Are you prepared for insider threat?
What is insider threat?
An insider threat is a current employee or supplier with legitimate access to your systems who steals information or money. Insider threats can also arise from less malicious causes, such as an individual sending the wrong information to someone or losing a laptop or device containing sensitive information. These kinds of threats are very common all over the world: according to a 2021 report, up to 22% of all security incidents come from insider threats.
Any system reliant on people always requires trust. Having the right controls in place can minimize the impact of accidental breaches, but when individuals deliberately try to steal money or data from an organization using the legitimate access they need to do their job, there is a limit to what trust can do.
What can you do to protect your organization?
There are a number of options for protection and, as with most systems, the best defense is layered. Having very strict controls around who can change customer bank details in the payments platform is no good if all staff can change the invoices before they are sent out to customers. These principles should also extend beyond technology: would you give a trainee at a bank the keys to the vault and unsupervised access on day 1?
The first layer of protection should be least privilege: what is the minimum level of access required to perform the role the person is employed to do? This should apply at all levels. If a senior manager has no idea how to use the accounting platform, they should not get access to it because “senior managers always get access to this system”. With any system there will need to be exceptions to the rule, for example someone filling in for another role, but these exceptions should be regularly reviewed and, where technology allows, be set with an end date which will automatically revoke the additional privileges.
The second layer should be logging: who did what, on which systems and when. This information alone may not prevent an insider threat, but it will be invaluable in determining the size and scale of an attack. Insurers and the mandatory breach investigations team will look closely at this data to determine actions required and the level of claim.
The third layer is closely tied to logging: wherever possible, each system should have a unique login for each user. A shared account used by multiple people makes it extremely hard to determine the size and scale of the threat the organization is facing and makes it difficult to hold an individual accountable if something is found.
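As an added illustration of the first and third layers (this is example code written for this article, not a VInet tool), the script below reviews an access-grant export for exceptions that have no end date or have passed it, and scans login records for accounts used by more than one person. The record layouts, user names and system names are constructed assumptions.

```python
# Added example: review access grants and login logs (all data constructed).
from collections import defaultdict
from datetime import date

# Hypothetical export of access grants. "baseline" means the access is part of
# the person's normal role; anything else is an exception needing an end date.
GRANTS = [
    {"user": "asmith", "system": "payments", "baseline": True, "expires": None},
    {"user": "bjones", "system": "payments", "baseline": False, "expires": date(2024, 3, 1)},
    {"user": "cwong", "system": "invoicing", "baseline": False, "expires": None},
    {"user": "dpatel", "system": "accounting", "baseline": False, "expires": date(2024, 6, 30)},
]

# Hypothetical login log: (account, system, owner of the workstation used).
LOGINS = [
    ("asmith", "payments", "asmith"),
    ("finance-shared", "accounting", "dpatel"),
    ("finance-shared", "accounting", "cwong"),
    ("bjones", "payments", "bjones"),
]

def review_grants(grants, today):
    """Return (user, system, reason) for exceptions that break the policy."""
    findings = []
    for g in grants:
        if g["baseline"]:
            continue  # normal role access, covered by the role definition
        if g["expires"] is None:
            findings.append((g["user"], g["system"], "exception has no end date"))
        elif g["expires"] < today:
            findings.append((g["user"], g["system"], "exception expired, revoke"))
    return findings

def shared_accounts(logins):
    """Return accounts used from workstations owned by more than one person."""
    owners = defaultdict(set)
    for account, _system, owner in logins:
        owners[account].add(owner)
    return {acct: sorted(people) for acct, people in owners.items() if len(people) > 1}

if __name__ == "__main__":
    for finding in review_grants(GRANTS, date(2024, 4, 15)):
        print("GRANT ", *finding)
    for account, people in shared_accounts(LOGINS).items():
        print("SHARED", account, "used by", ", ".join(people))
```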
The fourth layer is backups, a critical component of protecting against an insider threat. Many internal malicious attackers think that by deleting their files or emails they are covering their tracks, but if you have good backups in place and appropriate retention periods (how long you hold on to data), you can recover this data and, in combination with the layers above, determine the scope of the attack.
The final layer is keeping accurate and regularly reviewed financial information. In most attacks, money is often the motivator and target. In insider threats the attackers may be familiar with the accounting practices of the organization's finance team and be able to work around them. By having the finances regularly reviewed by an independent third party, the organization may discover unknown threats.
How can VInet Technology Solutions help you?
VInet have assisted many organizations across the country to ensure they have all of the layers of protection in place and working correctly, and have assisted with forensic data recovery operations for customers who have had, or have suspected they had, insider threats within their organization.