Insider Threats Thrive on the Gaps Between People, Process and Technology

Insider threats are climbing up the security agenda. IBM’s recently published 2015 Cyber Security Intelligence Index found that over half of data breaches are caused by insiders. And with insider threats underpinned by access to trusted credentials, they are difficult for security professionals to combat effectively.

In popular thinking, insider threats are more often than not perceived to be malicious in intent, along the lines of the Snowden case. However, according to IBM’s recent report, over 95% of insider threats are actually caused by human error. So while covert plotters are not to be dismissed, the true insider threat is the result of careless or uninformed behaviour.

A wide variety of IDaM and access control solutions are available, so the challenge is not driven by a gap in security vendors’ portfolios. But there is clearly a missing ingredient that is allowing the insider threat to persist to the extent that it does. In PAC’s view, as is often the case for IT challenges, the answer lies somewhere between the human and the technical sides of the equation.

Fundamental to the issue is a lack of basic ‘security hygiene’ awareness. Despite the succession of high-profile security breaches, simple elements of best practice are being flouted. Perhaps most infamously, the Sony Pictures breach of December 2014 revealed that (at least) one employee stored their passwords in a folder titled ‘passwords’.

So what can be done about the problem? As is often the case for IT security, context is increasingly seen as part of the solution. For example, when PAC met up with user security specialist IS Decisions this week to discuss its UserLock product, contextual insights featured just as prominently as Active Directory control.

As well as simply preventing and/or creating alerts for unwanted or unusual behaviour, UserLock monitors and logs activity in real time. This insight is then presented back to administrators and security professionals through a central portal. With a configurable dashboard that identifies and prioritises events based on client-specific risk characteristics, responses can be planned based on the level of threat.

In PAC’s view, just as important as providing the insight into suspicious behaviour is how this insight is acted upon. Providers such as Symantec, which offers its own analytics-based threat protection solution (leveraging its massive ‘global intelligence network’ of telemetry), aim to support customers in building awareness among the users. Unsuspecting insider threats can be identified, and remedial steps such as training and coaching can be taken.

No matter how stringent the technologies and processes a company adopts, users may be unaware of the risk involved in their behaviour. For example, sharing login credentials with a colleague or opening a link in an email may seem innocuous to the uninitiated, but can potentially expose the organisation to significant risk. It is clear that technologies exist to help prevent and even remediate these risks. But prevention is better than cure, and here a human touch is required.