Insider Threats in 2020: Discussing a Persistent Part of the Threat Landscape
In our 2020 SaaS security risks post, insider risks were listed as part of our anticipated threat landscape for this year. Our prediction has been borne out by research in 2020 indicating that insider threats have been on the rise and that many organizations lack the tools to address them. Given the prevalence of insider threats, we wanted to talk about their significance and what makes them so dangerous, as well as how COVID-19 may be worsening the impacts of these threats.
What are insider threats and what makes them so dangerous for organizations?
Insider threat refers to a security risk or security incident that originates within the target organization. There are many sources of insider threat—employees, contractors, or other assets available to the organization. The circumstances surrounding particular incidents involving insider threats can be varied and complex, making it difficult to put in place catch-all policies and solutions for preventing and stopping every single insider threat. Generally, though, insider threat is considered to stem from at least one of the following causes:
- Motivated malicious insiders who are either working alone or with an external collaborator to exfiltrate data or damage systems.
- Unintentional insider threats that stem from non-malicious individuals. This can happen through social engineering or other actions taken by malicious external actors designed to compromise internal accounts. Alternatively, the insider can, without being manipulated, simply fail to do something that would improve the security of their accounts (e.g. failing to properly lock and store a device containing sensitive information). Finally, sometimes these incidents happen because of mistakes like sending an email with sensitive information to the wrong party, or as a result of taking shortcuts like sharing passwords over mediums like Slack instead of using a password manager.
- System misconfigurations or vulnerabilities that lead to incidents. Sometimes the systems used within organizations are either poorly configured or contain vulnerabilities that can exacerbate the consequences of insider threats. For example, consider that in 2018 researchers found that 80% of the AWS S3 buckets they discovered contained readable files. This is likely a result of poor permissioning within some organizations’ AWS environments. While misconfigurations or undiscovered vulnerabilities don’t by themselves lead to insider threat incidents, they can set the stage for such scenarios. They may also themselves be the result of employee or contractor error.
What makes insider threats challenging to deal with is the variability of causes associated with these types of threats. This can make it harder to prevent, let alone anticipate, insider threats. As the costs of breaches, including those caused by insider threats, increase, the stakes for addressing this problem couldn’t be higher. Despite this, security teams that conduct recurring security threat assessments can determine which causes of insider threats are most likely within their own organizations, allowing them to focus on mitigating those specific risks.
Will COVID-19 worsen insider threats?
Although it’s too early to tell how COVID-19 will ultimately impact the organizational risks associated with insider threats, it’s undeniable that the pandemic has created new opportunities for such incidents to occur. It’s worth covering these new opportunities, because even if they do not immediately materialize as risks for your organization, they may help you anticipate future threats. Below are some of the scenarios worth considering.
State actors and other hackers targeting employees through coordinated phishing attacks
Experts are noting that the coronavirus pandemic has contributed to a record number of cyberattacks, the bulk of which appear to be phishing campaigns targeting both workers and consumers. Given the always-on nature of SaaS tools, as well as the possibility that workers at home might be using their personal devices to access business-critical information, the risk of insider threat incidents now extends beyond the traditional business data perimeter. Teaching employees proper security hygiene will help them secure both their own machines and their work devices.
Security misconfigurations may lead to data exposure (intentionally or otherwise)
The rapid adoption of collaborative cloud tools might result in organizations failing to put cloud security first. What this will look like may vary from application to application, though it may commonly take the form of poor permissions controls in environments like Confluence or Slack. It may also involve sharing information in channels where it does not belong. For instance, if an employee were to accidentally share a private Zoom meeting link in a public Slack channel, without protections in place there’d be no way to remediate this. Similarly, such environments would be low-hanging fruit for a malicious insider who wished to harm your organization.
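As an added example (not code from the original post or from Nightfall), here is a minimal defender-side check for the scenario above: it scans constructed Slack-style messages for Zoom join links posted in public channels and returns findings with the meeting id and passcode redacted so they can be logged safely. The message fields, the link pattern and the Finding type are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed Slack-style messages (not real data). Each record carries the
# channel's visibility so public vs. private can be decided per message.
SAMPLE_MESSAGES = [
    {"channel": "#general", "is_private": False, "user": "U001",
     "text": "Board call: https://zoom.us/j/98765432109?pwd=s3cr3tPass"},
    {"channel": "#exec-private", "is_private": True, "user": "U002",
     "text": "Same link: https://zoom.us/j/98765432109?pwd=s3cr3tPass"},
    {"channel": "#general", "is_private": False, "user": "U003",
     "text": "Lunch at noon? https://example.com/menu"},
    {"channel": "#random", "is_private": False, "user": "U004",
     "text": "Recording later at https://company.zoom.us/j/11122233344"},
]

# Assumed Zoom join link shape: optional vanity subdomain, /j/<9-11 digit id>, optional pwd parameter.
ZOOM_JOIN_RE = re.compile(
    r"https?://(?:[\w-]+\.)?zoom\.us/j/(?P<meeting_id>\d{9,11})"
    r"(?:\?\S*?pwd=(?P<pwd>[\w.-]+))?"
)

@dataclass
class Finding:
    channel: str
    user: str
    meeting_id: str
    has_passcode: bool
    redacted_text: str  # safe to write to an audit log or alert

def redact(text: str) -> str:
    """Mask the meeting id and passcode so a finding can be logged safely."""
    def _mask(m: re.Match) -> str:
        out = m.group(0).replace(m.group("meeting_id"), "[REDACTED-ID]")
        if m.group("pwd"):
            out = out.replace(m.group("pwd"), "[REDACTED-PWD]")
        return out
    return ZOOM_JOIN_RE.sub(_mask, text)

def scan_public_channels(messages) -> list:
    """Return one Finding per Zoom join link posted to a public channel."""
    findings = []
    for msg in messages:
        if msg["is_private"]:
            continue  # the same link in a private channel is not an exposure
        for m in ZOOM_JOIN_RE.finditer(msg["text"]):
            findings.append(Finding(msg["channel"], msg["user"], m.group("meeting_id"),
                                    m.group("pwd") is not None, redact(msg["text"])))
    return findings
```

A link with a passcode in a public channel is the case that most needs prompt remediation (deleting the message and rotating the meeting passcode); the findings carry enough context to route that to the channel owner without re-exposing the secret.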
Preventing insider threats
While insider threats pose a persistent security challenge, with the right combination of tools and resources they can be properly addressed. None of the measures below should be thought of as a silver bullet on its own; together they form a mesh that supports your overall security program.
Conduct proper threat assessments
As we mentioned briefly above, during your security threat assessments you should be able to determine which of the causes of insider threat are most applicable to your organization’s particular IT environments, as each of these causes is best addressed through different means. Unintentional insider threat risk, for example, is usually addressed through training, like phishing tests. Malicious insider risk, by contrast, is addressed through the implementation of stricter security controls. These assessments will form the basis of the information needed to build a full insider threat program.
Build clear data governance policies
As we’ve stated before, poor data governance is a severe security risk for organizations. Not having a good understanding of what data governance policies are suitable for your organization will make it harder to educate employees about security best practices and understand the controls you need to implement in order to address risks like insider threats. If you already have a data governance policy in place, we’ve written a post about three considerations that will help you manage a remote workforce. These include:
- Building a strong security culture among your employees by codifying security policies into employee handbooks and other resources like security training libraries.
- Standardizing the tools and devices your organization will use while maintaining the flexibility to adopt vetted technologies that might not have been formally sanctioned by IT.
- Ensuring that you have appropriate visibility into your organization’s most sensitive assets, like business-critical data in SaaS or IaaS environments, for example with a cloud data loss prevention (DLP) tool.
Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data with workflows and remediation tools. Nightfall is designed to work with popular SaaS applications like Slack as well as IaaS platforms like AWS and repositories like GitHub. You can schedule a demo with us below to see the Nightfall platform in action.