Insider threats are always on the minds of CISOs, although defining the threat is one of the biggest problems.
Some vendor surveys count external threat actors who get hold of the credentials of employees or suppliers as “insiders,” on the reasonable grounds that on the network both look the same. That boosts the alleged risk of an insider attack to a high percentage, which is good if you’re a vendor pushing a product. However, it could also lead to putting more emphasis on network defence and not enough on edge or endpoint protection.
Similarly, counting employee errors — misconfiguring a server, clicking on a malicious attachment — as an insider threat may also tip a CISO’s strategy in the wrong direction.
Most experts agree the biggest threat to organizations comes from outside attackers. But the risk of an insider — employee, partner, contractor, supplier, guest on the network — doing deliberate damage still has to be faced. The best way to do that is having an insider threat program using technologies such as behaviour analytics and alerting.
In a column this week, Josh Lefkowitz, CEO of Flashpoint, a business risk intelligence firm, notes that the primary objectives of such a program are to “deter, detect, and respond to insider threats—not prevent them.” The issue, he argues, isn’t that insider threats can’t be prevented but that prevention occurs largely at the information security level, not the internal threat program level. “Many of the same basic, best-practice information security controls that help organizations mitigate threats such as phishing and malware infections can also help prevent insider threats,” he writes.
By this he means controls such as identity and access management, quickly revoking former employees’ access to company systems, blocking users from accessing personal email, social media, and external instant messengers from inside the network, restricting the use of flash drives and external media storage devices, enforcing bring your own device (BYOD) policies, and ensuring all users are trained thoroughly and often on security awareness and hygiene best practices.
So go ahead, make your insider threat program. But remember who you are looking for, and that prevention solutions really count first.