According to a study by Intel in September 2015, almost 43 % of all data breaches were due to insider breaches (half being intentional). Threats perpetuated by disgruntled employees form an overwhelming number in these, especially in the Asia pacific region, where it is the second largest cause of all security breaches.
But despite such staggering figures, very few organisations or IT employees take the insider threat seriously- as low as 20% in the US market. A recent report by Ponemon says that in 2015, while insider attacks weren’t the biggest cause of security breaches, they caused the most damage- about USD 144,000 per instance!
Globally, very few organisations seem to have a clearly written policy that ensures employee education or affirmation about maintaining security of organisation data. If nothing else, it would help in increasing awareness of what might be dangerous, and lay down the processes for the right way of handling sensitive data!
One of the things this policy needs to define is regulate the privileges that trusted operators have- because they most often have the opportunity to cause most damage. Since they have the privilege to perform any process on critical systems using critical data, they could also, inadvertently or deliberately, be the biggest threat!
Most organisations confuse trust with granting unauthorised access to data for any employee and that has cost many companies dear! A balance between empowering an employee, and access control needs to be in place. In a vast majority of cases the unauthorised access comes from inadvertent sharing or passwords or access to critical data. What’s needed is a strict control on access. But that’s where the challenge lies- overlapping roles and inconsistent entitlements. But even more than that, is the poor governance process that keeps the backdoors open for security policy enforcement. The reason is, very often, that most organisations themselves are unaware of where their critical information is stored. It then becomes difficult to prevent inappropriate transmittal or access in the first place! And in most cases, a company’s reaction to a breach is reactive. There is hardly any attempt for predictive responses. There is almost never any system or policy in place to identify at risk accesses or individuals, so an attack may be pre-emptive or predicted.
Any policy that is to regulate data access to insider threats needs to follow some definitive guidelines. Some permissions and capabilities of employees need to be clearly regulated. These could be:
In order to be able to protect critical data, it first needs to be classified as critical. Understanding the consequences of a leak, an organisation needs to classify information at various levels of criticality and then work on ensuring the various security policies that confirm to each level of protection it needs. The data could include customer data, financial or market data or systems information. Each of these will have a cost attached, and access policies need to be in place for all. In addition, the security algorithms need to be clear on who can access to what levels- read, delete, copy or use in any other manner.
Privileged Identity and Passwords Management policy- a Must
In most organisations, the security and IT admin teams have access to almost all data, but with passwords. In some orgs, leadership and stakeholders are also given access. Such privileges need to be monitored by technology tools as well as policy enforcements. Who gets to see and do what, or Privileged Identity Management, has to be clear and simple but non-compromisable. It should enable regulation of multiple accesses to critical data.
Often many leadership level stakeholders share passwords and authorisations that could compromise key data or systems of a company. A policy that lays down the terms of clear privileged Identity Management can control the risks associated with this multiple usage of passwords and thus, the risk.
In most organisations, privileges accesses are all or nothing accesses, often allowing more privileges than a person needs. A regulatory policy should be able to change that, and reduce the unnecessary risk to key data and systems information. Policies governing user entitlements need to be a strict enforcement in every organisation.
Fraudulent Access Identification
In cases where an outsider exploits an insider to access data, the advanced authentication methods should be put in use. These would go beyond passwords, and into the contextual factors. Fraudulent access can be identified by simple ways- time zones- a person logging in from another place within minutes of logging from one- or some security questions answered wrongly- anything could trigger alarm bells and even identify a fraud authentication try. But these also need to be a part of the policy process.
Virtualisation Risks – Need of Security
With innovative technologies like virtualisation, the risks of insider leaks have increased- another layer of administrators for the hypervisor. With the ability of the tool to replicate or transmit data at a single click- the risks have gone up manifold. The solution usually is to embed traditional security apps in the hypervisor layer as well, but the entire virtual infrastructure too, needs to be secured. The security policy needs to have an option for emerging technologies and the risk they pose.
So, to control the problem of unauthorised access, there needs to be a strict security paradigm with automated processes that meet compliance audits and identity security policies. What’s critical here is the tighter incidence management timelines- that deliver a timely and stronger role based security foundation.