August 17, 2016
I am in the middle of my second week here at Mimecast and am excited to focus on all things security. The timing of my arrival is good as we just released important new data around malicious insiders. Here’s my take on the topic …
There’s nothing worse than being hit with a surprise attack from behind – especially by a previously trusted person. In the military, surprise rearguard actions can be very effective for the attacker and very debilitating for the defender. In a sense, cyberattacks from malicious insiders are a form of a digital rearguard action.
Today, most IT security defenses are set up to defend against external attackers, be they cybercriminals in search of money, nation states pursuing strategic advantage, or hacktivists with a politically driven agenda. That allocation of resources makes some sense, since most attacks do come from outside the organization, but not all of them do. Attacks also come from the inside, and when they originate with trusted insiders they have proven to be extremely damaging.
In one recent example, this past July a Citibank IT engineer was sentenced to 21 months in prison for using his administrative access to wipe out nine of the company’s network routers, bringing down 90% of Citibank’s network. In Mimecast’s new survey 45% of respondents picked “Malicious Insider Attack” as their number-one perceived security vulnerability. Clearly, this is an area deserving greater focus.
Your security program needs to be based in reality. You need to honestly assess the trustworthiness of your insiders, the amount of damage they could reasonably do if they had both the motivation and the opportunity, and how many security controls can realistically be applied given the culture and practices of the organization. Reasonable controls against malicious insiders then need to be put in place to reduce the business risk to an acceptable level.
Most security programs don’t sufficiently factor in controls for the malicious insider. This is unfortunate, because some basic controls are cost-effective and protect not only against malicious insiders but also against careless, non-malicious insiders and against external attackers.
Here are four tips to help reduce the risk of a malicious insider attack:
- Use role-based access control, especially on critical systems and for highly privileged users such as IT administrators. Give each role only the access its duties require, and separate duties so that no single administrator can take down critical infrastructure alone. This limits the damage any one account, malicious or compromised, can do.
- Don’t make it easy for the malicious insider to steal your data. Monitor and block the movement of sensitive data out of the organization by email, FTP and the web.
- Train employees – regularly. The more eyes you have on this area of risk the better. Help your team understand that “if they see something, say something.”
- Update your incident response plan to cover how to guard against, detect and respond to malicious activity by insiders. This will need to involve more than just your IT and Security departments: include HR, Legal and PR.
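The second tip, monitoring the movement of sensitive data out of the organization, is the one that most readily turns into detection logic. The script below is an added illustration, not Mimecast's code or anything from the survey. It runs two simple rules over constructed email gateway log lines: flag any attachment labelled sensitive that is sent to an external recipient, and flag a sender whose total outbound attachment volume to external recipients crosses a daily threshold. The log format, the internal domain, the classification labels and the 50 MiB threshold are all assumptions chosen for the example; real gateway logs and real tuning will differ.

```python
"""Detect likely insider data exfiltration in outbound email gateway logs.

Added example, not Mimecast's code. The log format, domains, labels and
thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict

INTERNAL_DOMAINS = {"example.com"}                  # assumed: the organisation's own mail domain
SENSITIVE_LABELS = {"confidential", "restricted"}   # assumed: classification labels in use
VOLUME_THRESHOLD_BYTES = 50 * 1024 * 1024           # assumed: 50 MiB outbound per sender per day

# Constructed sample log lines (not real traffic), one message per line:
# timestamp|sender|recipient|direction|attachment_name|attachment_bytes|label
SAMPLE_LOG = """\
2016-08-15T09:12:03Z|alice@example.com|bob@example.com|outbound|q3-forecast.xlsx|204800|confidential
2016-08-15T09:40:11Z|alice@example.com|partner@vendor.example|outbound|brochure.pdf|102400|public
2016-08-15T10:02:19Z|vendor@vendor.example|alice@example.com|inbound|invoice.pdf|51200|restricted
2016-08-15T22:05:47Z|dave@example.com|dave.personal@mail.example|outbound|customer-list.csv|5242880|restricted
2016-08-15T22:06:10Z|dave@example.com|dave.personal@mail.example|outbound|archive-part1.zip|31457280|internal
2016-08-15T22:07:52Z|dave@example.com|dave.personal@mail.example|outbound|archive-part2.zip|31457280|internal
2016-08-15T23:00:00Z|this line is malformed
"""


def parse_line(line):
    """Split one log line into a dict; return None for lines that do not fit the format."""
    fields = line.strip().split("|")
    if len(fields) != 7:
        return None
    ts, sender, recipient, direction, name, size, label = fields
    try:
        size = int(size)
    except ValueError:
        return None
    return {"ts": ts, "sender": sender.lower(), "recipient": recipient.lower(),
            "direction": direction, "attachment": name, "bytes": size,
            "label": label.lower()}


def is_external(address):
    """True when the address's domain is not one of ours (no '@' counts as external)."""
    domain = address.rpartition("@")[2]
    return domain not in INTERNAL_DOMAINS


def find_exfiltration(lines):
    """Return alerts for (1) sensitive-labelled attachments sent to external
    recipients and (2) a sender whose outbound attachment volume to external
    recipients crosses VOLUME_THRESHOLD_BYTES within one calendar day.
    Malformed, inbound and internal-to-internal messages are ignored."""
    alerts = []
    outbound_bytes = defaultdict(int)   # (sender, day) -> cumulative bytes sent externally
    already_flagged = set()             # volume alerts are raised once per (sender, day)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["direction"] != "outbound" or not is_external(rec["recipient"]):
            continue
        if rec["label"] in SENSITIVE_LABELS:
            alerts.append({"rule": "sensitive_to_external", "sender": rec["sender"],
                           "detail": f'{rec["attachment"]} ({rec["label"]}) to {rec["recipient"]}'})
        key = (rec["sender"], rec["ts"][:10])   # day is the first 10 chars of the ISO timestamp
        outbound_bytes[key] += rec["bytes"]
        if outbound_bytes[key] > VOLUME_THRESHOLD_BYTES and key not in already_flagged:
            already_flagged.add(key)
            alerts.append({"rule": "volume_to_external", "sender": rec["sender"],
                           "detail": f"{outbound_bytes[key]} bytes to external recipients on {key[1]}"})
    return alerts


if __name__ == "__main__":
    for alert in find_exfiltration(SAMPLE_LOG.splitlines()):
        print(alert["rule"], alert["sender"], alert["detail"])
```

On the sample data the script raises two alerts, both against dave@example.com: the restricted customer list sent to a personal mailbox, and the cumulative volume alert once the second archive pushes the day's total past the threshold. Alice's confidential spreadsheet to a colleague and her public brochure to a partner are correctly left alone. Note that the volume rule only fires once the threshold is crossed, so the first large archive still leaves before anyone is told; in practice you would pair detection like this with the blocking the tip calls for, and with labels that are actually applied consistently, since an unlabelled file slips past the first rule entirely.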