Editor’s Note: The authors of this article are a BakerHostetler partner and a senior managing director at the investigative consulting firm, K2 Intelligence.
Although many people think cybersecurity simply involves preventing malicious outsiders from accessing corporate networks, the 2015 Verizon Data Breach Investigations Report (DBIR) confirms that the “common denominator across … nearly 90 percent of all [cyber security] incidents is people…[w]hether it’s goofing up, getting infected, behaving badly, or losing stuff….”
Many of those behaviors can be addressed by better training and awareness programs, and improved policies in a number of areas, including passwords, software updates, encryption, and removable media. But those steps, critical as they are, may have little or no value when employees are non-compliant, compromised, malicious, or when they abuse their access privileges.
The malicious insider can be a current or former employee, contractor, or business partner with authorized access to networks, systems, or data who intentionally exceeds or misuses that access. For example, an employee or other trusted insider (e.g., a contractor or consultant) may engage in corporate espionage, sabotage, fraud, or theft of enterprise data, such as client lists or intellectual property. An employee can ignore the rules or engage in sloppy behaviors, such as downloading sensitive data to thumb drives or emailing corporate information to a personal web-based email account for ease of access and convenience. Or a disgruntled former employee, still able to log into the corporate network, can do serious damage, including destroying and deleting key files.
In 2013, the FBI uncovered just such a case, involving the former employee of a Long Island-based company who left his job after being passed over for promotions. He had been a systems manager with high-level access to the company’s networks, and was responsible for ensuring that the company’s software ran smoothly to keep production planning, purchasing and inventory control operating efficiently. After quitting his job, he managed to find an avenue to launch a three-week cyber offensive, which included altering the company’s business calendar to disrupt production and finance operations.
Advanced Tools to Combat the Threat
Insider threats create significant cybersecurity risks for today’s enterprises that are difficult to prevent and detect with traditional tools and methodologies. Fortunately, insider threats now can be confronted proactively, with tools utilizing big data and advanced analytics.
Utilizing advanced monitoring software, enterprises can analyze critical data across the entire enterprise, establish baselines of normal behavior, and identify anomalous activities and outliers. This information allows companies to be less reactive, and more proactive, in detecting high-risk activities and individuals.
Data sources that feed into the analysis can include email and other forms of digital communication, card swipes and other physical location data, access to and movement within enterprise networks, and transactional data.
Advanced analytics allow companies to search this data for indications of high-risk activity, such as sharing corporate data outside the enterprise, insider trading, and market manipulation. Companies also can detect behavioral changes in privileged users by correlating their technical activity with contextual information about the person; such changes might indicate that the user’s credentials have been compromised. They also can uncover unusual employee behavior, such as coming in at an odd hour, by tracking physical access records and logs.
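The paragraphs above describe the approach in the abstract: establish a per-user baseline, then correlate network activity with physical-access data to surface outliers. The following is an added example, not code from the article or from K2 Intelligence, showing one minimal form of that logic over a constructed set of badge swipes and on-premises workstation logons. The event format, user names, and thresholds are all assumptions made for the illustration.

```python
"""Per-user baselines and outlier detection over constructed access logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (not real data): user, local timestamp,
# source ("badge" = card swipe at a door, "logon" = interactive logon to an
# on-premises workstation), detail.  Bob works a night shift, so a fixed
# "after 7 pm" rule would flag him every day; a per-user baseline does not.
SAMPLE_EVENTS = [
    ("alice", "2015-09-01 08:52", "badge", "HQ-lobby"),
    ("alice", "2015-09-01 09:01", "logon", "WS-ALICE"),
    ("alice", "2015-09-02 08:47", "badge", "HQ-lobby"),
    ("alice", "2015-09-02 08:58", "logon", "WS-ALICE"),
    ("alice", "2015-09-03 09:10", "badge", "HQ-lobby"),
    ("alice", "2015-09-03 09:15", "logon", "WS-ALICE"),
    ("alice", "2015-09-04 02:37", "logon", "WS-ALICE"),  # odd hour, no swipe
    ("bob",   "2015-09-01 21:05", "badge", "HQ-lobby"),
    ("bob",   "2015-09-01 21:12", "logon", "WS-BOB"),
    ("bob",   "2015-09-02 21:00", "badge", "HQ-lobby"),
    ("bob",   "2015-09-02 21:09", "logon", "WS-BOB"),
    ("bob",   "2015-09-03 20:58", "badge", "HQ-lobby"),
    ("bob",   "2015-09-03 21:03", "logon", "WS-BOB"),
    ("bob",   "2015-09-04 21:07", "badge", "HQ-lobby"),
    ("bob",   "2015-09-04 21:11", "logon", "WS-BOB"),
]


def _hour(ts: str) -> float:
    """Fractional hour of day, e.g. '09:30' -> 9.5."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    return dt.hour + dt.minute / 60


def _day(ts: str) -> str:
    return ts[:10]


def _circular_diff(a: float, b: float) -> float:
    """Distance between two hours of day on a 24-hour circle (23:30 vs 00:30 = 1h)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_baseline(events, before: str):
    """Per-user (mean, stdev) of logon hour, learned only from days before `before`.

    The stdev is floored at one hour so a very regular user does not get an
    unrealistically narrow window.
    """
    hours = defaultdict(list)
    for user, ts, source, _ in events:
        if source == "logon" and _day(ts) < before:
            hours[user].append(_hour(ts))
    return {u: (mean(h), max(pstdev(h), 1.0)) for u, h in hours.items() if h}


def find_outliers(events, baseline, since: str, k: float = 2.0):
    """Score logons dated on/after `since` against the baseline.

    Two checks: logon hour more than k standard deviations from the user's
    norm, and an on-premises logon with no badge swipe earlier that day.
    Returns (user, timestamp, reason, detail) tuples.
    """
    badge_hours = defaultdict(set)
    for user, ts, source, _ in events:
        if source == "badge":
            badge_hours[(user, _day(ts))].add(_hour(ts))

    findings = []
    for user, ts, source, detail in events:
        if source != "logon" or _day(ts) < since:
            continue
        h = _hour(ts)
        if user in baseline:
            mu, sd = baseline[user]
            if _circular_diff(h, mu) > k * sd:
                findings.append((user, ts, "off-baseline logon hour", detail))
        else:
            findings.append((user, ts, "no baseline for user", detail))
        swipes = badge_hours.get((user, _day(ts)), set())
        if not any(s <= h for s in swipes):
            findings.append((user, ts, "on-prem logon without prior badge swipe", detail))
    return findings


if __name__ == "__main__":
    base = build_baseline(SAMPLE_EVENTS, before="2015-09-04")
    for finding in find_outliers(SAMPLE_EVENTS, base, since="2015-09-04"):
        print(finding)
```

Run as a script, this flags only Alice's 02:37 logon (twice: it is far outside her 09:00 baseline, and no badge swipe preceded it that day) while Bob's 21:11 logon passes, because his own history says that hour is normal for him. In a real deployment the baseline would come from weeks of history rather than three days, and a finding would be triaged against HR context (approved remote work, shift changes) before anyone concluded that credentials had been misused.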
Performing regular software integrity checks is vital to keeping networks and company data secure. Additionally, using endpoint management to assess if an employee is using disposable media, such as a thumb drive, can prevent data from being compromised or ending up in the wrong hands.
State-of-the-art perimeter defenses and employee training programs are virtually useless if the enemy lies within or employees are non-compliant. Companies stand a better chance of mitigating the insider threat by also taking steps to identify breaches proactively. It is also critical to focus on credential management and review how much access insiders have to critical information. These steps will allow companies to better protect the data that needs to be protected.
Co-Author: Austin P. Berglas, Senior Managing Director at K2 Intelligence
This article first appeared on Bloomberg BNA’s Big Law Business on October 2, 2015.