11 Steps to Prevent Insider Threats Using IAM
Many organizations are still neglecting the insider threat, despite this threat source being recognized as one of the root causes of data breaches.
By Stuart Beattie, Product Marketing Director, Omada | October 2018
Insider threats cover a wide array of cyberattacks initiated by somebody inside the traditional security perimeter enforced by firewalls and intrusion prevention systems. Many organizations are still neglecting the insider threat, despite this threat source being recognized as one of the root causes of data breaches. Read our tips for preventing insider threats and keeping your organization secure.
Insider threats cover a wide array of cyberattacks caused by somebody who already has access to systems on the inside of the traditional security perimeter. While external attacks are nearly always intentional, insider attacks can be both intentional and unintentional. Insider attacks can be the result of an accident or negligence, an unintentional error, compromised credentials, or current or former disgruntled employees deliberately attacking the company. Insider threats are therefore most commonly carried out by careless or negligent employees or contractors, criminal or malicious insiders, or credential thieves.
Insider threat still neglected
According to industry reports, organizations tend to be better at protecting against external cybersecurity threats than internal ones, and many organizations are therefore still neglecting the insider threat, despite this threat source being recognized as one of the root causes of data breaches.
The insider threat can be prevented, but to do so, organizations need to be better at controlling what employees have access to, why they need that level of access, and who assigned it to them. You need to know your joiners and leavers, and those transferring within the organization. Together, these give you a continuous overview of the access to the systems and applications your organization uses, which helps keep potential security holes closed. It also enables you to act quickly if a data breach does happen, which is crucial in the wake of GDPR.
How the insider threat differs from the external threat
Unlike external hackers, insiders do not need to infiltrate the perimeter defences such as firewalls and intrusion prevention systems.
The insider threat could be anyone who has (or has had) access to the system, such as full-time employees, contractors, the overnight security guard, or those who have left but still have active accounts.
The damage could be caused by accidental access, where someone happened to come across information they should not have been able to see; by negligence, where an insider failed to adhere to policies that were in place to prevent them from accessing sensitive data; or by malicious intent, where somebody actively set out to steal data or bring down systems.
11 steps to help prevent insider threats, using identity and access management:
- Determine the different motives that an insider could have. These could include stealing personal data or intellectual property, or vandalism with the intent of destroying company records or bringing down business-critical systems such as the company’s online store or CRM system.
- Determine which systems are the most valuable to the insider and therefore the most likely to be targeted. The most desirable targets are usually those systems which contain intellectual property or privacy data, or that are key to keeping the business up and running.
- Work with the business system owners across all divisions and departments to classify the data stored on their systems based on its sensitivity, such as privacy data and company confidential.
- Establish who has access to these critical systems.
- Decide who should have access to these systems.
- Audit each system individually to ensure that the desired state of access (i.e. who should be granted access and at what level) and the actual state of access (i.e. who really has access) are aligned.
- Establish defined roles for employees so that the ongoing management of business-critical systems can be maintained based on the levels of data classification. Ensure that all individuals who have access to the business systems have only the access they need to perform their duties within the organization.
- Define procedures to revoke access rights that are no longer needed when an insider moves roles or leaves the company. This prevents an undesired accumulation of privilege where a user account has more access than required, which could leave critical business systems unnecessarily open to attack.
- Monitor and manage who has access to privileged accounts by integrating your identity and access management software and processes with a privileged access management (PAM) solution.
- Define a procedure to quickly lock out a user from all systems if a breach is suspected, to prevent the insider from doing more damage, and use system features such as an emergency lockout to ensure the damage is contained.
- Educate employees, contractors, and other insiders, and have defined policies and procedures in employee handbooks and contractor contracts.
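The audit step above (desired state versus actual state), the role-based least-privilege step, and the revocation step for movers and leavers all reduce to the same reconciliation: compare what each identity should hold, derived from its roles and lifecycle status, with what the target systems actually grant. The following Python script is an added illustration written for this article, not code from Omada or its products. The role catalogue, identity records and per-system grant exports are constructed sample data; the kinds of finding (orphan account, leaver with live access, excess grant, missing grant) and the resulting revocation plan show what such an audit produces.

```python
"""Desired-vs-actual access reconciliation (constructed example, not a product's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Grant = Tuple[str, str]  # (system, access level)

# Desired state: which entitlements each business role carries (constructed).
ROLE_ENTITLEMENTS: Dict[str, Set[Grant]] = {
    "finance-analyst": {("erp", "read"), ("crm", "read")},
    "sales-rep": {("crm", "read"), ("crm", "write")},
    "sysadmin": {("erp", "admin"), ("crm", "admin"), ("hr", "admin")},
}


@dataclass(frozen=True)
class Identity:
    """One joiner/mover/leaver record from the identity source of truth."""
    user: str
    roles: FrozenSet[str]
    status: str  # "active" or "terminated"
    termination_date: Optional[date] = None


# Constructed identity records: carol has left, erin has no record at all.
IDENTITIES: List[Identity] = [
    Identity("alice", frozenset({"finance-analyst"}), "active"),
    Identity("bob", frozenset({"sysadmin"}), "active"),
    Identity("carol", frozenset({"finance-analyst"}), "terminated", date(2018, 9, 30)),
    Identity("dave", frozenset({"sales-rep"}), "active"),
]

# Actual state: (user, level) pairs exported from each system (constructed).
ACTUAL_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "erp": {("alice", "read"), ("bob", "admin"), ("carol", "read")},
    "crm": {("alice", "read"), ("bob", "admin"), ("dave", "read"), ("erin", "read")},
    "hr": {("alice", "read"), ("bob", "admin"), ("carol", "read")},
}


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    level: str
    kind: str  # "orphan", "leaver", "excess" or "missing"


def desired_access(identity: Identity) -> Set[Grant]:
    """A terminated identity should hold nothing; otherwise union its role entitlements."""
    if identity.status != "active":
        return set()
    wanted: Set[Grant] = set()
    for role in identity.roles:
        wanted |= ROLE_ENTITLEMENTS.get(role, set())
    return wanted


def reconcile(identities: List[Identity],
              actual: Dict[str, Set[Tuple[str, str]]]) -> List[Finding]:
    """Compare actual grants against desired grants in both directions."""
    by_user = {i.user: i for i in identities}
    findings: List[Finding] = []
    # Direction 1: every actual grant must be justified by an active identity's roles.
    for system, grants in actual.items():
        for user, level in sorted(grants):
            ident = by_user.get(user)
            if ident is None:
                findings.append(Finding(user, system, level, "orphan"))
            elif ident.status != "active":
                findings.append(Finding(user, system, level, "leaver"))
            elif (system, level) not in desired_access(ident):
                findings.append(Finding(user, system, level, "excess"))
    # Direction 2: every desired grant should actually exist (an operational gap).
    for ident in identities:
        for system, level in sorted(desired_access(ident)):
            if (ident.user, level) not in actual.get(system, set()):
                findings.append(Finding(ident.user, system, level, "missing"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def revocation_plan(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Grants the audit says should be removed: orphans, leavers and excess access."""
    return sorted((f.user, f.system, f.level) for f in findings
                  if f.kind in {"orphan", "leaver", "excess"})


if __name__ == "__main__":
    results = reconcile(IDENTITIES, ACTUAL_GRANTS)
    for f in results:
        print(f"{f.kind:8} {f.user:6} {f.system:4} {f.level}")
    print("summary:", summarize(results))
    print("revoke:", revocation_plan(results))
```

Running the script on the sample data reports erin's CRM account as an orphan (no identity record), carol's ERP and HR grants as leaver access, alice's HR read as excess beyond her role, and dave's missing CRM write as an operational gap. Only the first three kinds go into the revocation plan; the "missing" finding is for the system owner to provision, not to remove. In practice the identity records and grant exports would come from the HR feed and each system's access listing rather than being embedded, and the plan would feed the revocation or emergency lockout procedure rather than just being printed.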
Protecting critical assets against insider threats is a balancing act between locking down systems so employees and other insiders cannot get access to information outside of their remit and allowing users sufficient access so that they can do their jobs unhindered. Implementing a robust identity and access management solution combined with rigorous enforcement of policies and procedures will ensure that business operations are able to continue without exposing the company to unnecessary risk.
Identity and access management can help your organization keep insider threats at bay. Find out much more about how you can bring your identity management and access governance into line with your evolving needs, or get in touch with us to learn more about how we have helped organizations like yours.
Omada Product Marketing Director, Stuart Beattie has over the past 22 years advised organizations in finance, telecom, manufacturing, healthcare, and government on their cybersecurity deployments. He has held roles in technical support, presales, and product marketing working with a wide variety of technologies including firewalls, intrusion prevention systems, desktop security, penetration testers, network forensics, and identity management.
He has a BSc in Computing with German from Bolton University, and an MBA in Technology Management from Imperial College London.