While most cyberattacks are external in origin, the most costly ones are the ones that come from within, according to Rob Rachwald, senior director of research for FireEye, who spoke at the Interop conference in New York this week.
Rachwald defined an insider threat as what happens when "someone who has trust and access acquires intellectual property in excess of acceptable business requirements." That can happen maliciously -- an employee straight-up stealing data -- or accidentally, or a person can even be infected. But if it does happen, it's costly, with an average of $412,000 in cost to enterprises per insider-related incident.
"The main thing here is deterrence," Rachwald says. "You can't predict who's going to go rogue. You want to focus on deterrence. And remember, while less than 1% of your employees may be malicious insiders, 100% have the chance to be accidental insiders."
Rachwald identified 3 practices that can help companies mitigate the danger from these kinds of attacks:
- Work closely with legal and HR. "You create a bunch of scary procedures so people comply," Rachwald says. He used the example of a bank where, immediately following termination, an employee got a letter from legal detailing what data the company knew the employee had access to and explaining that the employee would be the target of an investigation if that data ended up outside the organization. Rachwald also recommends reviewing contracts with IT partners and working with them around e-mail and social use to prevent leaks from their end.
HR is similar to legal, but not exactly the same, Rachwald notes. "The No. 1 thing is onboarding and offboarding. Working with them to do background checks. Then in the process of offboarding, HR can identify if there was any sort of weird behavior taking place," he says. "The other area is around training. We saw a large manufacturer who would do very large security training sessions in conjunction with HR. They spent half the time explaining how to make your family more secure at home, and then how to make the company more secure later." That added value is credited with driving more engagement with best practices, he said.
- Leverage analytics to scale your security team to the enterprise. Rachwald recommends embedding information security personnel in each line of business within an organization. "Small companies do a centralized model overseeing security, but the largest companies use an embedded security personnel approach," he says. "Security works with the line of business, finding out who has access to what, then recognize key events: job changes like terminations being an obvious one."
Rachwald also says companies should lock down admins and super users and develop a separate policy.
"Today, SharePoint admins are having a lot of fun with their admin privileges, looking at all sorts of salary information," he says. "When people go rogue, it's unpredictable, but the way they do is predictable. Bradley Manning, for example, wrote a short script that downloaded things out of SharePoint. Map your threats."
- Focus on education. In addition to the manufacturing example from above, Rachwald says it's useful to just be clear to your employees that they are being scrutinized. In addition, build an environment where it's clear security is taken seriously.
"Identify examples of data breaches in the industry, then put them in a newsletter," he says. You can do something like that about twice a year. People also tend to go to the usual news sites for understanding what's going on in terms of insider threats.
This is also a role for automation, Rachwald adds: "You put in basic controls, then decide what has to be automated. That can include online training on fraud prevention."