security professionals share some of the blame. Cloud misconfiguration has been one of the top threats in recent years.
Protecting Against Insider Data Breaches
As the ways to take advantage of insiders have increased, security budgets have decreased, making it essential for your organization to spend wisely. Invest in data security and monitoring solutions to identify potentially suspicious access events, and enable alerts. Train your teams to avoid phishing emails and social engineering attempts, to store credentials safely, and to use best practices for accessing company data.
While monitoring may not pick up user carelessness, you can and should log who accesses what data at all times. If your insider is malicious, this will enable you to more quickly notice suspicious activity and then identify and lock out the person responsible. If your user is merely careless, you will still have an improved ability to track access. If you know a particular bit of information has been compromised, you’ll have a log of people who have recently accessed it (and a much smaller pool of people to check out).
Finally, be sure to actively manage permissions, especially for very sensitive data. Users should only be able to access the data needed to do their jobs, and if you fire an employee, avoid malicious insider threats by locking accounts immediately. Disable email and database access as soon as possible, and eliminate old credentials.
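The access-log review and account-lockout checks described in the last two paragraphs can be sketched as follows. This is an added example, not code from the article: the log format, the `TERMINATED` HR feed, the `EXPORT` action, and the business-hours window are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed audit-log sample: timestamp,user,action,resource (not real data).
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice,SELECT,customers.ssn
2024-03-04T14:40:00,bob,SELECT,orders.total
2024-03-05T23:47:00,carol,SELECT,customers.ssn
2024-03-06T10:05:00,dave,EXPORT,customers.ssn
2024-03-06T11:30:00,alice,SELECT,orders.total
2024-02-10T08:00:00,erin,SELECT,customers.ssn
"""

# Hypothetical HR feed: accounts that should already be locked, with departure time.
TERMINATED = {"dave": datetime(2024, 3, 5, 17, 0)}
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 local time

def parse(log_text):
    """Yield one dict per audit-log line."""
    for line in log_text.strip().splitlines():
        ts, user, action, resource = line.split(",")
        yield {"ts": datetime.fromisoformat(ts), "user": user,
               "action": action, "resource": resource}

def scope_exposure(log_text, resource, discovered, lookback_days=7):
    """Return {user: [reasons]} for everyone who touched `resource` in the window.

    An empty reason list means routine access: the user is still in the pool
    to check, but nothing about the event itself stands out.
    """
    start = discovered - timedelta(days=lookback_days)
    pool = {}
    for ev in parse(log_text):
        if ev["resource"] != resource or not (start <= ev["ts"] <= discovered):
            continue
        reasons = pool.setdefault(ev["user"], [])
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("after-hours access")
        left = TERMINATED.get(ev["user"])
        if left and ev["ts"] > left:
            reasons.append("access after termination")
        if ev["action"] == "EXPORT":
            reasons.append("bulk export")
    return pool

if __name__ == "__main__":
    found = scope_exposure(SAMPLE_LOG, "customers.ssn", datetime(2024, 3, 7))
    for user, reasons in found.items():
        print(user, reasons or ["routine access"])
```

Any hit for "access after termination" means the lockout step failed for that account, which is worth alerting on independently of a breach investigation.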
Insider threats are on the rise, but with training and careful database monitoring, you can reduce your risk. Although most employees are not malicious, carelessness can create problems for your organization, so be sure to require that everyone follow security protocols, attend refresher trainings, and use MFA. You might not be able to create an impenetrable environment, but reducing insider threats is one of the best things you can do to improve your overall security.