Threats to enterprise cyber security are constantly evolving, with many coming from external threat actors. Insider threats also pose a growing problem, and security professionals are constantly being warned about them.
In the A10 Networks AIR report earlier this year, almost half (48 percent) of IT leaders say that employees do not care about corporate security practices. With companies aware of the issue, what are enterprises doing to fight back against these threats and why is it such a major concern?
How big is the problem of insider threats?
The simple answer is very big. While cyber threats present a big issue to many companies, many can be dealt with by using the appropriate solutions and by training employees. To tackle insider threats, managers and IT leaders need to take an entirely different approach. This can vary depending on the business environment.
Insider threats can be classified into two distinct groups: the malicious, criminal employee and the unknowing, or ill-informed, employee. Each group has to be approached in a different way. Identifying which employee falls into which group is not simple. Employers have to figure out what has motivated some staff to act in a malicious way, whilst distinguishing them from the clumsy employees.
There are many reasons why an employee might look to sabotage a business. These include a grudge over a bad personal assessment, peer or management conflicts, differing ideological views or pressure from an outside force. Identifying a motive can be difficult, but desire alone will not give such employees a chance to act. There needs to be opportunity. This is where those in charge can work to prevent sabotage.
Often opportunities occur simply by that employee having increased or existing access to sensitive information. It is important that managers ensure that employees only have access to the minimum data required for their role.
Some employees will look for other opportunities. They might use social engineering to get access to the security credentials of another employee. This allows them to access the network as if they were another employee. It also allows them access to a wider set of data.
A change in employee behavior could be a warning sign. Examples include arriving early, leaving after everyone else, recent changes in access, frequency of downloads or failed login requests from a user’s system. Any and all of these could be a sign of an ulterior motive and are good places to start when trying to identify malicious employees in the business. Behaviour is the key and it is important to determine the behaviour patterns of individuals, whether it be done with technology, physical apparatus or digital monitoring tools.
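The warning signs listed above can be checked against each user's own baseline rather than a company-wide rule. The following is an added example, not part of the original article or of any A10 Networks product; the event format, the 08:00-18:00 working day, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WORK_HOURS = range(8, 18)  # assumption: 08:00-17:59 is the normal working day
FEATURES = ("off_hours", "download", "login_failed", "access_change")

def daily_features(events):
    """Count each indicator per (user, day) from (timestamp, user, kind) events."""
    counts = defaultdict(lambda: dict.fromkeys(FEATURES, 0))
    for ts, user, kind in events:
        t = datetime.fromisoformat(ts)
        row = counts[(user, t.date())]
        if t.hour not in WORK_HOURS:
            row["off_hours"] += 1          # early arrival / late departure
        if kind in row:
            row[kind] += 1                 # downloads, failed logins, access changes
    return counts

def flag_deviations(events, day, sigmas=3.0, floor=2):
    """Compare each user's counts on `day` with that user's own earlier days."""
    counts = daily_features(events)
    target = datetime.fromisoformat(day).date()
    flagged = {}
    for user in sorted({u for u, _ in counts}):
        history = [row for (u, d), row in counts.items() if u == user and d < target]
        today = counts.get((user, target))
        if not history or today is None:
            continue  # no baseline or no activity that day: nothing to compare
        hits = []
        for f in FEATURES:
            past = [row[f] for row in history]
            # `floor` stops a flat, all-zero baseline from flagging a single event
            if today[f] > max(mean(past) + sigmas * pstdev(past), floor):
                hits.append(f)
        if hits:
            flagged[user] = hits
    return flagged

# Constructed sample data (not real logs): five ordinary days, then an unusual day for bob.
EVENTS = []
for d in range(1, 6):
    for user in ("alice", "bob"):
        EVENTS.append((f"2024-03-0{d}T09:00:00", user, "login"))
        EVENTS += [(f"2024-03-0{d}T1{h}:00:00", user, "download") for h in range(3)]
EVENTS += [("2024-03-06T09:05:00", "alice", "login")] + [("2024-03-06T11:00:00", "alice", "download")] * 3
EVENTS += [("2024-03-06T05:20:00", "bob", "login_failed")] * 4
EVENTS.append(("2024-03-06T05:30:00", "bob", "login"))
EVENTS += [("2024-03-06T05:40:00", "bob", "access_change")] * 3
EVENTS += [("2024-03-06T05:45:00", "bob", "download")] * 40
```

Calling flag_deviations(EVENTS, "2024-03-06") flags only bob, on all four indicators; a flag is a prompt for review by a person, not proof of intent.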
Did I do that?
A different approach is needed when dealing with the unknowing or ill-informed employee. The cyber threat from this group can come from many places but it all stems from one issue: they do not realise they are a risk. The simple solution to this problem is to properly educate staff, and not just the IT department but the entire business. These risks can come from any department.
88 percent of IT heads say that employees need better education on the best security practices. Many companies are doing more to educate employees. However, the AIR report revealed that 29 percent of IT professionals noted a lack of corporate commitment to policies and enforcement. Policies and enforcement are not ‘nice to haves’. They provide a structure for cyber security education. While it is easy to blame employees, enterprises also need to do more.
Password policies are a good example of where more can be done. The AIR report shows that password policies are communicated to employees through email reminders (66 percent), employee orientation (50 percent), internal meetings (48 percent), and communication from a manager (44 percent). Email reminders are highlighted here as the main way of communication. This is not an effective solution. Employees are often overwhelmed by emails and there is every risk that employees will overlook those related to security.
The solution is simple. Direct communication with staff and more workshops around cybersecurity can help bring these issues to the forefront of employees’ minds and make them more aware. In a workshop they are not distracted by other tasks and are therefore focused on security training.
Many organisations have made regular password changes mandatory. This is not enough. If passwords are still being used, they need to be strong and reuse must be prevented. Adding two-step authentication strengthens security. All of this needs to be enforced to ensure employees follow policies.
Weak passwords are not the most pressing issue regarding insider threats. The use of unverified or insecure apps brings the risk of unauthorised access to the network. With Bring Your Own Device (BYOD), employees increasingly use their personal devices for work. These devices are connected to the network, which turns them into a gateway for hackers. Mobile apps can also contain malware, which can then affect other devices on the network.
To tackle this issue, organisations should be clear as to what hardware and software can and cannot be used in the office. If an employee wants to install new software on a corporate device, they need permission from an admin. For BYOD, virtual environments for work can also be used, which can restrict what software a user installs.
Is there hope?
Always. Although almost a quarter of IT decision-makers think there will be no improvement in security behavior at their company, 75 percent are more optimistic. Cybersecurity is increasingly becoming more mainstream in the business world and enterprises are increasing the amount of resources available to security teams.
Much of the emphasis is on external threats and malware. Insider threats don’t tend to get as much focus. As more organisations take notice, hopefully this will change. Getting the balance between having a warm, open working environment vs. a police state-esque look and feel is not easy, but with correct training and observation of employee behaviour there is hope for enterprises to deal with insider threats.
A10 Networks (NYSE: ATEN) is a provider of intelligent and automated cybersecurity solutions, providing a portfolio of high-performance secure application solutions that enable intelligent automation with machine learning to ensure business critical applications are protected, reliable and always available. Founded in 2004, A10 Networks is based in San Jose, Calif., and serves customers in more than 80 countries with offices worldwide. For more information, visit: www.a10networks.com and @A10Networks