How to Mitigate Insider Threats: Strategies for Small Businesses
Most conversations about cybersecurity focus on external threats: hackers and cybercriminals who use malware, ransomware, and viruses to break into the organization and steal data or cripple operations. But what about risks that originate from within the company? How can you protect your business from rogue employees, vendors, or suppliers who already have legitimate access to your systems and data?
In this post, we’ll take a closer look at insider threats – what they are, how to identify them, and the steps you can take to better protect your business from this serious threat.
What is an Insider Threat?
An insider threat is a cybersecurity risk that originates with a person inside the organization: a current or former employee, vendor, contractor, freelancer, or anyone else who has (or once had) access to the company's computer network, systems, or data.
Insider threats can be broken down into two main categories based on the intention of the person responsible:
- Malicious: A threat in which a person actively and deliberately tries to do the company harm. Usually, these attacks are motivated by financial gain or revenge. For example, a sales associate who believes they were treated unfairly may steal a list of sales leads and either use that information personally in a new role or sell it to a competitor.
- Negligent: A threat in which an individual unintentionally creates a security risk through carelessness or poor judgment. Common examples of negligent insider threats include: losing or misplacing a company device; ignoring computer security update notifications; accessing or discussing sensitive data in public places; and failing to verify the identities of facility visitors. Though these actions are not intentional, the consequences can be just as serious as those of a malicious actor.
Why Are Insider Threats Difficult to Detect?
Insider threats are among the most difficult cybersecurity threats to detect and prevent, for two main reasons:
- Most security tools are built to identify and block external threats. They are not designed to flag activity by authorized users whose credentials and permissions are valid, so an insider reading or copying data they are allowed to reach looks like normal use.
- Many inside actors are familiar with the organization’s network settings, security policies and procedures, making it easier for them to avoid detection. They may also have knowledge of vulnerabilities, gaps or other shortcomings that can be exploited.
3 Common Insider Threats for SMBs
Insider threats can originate with any number of people. In this section we take a closer look at how insider threats may manifest within a business.
1. Negligent or Disengaged Employees
Human error is a common denominator in many cybersecurity attacks, including insider attacks.
As noted above, a negligent insider threat is one that occurs due to human error, carelessness, or manipulation. Since these threats do not involve people acting in bad faith, virtually anyone – even the company’s leaders – can be the source of an attack if they inadvertently share sensitive data, use weak passwords, install unapproved apps, misplace confidential materials, or fall victim to a social engineering attack.
Negligent insider incidents are often the opening step of a larger attack involving malware, ransomware, or phishing. Many of these attacks prey on human emotion, framing a request to reset a password or send an important file with urgency and apparent authority so that the target acts before thinking. While these techniques may seem obvious after the fact, cybercriminals are skilled and persistent: they will keep probing until they find a weak link to exploit.
2. Malicious Activity
As noted above, a malicious insider attack is planned and usually carried out by a disgruntled current or former employee. In many cases, these incidents are part of broader criminal activity, such as fraud, espionage, or data theft. While a malicious insider can work alone, they may also be something of a victim themselves, since many are the subject of a blackmail or extortion campaign carried out by a criminal group, foreign government agency, or other hostile entity.
Malicious insider threats commonly involve:
- Sharing, selling, changing, or deleting confidential data or sensitive information
- Misusing or sharing system access or login credentials
- Altering the IT environment to allow others to enter or dwell undetected
While any company can fall victim to a malicious insider, this is somewhat less common in the small business sector, since the workforce tends to be smaller and more closely integrated than in larger organizations. This can make it easier to identify warning signs or unusual activity, such as unsubstantiated requests for access to certain systems or files, which may go unnoticed in larger organizations since many IT managers are not familiar with the roles and responsibilities of every employee. That said, preventing malicious threats is an important consideration, especially if your business handles customer data, including health records or financial information, or has important trade secrets or IP that requires a high level of protection.
3. Third-Party Vendors
Another common risk for small businesses lies in their third-party network. Companies that outsource common tasks and functions, such as accounting, administration, IT, or even custodial services may inadvertently introduce a new level of risk, since those people have access to company data, networks, and services as part of their job.
In addition, since contractors, freelancers, vendors, and partners often are not subject to the same training programs that help employees identify and prevent risks, the possibility of a negligent insider incident increases. Finally, people in the organization's extended network may be more likely to act maliciously if they are not invested in the company's success and/or think that their actions will go undetected because they are not traditional employees.
How Can Small Businesses Mitigate Insider Threats?
Protecting the business against insider threats is an important part of every cybersecurity strategy. Here we review some specific steps companies can take to reduce the risk of an insider threat.
Instill a Culture of Cybersecurity Awareness and Prioritization
Because many insider threats within small businesses are actually due to negligence, one of the most effective ways to combat this issue is by creating a culture of cybersecurity awareness. This not only helps people reduce the likelihood of common errors and irresponsible behaviors personally, but also helps them identify malicious activity in others. Four practices help:
1. Provide Comprehensive Cybersecurity Training for Employees
Creating a culture of cybersecurity begins with education. People cannot protect themselves or the business from risks they aren’t aware of. To that end, companies should develop a robust training program that helps people adhere to the company’s security policies and identify risky activity.
The cybersecurity training program should include the following elements:
- Understanding common cybersecurity threats, such as malware, phishing and other social engineering attacks.
- Preventing password attacks and credential theft by setting strong, unique passwords for every account (ideally generated and stored by a password manager), enabling multi-factor authentication wherever it is offered, and changing a password promptly when there is any sign it has been exposed rather than on a fixed schedule, since forced periodic rotation tends to produce weaker, predictable passwords.
- Protecting data from loss, theft or misuse through encryption and by conducting regular back-ups.
- Protecting mobile devices – including personal devices – by installing and updating security tools provided by the organization.
- Outlining guidelines for acceptable social media activity on company devices and when using a corporate network. This helps reduce the risk of social engineering attacks, since many cybercriminals gather information via social media to carry out informed, personalized attacks.
- Developing customizable training modules and lessons that are tailored to specific audiences, such as managers, IT staff, remote workers, and vendors, suppliers, and contractors.
2. Establish and Enforce Cybersecurity Policies
So much of the employee training program will be guided by what the organization considers safe and acceptable use. To that end, another important part of creating a culture of security is establishing and enforcing the company’s cybersecurity policies. Some policies may include:
- Documenting the software, programs, and internet sources that are allowlisted, or approved for use, by employees within the organization.
- Developing clear guidelines for how, when and where employees and vendors can use corporate devices or corporate networks, as well as personal devices on corporate networks and for professional purposes.
- Establishing clear protocols for how to manage and use sensitive data, as well as the steps that should be taken when sharing such data, even inside the organization.
- Explicitly stating activities that are strictly prohibited. For example, the company should almost always have a policy against installing unlicensed or unapproved software or apps.
- Creating a remote work policy that includes the steps the individual must take to secure their personal network and all personal devices using the same network, including those used by family members and any household device that uses Internet of Things (IoT) technology.
3. Adopt Incentive Programs for Cybersecurity Awareness
For some businesses, it may be helpful to incentivize adherence to cybersecurity policies by offering small rewards for completing trainings, passing quizzes, following proper protocols in the event of a simulated attack, or reporting suspicious behavior. "Gamifying" security in this way helps create a more engaging culture of security and also helps ensure security remains top-of-mind for employees.
4. Implement a Strict Off-Boarding Process
Since many malicious insider threats originate with former employees, it is important to terminate accounts and access as soon as an individual leaves the company, ideally on the same day. This means more than disabling the primary directory account: it includes VPN and remote-access profiles, cloud and SaaS logins, shared mailboxes, API keys, and building badges, and it means rotating any shared passwords or secrets the person knew. Acting quickly significantly reduces the risk posed by disgruntled or departed employees.
As part of the off-boarding process, it may also be wise to inform others within the organization not to communicate with this person about business matters. For example, a former employee may reach out to former teammates and ask them to reactivate an account so that they can gather files or emails to serve as work samples or obtain personal files they may have accidentally left behind. Current employees should not respond to such requests and should forward them to a manager or supervisor to resolve. Under no circumstances should a former employee's account be reinstated or reactivated, even at the request of a senior official; if data from the account is genuinely needed, IT should retrieve it under supervision without re-enabling the login.
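As an added example (not from the original post, and not CrowdStrike's own code), the following Python script reconciles a constructed HR roster against a constructed identity-provider export and audit trail to surface the gaps an off-boarding process is meant to close: accounts still enabled after the termination date, sign-ins after departure, accounts re-enabled after departure, accounts disabled later than a grace period, and accounts with no owner in HR. The data shapes, account names and audit actions are assumptions for the example.

```python
from datetime import date, datetime

# Constructed sample data (not from the original post). In practice the roster
# comes from HR and the account list and audit trail from the identity provider.
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob":   {"status": "terminated", "end_date": date(2024, 3, 1)},
    "carol": {"status": "terminated", "end_date": date(2024, 2, 15)},
    "dave":  {"status": "terminated", "end_date": date(2024, 1, 10)},
}

# Hypothetical identity-provider export: account state and last sign-in.
IDP_ACCOUNTS = {
    "alice":      {"enabled": True,  "last_login": datetime(2024, 3, 9, 9, 5)},
    "bob":        {"enabled": True,  "last_login": datetime(2024, 3, 5, 22, 40)},
    "carol":      {"enabled": False, "last_login": datetime(2024, 2, 14, 17, 2)},
    "dave":       {"enabled": True,  "last_login": datetime(2024, 3, 2, 11, 0)},
    "svc-backup": {"enabled": True,  "last_login": datetime(2024, 3, 9, 2, 0)},
}

# Identity-provider audit trail as (timestamp, actor, action, target account).
IDP_AUDIT = [
    (datetime(2024, 1, 10, 17, 30), "it-admin", "disable_account", "dave"),
    (datetime(2024, 2, 20, 10, 0),  "it-admin", "disable_account", "carol"),
    (datetime(2024, 2, 28, 10, 0),  "helpdesk", "enable_account",  "dave"),
]


def offboarding_findings(roster, accounts, audit, grace_days=1):
    """Return sorted (account, finding) pairs for departed users whose access
    was not cleanly revoked, plus accounts that have no owner in HR."""
    findings = []
    for user, hr in roster.items():
        if hr["status"] != "terminated":
            continue
        end = hr["end_date"]
        acct = accounts.get(user)
        if acct is None:
            continue  # account already deleted; nothing left to revoke
        if acct["enabled"]:
            findings.append((user, "still_enabled"))
        if acct["last_login"] and acct["last_login"].date() > end:
            findings.append((user, "login_after_departure"))
        for ts, actor, action, target in audit:
            if target != user:
                continue
            if action == "enable_account" and ts.date() > end:
                # The exact request the post warns about: a reactivation after leaving.
                findings.append((user, f"reenabled_by_{actor}"))
            if action == "disable_account":
                late = (ts.date() - end).days
                if late > grace_days:
                    findings.append((user, f"disabled_{late}d_late"))
    # Service or orphaned accounts with no HR owner cannot be off-boarded at all.
    for user in accounts:
        if user not in roster:
            findings.append((user, "no_hr_owner"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in offboarding_findings(HR_ROSTER, IDP_ACCOUNTS, IDP_AUDIT):
        print(f"{account:12} {finding}")
```

Run on a schedule (daily is reasonable for a small business) and route every finding to whoever owns off-boarding; the reactivation check in particular should be treated as an incident, not a ticket.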
Be Proactive in Monitoring
As with many cyberattacks, it is vital to identify insider threats as early as possible. Monitoring tools that baseline normal activity per user and device (often sold as user and entity behavior analytics, or UEBA, and increasingly built on machine learning) can help companies detect early warning signs based on deviations from each person's usual patterns.
While monitoring tools can be a great asset for companies, they require significant time and attention to properly configure and calibrate. For that reason, it is important to work with a trusted cybersecurity partner to identify the optimal tools and technologies based on the company’s needs and implement those tools within the business correctly.
1. Quickly Identify and Prioritize Events
Another action your cybersecurity partner can help with is prioritizing response efforts to events. While some indicators – such as frequent log-ins after hours – can be the sign of a malicious insider at work, it can just as easily be due to the employee preparing for an important meeting or working unusual hours due to personal circumstances, like a sick child.
To that end, some cybersecurity vendors can help clients create individual risk scores for employees. This takes a broad range of factors into consideration, such as their role, online activity, level of access and more, to determine how much of a risk each person poses to the business. This is extremely helpful when it comes to prioritizing investigation and response efforts for insider threats.
2. Pay Attention to Insider Threat Indicators
One of the most effective ways to reduce the risk of insider attacks is to monitor employee behavior for known threat indicators. Some red flags include:
- Using a new, unapproved personal device, such as a phone or laptop, without coordinating with IT
- Submitting requests to access drives, documents, or applications that the employee did not need previously
- Showing new or unusual interest in the company’s security tools, policies, or procedures
- Working odd or unusual hours, either remotely or on-site
- Contributing to surges in network traffic, such as bulk downloads from a file share or large uploads to personal cloud storage or webmail, that may indicate data being staged or transferred out
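To make the prioritization and indicator points above concrete, here is an added example (not from the original post, and not a CrowdStrike product) that scores constructed log lines for three of the listed indicators: after-hours logins, first-time access to a resource outside the user's baseline, and outbound volume far above the user's own usual level. The points are then weighted by the user's level of access, so a lone after-hours login from a low-privilege account ranks low while the same login combined with a large upload and a new data source ranks high. The log format, baselines, weights and point values are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the original post); the key=value
# format and the user names are assumptions for the example.
SAMPLE_LOG = """\
2024-03-04T09:02:00 user=alice event=login src=10.0.0.7
2024-03-04T09:10:00 user=alice event=access resource=shared/finance
2024-03-04T22:05:00 user=carol event=login src=10.0.0.9
2024-03-04T23:17:05 user=bob event=login src=10.0.0.5
2024-03-04T23:20:11 user=bob event=upload bytes=734003200 dst=drive.example.net
2024-03-05T01:30:00 user=bob event=access resource=shared/hr-payroll
"""

# Per-user baseline, assumed to have been learned from prior weeks of normal use.
BASELINE = {
    "alice": {"resources": {"shared/finance"}, "daily_bytes": 50_000_000},
    "bob":   {"resources": {"shared/sales"},   "daily_bytes": 20_000_000},
    "carol": {"resources": {"shared/finance"}, "daily_bytes": 30_000_000},
}
# Weight by level of access: the same behaviour from someone who can reach
# payroll or banking data deserves a higher place in the investigation queue.
ACCESS_WEIGHT = {"alice": 2, "bob": 1, "carol": 2}

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time, Monday to Friday
POINTS = {"after_hours_login": 2, "new_resource": 3, "volume_spike": 5}


def parse_line(line):
    """Split '<iso timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in rest.split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def is_after_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def score_users(log_text, baseline=BASELINE, weight=ACCESS_WEIGHT):
    """Return [(user, score, reasons)] sorted highest-risk first."""
    points, reasons, bytes_out = defaultdict(int), defaultdict(list), defaultdict(int)
    seen = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        seen.add(user)
        if ev["event"] == "login" and is_after_hours(ev["ts"]):
            points[user] += POINTS["after_hours_login"]
            reasons[user].append(f"after-hours login at {ev['ts']:%a %H:%M}")
        elif ev["event"] == "access":
            known = baseline.get(user, {}).get("resources", set())
            if ev["resource"] not in known:
                points[user] += POINTS["new_resource"]
                reasons[user].append(f"first access to {ev['resource']}")
        elif ev["event"] == "upload":
            bytes_out[user] += int(ev["bytes"])
    # Volume is judged against each user's own baseline, not a single global cap.
    for user, total in bytes_out.items():
        usual = baseline.get(user, {}).get("daily_bytes", 0)
        if usual and total > 5 * usual:
            points[user] += POINTS["volume_spike"]
            reasons[user].append(f"{total / usual:.0f}x usual outbound volume")
    ranked = [(u, points[u] * weight.get(u, 1), reasons[u]) for u in seen]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for user, score, why in score_users(SAMPLE_LOG):
        print(f"{user:6} {score:3}  {'; '.join(why) or 'nothing unusual'}")
```

The point of the weighting is the caveat in the text: carol's late login on its own is worth a glance at most, whereas bob's combination of an after-hours login, a new data source and a 37x upload is what an analyst should look at first. Tune the baselines per user rather than setting one company-wide threshold, or the people who legitimately work odd hours will generate nothing but noise.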
Maintain Good IT Hygiene
Finally, as with other attack types, practicing strong IT hygiene goes a long way towards protecting the business from insider threats and deterring would-be bad actors in the first place.
1. Continuously Back Up Data
Since data breaches can significantly disrupt business operations, it is important to regularly back up all sensitive data and critical systems to ensure continuity in the event of an attack. Because an insider with administrative rights may try to delete or encrypt the backups along with the data, keep at least one copy offline or in a separate account that day-to-day administrators cannot modify, and test restores periodically.
Organizations that have significant data stores can work with their cybersecurity partner to develop a customized data loss prevention (DLP) program. DLP is part of the company’s overall security strategy that focuses on detecting and preventing the loss, leaks, or misuse of data by any means, including by way of an insider.
2. Limit Access to Sensitive Data
Employees should only have access to the data and systems needed to perform their jobs. As a general rule, organizations should provide the lowest level of access when the person is onboarded and add privileges only as needed. It is also important to regularly evaluate an employee’s access rights and remove any that are no longer needed in the person’s role. This not only limits the ability to steal or misuse data, but, in the event of a breach or attack, it narrows the pool of accounts that need to be investigated.
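The periodic access review described above can be scripted. The following is an added example (not from the original post, and not CrowdStrike code) that compares each person's actual grants against a role baseline and against when each grant was last used, flagging anything outside the role and anything unused for longer than a stale-days window; both kinds of finding are candidates for removal or written justification. The roles, grants, dates and data shapes are constructed for the example.

```python
from datetime import date

# Constructed sample data (not from the original post): what each role should
# have, what each person actually holds, and when each grant was last used.
ROLE_BASELINE = {
    "sales":   {"crm", "email"},
    "finance": {"erp", "email", "bank-portal"},
}

USERS = {
    "alice": {"role": "finance", "grants": {"erp", "email", "bank-portal", "crm"}},
    "bob":   {"role": "sales",   "grants": {"crm", "email", "erp"}},
    "carol": {"role": "sales",   "grants": {"crm", "email"}},
}

# (user, grant) -> date of last use; None means the grant has never been used.
LAST_USED = {
    ("alice", "erp"): date(2024, 3, 8),
    ("alice", "email"): date(2024, 3, 8),
    ("alice", "bank-portal"): date(2023, 10, 20),
    ("alice", "crm"): date(2023, 9, 1),
    ("bob", "crm"): date(2024, 3, 8),
    ("bob", "email"): date(2024, 3, 8),
    ("bob", "erp"): None,
    ("carol", "crm"): date(2024, 3, 7),
    ("carol", "email"): date(2024, 3, 8),
}

REVIEW_DATE = date(2024, 3, 10)   # assumed "today" for the review run


def review_access(users, roles, last_used, today, stale_days=90):
    """Return sorted (user, grant, reason) triples for grants to remove or justify."""
    findings = []
    for user, info in users.items():
        expected = roles.get(info["role"], set())
        for grant in sorted(info["grants"]):
            used = last_used.get((user, grant))
            if grant not in expected:
                findings.append((user, grant, f"not in {info['role']} baseline"))
            if used is None:
                findings.append((user, grant, "never used"))
            elif (today - used).days > stale_days:
                findings.append((user, grant, f"unused for {(today - used).days} days"))
    return sorted(findings)


if __name__ == "__main__":
    for user, grant, reason in review_access(USERS, ROLE_BASELINE, LAST_USED, REVIEW_DATE):
        print(f"{user:6} {grant:12} {reason}")
```

A grant that is in the role baseline but unused (alice's bank-portal access here) is still worth questioning: if the role definition is broader than the job, tighten the role rather than carrying the entitlement forward.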
3. Frequently Update Software to Prevent Attackers from Exploiting Vulnerabilities
Another hugely effective way of keeping the organization safe from cyberattacks of all kinds is keeping all operating systems and software updated. Patching closes known vulnerabilities before an attacker, insider or outsider, can use them to escalate privileges or move between systems.
While IT teams should follow specific protocols and schedules for updating and patching software, this is not information that needs to be shared with the workforce at large. In fact, it is wise to keep the organization’s update plans, as well as their security measures limited only to those who are responsible for addressing those tasks or issues.
Prioritize Employee Satisfaction
Since many small businesses may not have the budget to invest in specific insider threat detection tools and services, one of the most important ways to protect the business is by fostering a positive, engaging work environment.
When employees feel supported and respected, it is far less likely that they will want to actively harm the company. Further, when they feel invested in the company’s future, they are more likely to take steps to help fuel the company’s growth and protect it from malicious activity.
While companies cannot guarantee a positive experience for every person, there are some clear steps they can take to help create a more fair and equitable work environment. This may include:
- Hosting one or more formal performance review cycles
- Setting regular 1:1 meetings between all employees and their manager to identify issues and create a culture of accountability
- Establishing clear channels where employees can raise concerns and issues without fear of retaliation
- Encouraging employees to take vacation days and holidays
- Working with employees to help them establish boundaries that support a healthy work-life balance
Ready to try CrowdStrike? Start a free, 15-day trial of Falcon Pro and protect your business from ransomware, malware, and other sophisticated cyberattacks.