Insider Threats Can Increase as Employees Leave

One unhappy employee can ruin your day, your reputation, and cost millions of dollars in losses.  Government agencies, companies and organizations of any size are all at risk.  Employees planning to leave their jobs are involved in 60% of insider cybersecurity incidents and data leaks, new research suggests.  According to the Securonix 2020 Insider Threat Report, published in May 2020, "flight risk" employees, generally deemed to be individuals on the verge of resigning or otherwise leaving a job, often change their behavioral patterns from two months to two weeks before conducting an insider attack.

Insider incidents are caused by individuals within an organization rather than external threat actors.  Employees or contractors with privileged access to systems may cause damage, steal, or sell data, or be the cause of a security failure -- such as by uploading or moving confidential resources to third-party services without permission.  Securonix says that the exfiltration of sensitive data continues to be the most common insider threat, often taking place via email transfers or web uploads to cloud storage services including Box and Dropbox.  This attack vector is followed by privileged account abuse. 

After examining hundreds of insider incidents across different industry verticals, the cybersecurity firm said that roughly 80% of flight risk employees will try to take proprietary data with them.  However, the abuse of removable drives to steal information is on the decline as more companies than ever are either restricting or blocking USBs completely, and many organizations, potentially prompted further by the COVID-19 pandemic, are transitioning to cloud and IaaS platforms.

According to cyber investigators, the highest number of data exfiltration incidents took place in the pharmaceutical, financial, and IT industries.  Account sharing, difficulties classifying data as sensitive or non-sensitive when considering access privileges, a failure to implement least-privilege account controls and the constant circumvention of IT controls are prevalent, the report suggests, with large enterprises in particular "finding it difficult to draw conclusions about such incidents mostly due to lack of, or differences between, policies and procedures for each line of business."

Securonix suggests that algorithms can be useful in monitoring employees for rogue activities by flagging behavioral anomalies, as well as measuring data volume and transfers that appear to be beyond normal, baseline activities.  "Using traditional technologies, such as DLP tools, privileged access management (PAM) solutions, and other point solutions is not sufficient to detect insider threat behavior today," Securonix added.  "The adoption of cloud systems presents a complex threat fabric which requires advanced security analytics that utilizes purpose-built algorithms to detect specific outcomes."
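The baseline comparison described above can be sketched as a per-user check on daily outbound volume. This is an added example, not code from Securonix or Red Sky Alliance; the record layout, user names, window length and cutoff are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median

BASELINE_DAYS = 10  # assumed length of each user's baseline window (days 0-9)
THRESHOLD = 6.0     # assumed cutoff on the robust z-score

# Constructed sample, not real data: (user, day, channel, MB sent outside).
ALICE = [20, 22, 19, 21, 20, 23, 18, 20, 22, 21, 21, 19, 22]
BOB = [30, 28, 31, 29, 30, 32, 27, 30, 29, 31, 30, 450]
EVENTS = (
    [("alice", d, "email", mb) for d, mb in enumerate(ALICE)]
    + [("bob", d, "cloud_upload", mb) for d, mb in enumerate(BOB)]
    + [("bob", 12, "email", 300), ("bob", 12, "cloud_upload", 600)]
)

def daily_totals(events):
    """Sum outbound MB per user per day across all channels."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, _channel, mb in events:
        totals[user][day] += mb
    return totals

def flag_anomalies(events, baseline_days=BASELINE_DAYS, threshold=THRESHOLD):
    """Return (user, day, MB, score) for days far above the user's own baseline.

    The score is a robust z-score built from the median and the median
    absolute deviation (MAD), so one earlier spike does not inflate the
    baseline the way a mean and standard deviation would.
    """
    alerts = []
    for user, days in sorted(daily_totals(events).items()):
        base = [days.get(d, 0) for d in range(baseline_days)]
        med = median(base)
        # Floor the MAD so a perfectly flat baseline cannot divide by zero.
        mad = median(abs(v - med) for v in base) or 1.0
        for day in sorted(d for d in days if d >= baseline_days):
            score = 0.6745 * (days[day] - med) / mad
            if score > threshold:
                alerts.append((user, day, days[day], round(score, 1)))
    return alerts

if __name__ == "__main__":
    for user, day, mb, score in flag_anomalies(EVENTS):
        print(f"{user} day {day}: {mb} MB outbound, robust z-score {score}")
```

Each user is compared only against their own history, so a role that routinely moves large files is not flagged for normal work while a sudden jump still is.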

There is no formula that can be used to predict what a soon-to-be former employee may do.  At Red Sky Alliance, we recommend that the Human Resources department be involved at the beginning of any suspected unusual employee behavior.  Open communications with managers, employees and HR department members can head off many issues before they become problems.

Red Sky Alliance has designed a virtual Trust Officer (vTO) Program.  Trust in your employees is one of the keys to corporate success.  The vTO can perform government-designed background checks, interview your employees, perform a variety of sensitive internal cyber investigations, and help set up a proactive, preventative insider threat program.  The program is designed to protect your company, employees, and families from insider threats.

Companies often have organizational structures that do not include the Human Resources (HR) function within cyber security or physical security operations.  These structures promote only "stovepipe" information flow to C-suite decision making, which can deter the collaboration needed to proactively identify potential insider threats.  Companies and organizations must be proactive in identifying insider threats, focusing on stopping negligence in IT operations and on observing signs of nefarious financial or subversive cyber motivations or actions.

Red Sky Alliance has former law enforcement professionals on staff who can counsel your department directors on how best to address this growing program. If you feel you already have had an incident, please contact us for a confidential briefing.

Red Sky Alliance is in New Boston, NH USA.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

 

Reporting:     https://www.redskyalliance.org/
Website:       https://www.wapacklabs.com/
LinkedIn:      https://www.linkedin.com/company/wapacklabs/
Twitter:        https://twitter.com/wapacklabs?lang=en

 

Link to full article: TR-20-171-001_Insider_Threat.pdf
