Ransomware, misinformation campaigns and attacks on critical infrastructure are the cyberthreats getting the most attention today, and the attention is fitting. NotPetya ran up a worldwide damage bill of $10 billion. Daily, Facebook reports the detection and removal of accounts linked to foreign-influence campaigns. It is widely believed that attackers have infiltrated electric grids. None of these concerns should cause us to lose focus on one of the root causes of all security incidents and data breaches — negligent insiders.
What is a Negligent Insider?
Insiders are employees, partners, contractors and other third parties who have legitimate access to networks. Malicious insiders are those who take advantage of their access to steal data and cause harm. Negligent insiders are those who have no bad intentions but make errors that subject their organizations to security events. Each class of user is regarded as an insider threat.
The total dollar amount of all damages caused by negligent insiders isn’t fully known. In addition to the aforementioned NotPetya sum, several estimates say that negligent insider cases are costing public and private sector organizations up to $283,000 per occurrence, annually.
Examples of Damages Caused by Negligent Insider Threats
Negligent insiders put their organizations at risk by making errors. They respond to phishing emails, visit risky websites, and store and share data without any controls. There are several recent examples of security incidents caused in whole or in part by negligent insider behaviors:
- The indictment the United States Department of Justice (DOJ) issued this month against North Korean citizen Park Jin Hyok (Park) indicates he took advantage of negligent insiders via phishing attacks. These allowed him to pull off WannaCry 2.0, the theft of $81 million from Bangladesh Bank in 2016, and the 2014 Sony hack.
- The United States Federal Bureau of Investigation (FBI) reported in July that Business Email Compromise (BEC) scams, fueled by phishing, have caused organizations to lose more than $12 billion.
- Noted security researcher and journalist Brian Krebs recently wrote about two human-driven configuration errors that led to breaches in August and September.
- This year, assessments we conducted revealed an increase in the number of times negligent insiders were exposing data openly on the web, with no protections whatsoever.
How to Mitigate the Problem
The damage from the negligent insider threat is real. Organizations need to develop mitigation strategies to lower the risk. Here are four steps they can take:
- Expand visibility, respect privacy. Organizations need to understand what their partners, customers, employees, and other third-party insiders are doing. There is a wide range of technologies available that any company can choose from to gain the visibility and intelligence needed to spot risky trends before they spiral out of control. Gaining visibility over environments no longer requires intrusive monitoring practices that violate regulations such as the GDPR. Screen-shot captures, key-stroke logging and other invasive tactics just aren’t needed any more. Today’s advanced intelligence tools illuminate risky activities while shielding insider identities through data anonymization.
- Enable alerts. Many organizations have deployed technologies designed to sound the alarm when risky activities are in play. Many of these “early warnings” end up being false positives, leading to alert fatigue. Effective alerts are powered by technologies that understand behavioral context: they know when events are normal and when they are anomalies, and they know what the intentions of the people behind the monitored actions are.
- Teach, teach, teach. Organizations that want to defend their insiders against attacks and reduce the number of risky moves insiders make need to provide training and tools that deliver “teachable” moments. Studies suggest that with education, humans can significantly reduce their susceptibility to attacks and scams. Several of our customers, including Williams Martini Racing, use the intelligence provided by Dtex to educate their employees on the importance of data protection and policy adherence, a practice the company says reduces risk even further.
- Be open. Any organization that wants to protect its insiders against attackers and their own mistakes has to implement behavior and activity monitoring technologies. The common perception held by many security and risk teams is that such tools should be kept under wraps, so as not to compromise security operations. This isn’t the case. We’ve found in example after example, including Williams, that organizations which are open about monitoring activities have a greater level of success. It is worth noting that a recent survey we conducted with the Harris Poll showed that employees will support monitoring when it is conducted with transparency.
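The first two steps, anonymized visibility and alerts that are based on each user's own behavioral baseline rather than a fixed rule, can be illustrated with a small model. The following is an added example, not Dtex code: analysts only ever see a keyed pseudonym, an alert fires only when a user's activity deviates from that user's own history, and a separate key holder can resolve a pseudonym back to an identity once an alert is confirmed. The event data, the key and the activity type are all constructed for the demonstration.

```python
import hmac
import hashlib
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: (user, day, files_copied_to_removable_media).
SAMPLE_EVENTS = [
    ("alice", 1, 3), ("alice", 2, 4), ("alice", 3, 2), ("alice", 4, 3), ("alice", 5, 41),
    ("bob", 1, 0), ("bob", 2, 1), ("bob", 3, 0), ("bob", 4, 1), ("bob", 5, 1),
]

# Hypothetical secret held by a privacy officer, never by the analyst tier.
PSEUDONYM_KEY = b"constructed-demo-key"


def pseudonymize(user: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable keyed token: same user -> same token, but not reversible without the key."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


def resolve(token: str, roster, key: bytes = PSEUDONYM_KEY):
    """Re-identify a confirmed alert by re-deriving tokens for the known roster."""
    return next((u for u in roster if pseudonymize(u, key) == token), None)


def baseline_alerts(events, z_threshold=3.0, min_history=3, min_jump=5):
    """Flag a day only when it is anomalous against that user's own prior days.

    Two controls limit false positives: a z-score threshold and an absolute
    minimum jump, so a quiet user going from 0 to 1 is not an alert.
    Returns (pseudonym, day, count, baseline_mean) tuples.
    """
    by_user = defaultdict(list)
    for user, day, count in sorted(events, key=lambda e: e[1]):
        by_user[user].append((day, count))
    alerts = []
    for user, history in by_user.items():
        for idx in range(min_history, len(history)):
            prior = [c for _, c in history[:idx]]
            mu, sigma = mean(prior), pstdev(prior) or 1.0  # avoid divide-by-zero
            day, count = history[idx]
            if (count - mu) / sigma > z_threshold and count >= mu + min_jump:
                alerts.append((pseudonymize(user), day, count, round(mu, 2)))
    return alerts


if __name__ == "__main__":
    for token, day, count, mu in baseline_alerts(SAMPLE_EVENTS):
        print(f"user {token}: day {day} count {count} vs baseline {mu}")
```

Only the alert on day 5 survives the two controls, and the printed token can be turned back into a name only by whoever holds the key.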
Dtex Systems is a leader in user behavior intelligence used by Global 2000 companies to turn employees into trusted insiders and to detect insider threats. The Dtex Systems Advanced User Behavior Intelligence Platform provides customers with complete visibility over user behaviors and activities taking place on endpoints that are on and off the network. The Dtex lightweight endpoint metadata collectors are highly scalable, easy to deploy, require no maintenance, and have near-zero impact on endpoint and user performance. Dtex filters out all non-essential “noise” to create a high-fidelity data stream that indicates exactly when risky activities and behaviors are taking place. Machine learning and advanced analytics are applied to the data at the server to convert it into user behavior intelligence that provides accurate alerts and road maps showing where insider threats exist. Patented anonymization capabilities, privacy-by-design architecture and metadata collection protect user privacy and help customers to comply with the GDPR and other privacy regulations.