Top 10 Tips on How to Avoid Damage From Insider Threats

Insider threats to enterprise IT systems are the top worry for many CISOs. The perfect recipe for insider cyber-crime combines financial stress with easy access to corporate data and a host of online black market outlets ready to turn information into cash. To effectively address cyber-crime like this, enterprises should use an inside-out security approach that monitors events and suspicious behaviors across their entire computing infrastructure. Prioritizing key assets that store information is the key to providing the necessary level of security to prevent, detect and respond to insider cyber-crime. This eWEEK slide show on avoiding damage from insider threats is based on industry information from Isaac Kohen, founder and CEO of Teramind, which monitors employees with an insider-threat prevention platform that detects, records and prevents malicious user behavior.

Every company has sensitive data, whether it’s financial information, customer lists or other IP. Management must make it clear what data must be protected. A good exercise is to ask, “If X data is compromised, what would be the worst-case scenario?”

It is important to know what data employees usually access and their typical user behavior pattern in the office. For example, monitoring activities such as file transfers, website visits and cloud uploads can give an employer insight to abnormal behavior when it occurs.

Organizations should not have weak enforcement of their data policies. For employees to understand the severity of data compromises, data policies need to be updated, enforced and shared within the organization regularly. And, if data does leave the organization, encryption can prevent it from being compromised. 

Most employers educate their employees about malware, viruses and cyber-attacks. However, employees must learn they can compromise data also by sharing unnecessary information with other employees within the company. They need to know there may be employees with malicious intent, or that other employees can compromise data accidentally.

Blocking all access isn’t efficient for employee productivity. By implementing user behavior monitoring and a risk-score system, employers can identify their highest-risk users. For example, an employer could assign a higher risk score to an employee who isn’t in sales but is constantly accessing customer details. 

Double authentication can help ensure employees aren’t using the credentials of other employees to access data. All critical systems should be managed via privileged access management so the organization can know who changed preferences, rules or access within the system.

Simply knowing about an insider threat isn’t enough—once the data is out, it’s gone. It is critical to catch the action while it is occurring and prevent the data from leaving your organization.

If an organization uses third-party vendors to manage any of its IT systems, it should implement the same type of monitoring tools for each third-party vendor as well. The ideal tools should allow visibility into any changes and log-ins made into the organization’s systems.

If organizations keep proper data about employee file access, they can go back and see if their implemented insider-threat policies completely protect their sensitive information. Reassessing policies and creating additional rules based on aggregated data are important in a successful long-term insider-threat policy.

Proactive policies are similar to automation; however, it’s important to consider the actual proactive measures. Do you want to lock the user out or do you want to prohibit the action and alert the employee? Organizations must decide how strict they want their proactive policies to be, as each offers alternative user consequences.