
Insider Threat: Save Your Own Goal Post

Insider threat can be managed by the combination of policies, procedures, and technologies that help minimize misuse

Supriya Rai

Insider Threat

One of the critical challenges faced by any Chief Information Security Officer (CISO) or security head is the insider threat. An insider threat could be an employee, former employee, contract employee, third-party partner, robot, or any form of AI system that has access to critical data and IT systems and could therefore harm the business. Notable cybersecurity Original Equipment Manufacturers (OEMs) and other researchers say that more than 50% of cyber issues are linked to insider threats.

Sujoy Brahmachari

Insider threats can be managed by a combination of policies, procedures, and technologies that help minimize privilege misuse and breaches of critical data. In the same vein, Sujoy Brahmachari, CIO and CISO of Rosmerta Technologies Ltd, shares a comprehensive security blueprint for guarding organisations against insider threats.

How to minimize the risk of insider threats:

  • Enterprise-wide risk assessments: Conduct assessments to understand critical assets, their vulnerabilities, and the threats that could affect them. Prioritize closing the issues found in the assessments, including various sensitive assets that can pose insider threats.
  • Document and enforce policies and controls: Ensure configurations are tightly done and maintain documentation for security solutions. Collaborate with the Chief Information Officer (CIO) team to create and enforce policies such as data classification and protection, incident response, third-party access, account management, user monitoring, and password management. All policies must be approved by management, clearly stating actions and penalties for violations.
  • Establish physical security: Outsource to a professional physical security company that strictly follows security policies. Implement strong access control in data centers and network rooms. Define a high-security area where devices like cell phones and smartwatches are restricted.
  • Implement security solutions: Deploy minimum solutions such as endpoint protection systems, intrusion prevention/detection systems, active directory, web filtering solutions, traffic monitoring/spam filter systems, privileged access management systems, Zero Trust (ZT) based VPN solutions, encryption and mobile device management solutions, and password management policies with at least two-factor authentication. Consider having a Security Operations Center (SOC) for real-time monitoring.
  • Harden network perimeter security: Configure firewalls properly, blacklist unnecessary hosts and ports, and whitelist only those needed. Create a Demilitarized Zone (DMZ) and segment the network into VLANs. Enable shadowing with video cameras and session screen-capture technology for monitoring critical facilities and privileged user activities.
  • Enforce segregation of duties and least privilege: Create policies requiring authorization from two users for copying data to removable media and approval from two system administrators for critical data deletion or configuration changes. Deploy role-based access controls and configure Group Policy to restrict unnecessary access.
  • Carefully recycle old hardware: Before discarding, erase all information from disk drives to make data unrecoverable. Destroy hard disks and devices containing critical information. Assign specific IT personnel to control this process.
  • Use log correlation and SIEM systems: Monitor critical logs, audit employee actions, and keep logs for multiple years. Implement log management and change auditing software for enterprise-wide visibility. Conduct periodic audits of systems and processes.
  • Implement secure backup, archiving, and recovery processes: Establish secure file and mailbox archiving, implement a backup system, and create a backup policy. Develop a disaster recovery plan based on business impact analysis and consider third-party risk assessments for outsourced backup and recovery processes.
  • Respond promptly to suspicious behavior: Monitor and respond to suspicious behavior in real-time. Control remote access and implement User Behavior Analytics (UBA) technology with SIEM for efficient detection of bad actors.
  • Define explicit security agreements with service providers: Spell out access restrictions and monitoring capabilities in particular. Conduct a risk assessment to ensure service providers pose an acceptable level of risk and comply with your organization's security practices.
  • Include insider threat awareness in periodic security training: Provide security awareness training to all employees and service partners before granting access to IT systems. Test employees against social engineering attacks and encourage reporting of security issues. Consider offering rewards for adherence to security best practices.
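Three of the controls above (two-person authorization for removable-media copies and critical deletions, log correlation in a SIEM, and user behavior analytics for prompt response) can be expressed as detection rules run over audit logs. The script below is an added example, not code from the article or from Rosmerta Technologies; the key=value log format, user names, and per-user baselines are all constructed for illustration and do not correspond to any real SIEM product. It flags actions that bypass the two-person rule, privileged changes made outside working hours, and a user's daily read volume far above their own baseline.

```python
"""Insider-threat log correlation (added example, not from the article).

Demonstrates three controls from the checklist as detection logic:
  * two-person rule for removable-media copies and critical deletions,
  * off-hours privileged activity,
  * per-user access volume far above a historical baseline (simple UBA).
All log lines, user names and baselines below are constructed samples.
"""
from collections import Counter
from datetime import datetime

# Constructed audit log lines in a hypothetical 'TIMESTAMP k=v k=v ...'
# format. Not the output of any real product.
SAMPLE_LOG = """\
2024-03-04T09:12:33Z user=alice action=file_read count=40
2024-03-04T09:40:10Z user=alice action=copy_removable count=12 approver=bob
2024-03-04T10:05:51Z user=carol action=copy_removable count=3
2024-03-04T10:30:00Z user=dave action=critical_delete target=db01 approver=dave
2024-03-04T23:15:42Z user=erin action=config_change target=fw01 approver=frank
2024-03-04T11:00:00Z user=carol action=file_read count=900
"""

# Constructed 30-day average of files read per user per day.
BASELINE_READS = {"alice": 50, "carol": 60, "dave": 20, "erin": 10}

TWO_PERSON_ACTIONS = {"copy_removable", "critical_delete"}
PRIVILEGED_ACTIONS = {"critical_delete", "config_change"}
OFF_HOURS = (22, 6)          # 22:00-06:00 UTC counts as off-hours
VOLUME_MULTIPLIER = 3        # flag when reads exceed 3x the daily baseline


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a parsed datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["count"] = int(event.get("count", 0))
    return event


def is_off_hours(ts):
    """True when the timestamp falls in the OFF_HOURS window (wraps midnight)."""
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def correlate(log_text, baselines):
    """Run all rules over the log and return a list of alert dicts."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    reads = Counter()

    for ev in events:
        user, action = ev["user"], ev["action"]

        # Rule 1: two-person authorization. A missing approver, or an
        # approver equal to the actor, means the control was bypassed.
        if action in TWO_PERSON_ACTIONS:
            approver = ev.get("approver")
            if approver is None or approver == user:
                alerts.append({"rule": "two_person_rule", "user": user,
                               "action": action, "ts": ev["ts"].isoformat()})

        # Rule 2: privileged change outside working hours.
        if action in PRIVILEGED_ACTIONS and is_off_hours(ev["ts"]):
            alerts.append({"rule": "off_hours_privileged", "user": user,
                           "action": action, "ts": ev["ts"].isoformat()})

        if action == "file_read":
            reads[user] += ev["count"]

    # Rule 3: access volume far above the user's own baseline.
    for user, total in reads.items():
        base = baselines.get(user)
        if base is not None and total > VOLUME_MULTIPLIER * base:
            alerts.append({"rule": "volume_anomaly", "user": user,
                           "reads": total, "baseline": base})

    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG, BASELINE_READS):
        print(alert)
```

Run against the sample log, the script raises four alerts: carol's removable-media copy with no approver, dave approving his own critical deletion, erin's firewall change at 23:15 UTC, and carol reading 900 files against a baseline of 60. The baselines stand in for the multi-year log retention the checklist calls for; in practice they would be computed from the SIEM's own history rather than hard-coded.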