How to protect sensitive cloud environments from persistent insider threats
March 13, 2019
Steve Armstrong, Regional Director of UK, Ireland, and South Africa at Bitglass, discusses the four main types of insider threats and the technology that modern financial institutions can use to defend against them
The danger posed by insider threats isn’t new, but, in the financial services industry, it’s currently at an all-time high. These types of threats are those that come from within an organisation, rather than from the outside.
According to the 2018 IBM X-Force Threat Intelligence Index, the financial services industry has been the most-attacked industry two years in a row. Of course, these aren’t all malicious acts. Many insider threats are simply careless workers failing to follow correct protocols. Unfortunately, whether there is malicious intent or not, the result is usually the same – sensitive data loss.
Cloud adoption and the rise of bring your own device (BYOD) have significantly increased the prevalence this threat by making sensitive information much more readily accessible. At the same time, the business benefits of these technologies simply cannot be ignored; consequently, they are growing in popularity even among financial institutions.
As a result, it falls to cybersecurity professionals to discover the correct way to adopt new technology and maintain data security. Unfortunately, without the correct tools, it is highly difficult to detect anomalous or careless employee behaviour in cloud-based IT environments.
As such, many financial services organisations looking to deploy these technologies must revise their approach to security – failure to do so will inevitably lead to data breaches.
Before exploring the appropriate security solutions, it’s important to understand the four most common insider threats that organisations face today.
1)The unintentional threat
As mentioned above, insider threats aren’t always malicious. While disgruntled workers clearly pose a serious threat to organisational security, careless employees can be just as problematic. In fact, the aforementioned threat intelligence analysis found that 53% of all cyberattacks in the financial sector throughout 2016 were the result of actions by inadvertent insiders.
These individuals may unintentionally compromise security by using unsecured public Wi-Fi, losing credentials, clicking on suspicious email links, misplacing their mobile device, or sharing sensitive information with unauthorised parties by mistake. Each of these mishaps offers criminals a way in that wouldn’t have existed otherwise.
2) The malicious actor
Malicious employees are individuals that intentionally set out to steal company information. The reasons for this can range from financial gain and revenge to corporate espionage. While this group is a small minority, their impact can be significant.
The reason they can cause massive amounts of damage is because they usually possess legitimate IT credentials that allow them to bypass organisational security without raising any suspicion.
If such an individual occupies a senior or administrative role, she or he may even have unfettered access to an organisation’s most sensitive information. In the case of financial services, rogue traders would also be considered malicious insiders due to their use of legitimate credentials to conduct unauthorised activity.
3)The third-party employee
Third parties are often overlooked by organisations when they are planning or amending security strategies. This is a costly mistake. Many third-party employees, such as agency contractors, operate as fully integrated members of an organisation – they are often provided with legitimate IT credentials.
They may also have detailed knowledge of internal processes and controls, making them just as knowledgeable about security procedures as a genuine employee.
4) The compromised account
Compromised credentials represent a significant danger to any organisation, acting as an open door to a wealth of sensitive information. A recent example of this is the 2018 HSBC bank data breach, where hackers used a stolen administrator account to access users’ accounts.
Breaches involving credential compromise can take a long time to uncover. From an IT perspective, it can appear as though account hijackers are simply regular users, making it challenging to detect password appropriation unless they do something particularly suspicious.
The unpredictable, stealthy nature of insider threats (combined with the highly sensitive data that every financial services organisation must protect) means that a multi-layered approach to security is essential. Below are four key areas that must all be addressed in order to achieve robust protection for cloud-based environments.
1) Identity and access management (IAM)
To defend against malicious and careless insiders, it’s imperative that organisations verify users’ identities and only grant data access to appropriate parties. Reliance upon traditional alphanumeric passwords simply isn’t adequate for protecting the highly sensitive information that is stored in most financial institutions’ cloud environments.
Instead, organisations must leverage multi-factor authentication (MFA) to add extra layers of protection. Other needed capabilities include contextual access control, which uses factors such as job function and geographic location to govern data access, as well as session management, which automatically logs inactive users out of corporate applications to prevent account hijack and unauthorized access.
2) Data loss prevention (DLP)
The use of cloud DLP allows employees to work securely – wherever they want, whenever they want, and from the devices of their choosing. A typical cloud DLP offering should include watermarking (for tracking), file and field-level encryption, redaction, and other features that help ensure sensitive data never gets into the wrong hands.
In today’s data-heavy business world, even the best security analysts can’t manually identify and analyse all of the potential threats to their cloud security, making automation an increasingly valuable tool.
Modern automation solutions employ machine learning to identify malicious or suspicious behaviour as it takes place; for example, employees accessing documents that aren’t pertinent to their jobs, or workers who suddenly, uncharacteristically download large amounts of sensitive information.
These tools learn over time, meaning that they generate fewer false positive the more that they are used; in other words, they become more accurate at spotting anomalous behaviour.
4) Security training
While technology can be a powerful way to improve data security, something as simple as employee training can also play a key role. Regular updates and refresher courses ensure data protection stays top of mind and keeps employees abreast of the latest best practices. Through discussions about the importance of defending data and the consequences of failing to do so, threats like theft and leakage can be reduced.
For financial services firms, adopting cloud technology and enabling BYOD is significantly improving business agility; however, it is also breeding concerns about the growing prevalence of insider threats.
By better understanding these threats and taking the time to formulate a robust, multi-faceted security strategy, many of these vulnerabilities can be mitigated or even eliminated entirely. In this way, the enterprise can ensure around-the-clock data protection as well as optimum business efficiency.
Ben Bulpett, EMEA Director, SailPoint, explores how organisations can safeguard against the insider threat. Today, a job is no longer for life. Job hopping, second careers and the ‘portfolio’ career are all …