Category: Insider Threats

How To Embrace and Manage Shadow IT The Right Way

Mix one part listening, two parts technology to unleash creativity and manage risk
It might sound like something out of a crime drama, but Shadow IT is a common, everyday occurrence. And it has been happening in organizations (yours included) for decades. Within IT, Shadow IT can be a thorn in your side or a chance to make real business and process improvements. It’s all just how you look at it.
Shadow IT is both a risk and an opportunity, and if you look at the intent behind why someone is playing out of bounds, you’ll learn something about how people work.
What is Shadow IT?
Shadow IT is when an IT or security department is kept in the dark while an employee or department makes a change to their hardware or software. It can be departments installing their own software or an employee making unauthorized changes to their computer. Even employees using a new cloud service not approved by the company is Shadow IT. Anything people do outside of established policies or standard apps is Shadow IT.
Not Just Hardware and Software
Shadow IT usually involves hardware and software, but it goes beyond that: your company’s BYOD policy can be officially unofficial Shadow IT too. When you allow people to use their own devices to connect to your network, they could pose as much of a risk as installing software or hardware on a corporate desktop without permission. Any hardware, even old laptops that have been decommissioned or servers in a test environment, that finds its way onto your production network can be considered Shadow IT.
Shadow IT Risks
While there may be the odd employee who is intentionally malicious—the Equifax hack is a good example—most of the time Shadow IT isn’t malicious. People are trying to get their jobs done and see a solution that solves a problem for them; it’s just that the solution hasn’t been blessed by IT. Good intentions, but still a potential risk to the company.
Read: Have You Defined Your Insider Threats?
Shadow IT presents four broad kinds of risk to a company:

support and resources

Financial Risks
There are financial penalties for having illegal licenses, but it doesn’t end there. Large software vendors conduct regular licensing audits looking for illegal copies and fraudulent licenses. If your company has illegal licenses, there are fines and penalties to contend with. The costs of getting caught are usually more than the cost of getting a legitimate license in the first place.
Licensing is just part of the cost puzzle. If two separate departments buy licenses for the same tool, or very similar tools, the company could be wasting money by missing out on volume purchases and negotiating a better enterprise license. Centralizing licensing saves money and ensures there is good oversight of security, including data security—more on that in a moment.
Cost of Support
The best way for an IT organization to be successful is standardizing the tools it supports. Approving every app means not only keeping on top of licenses and supporting hundreds of apps, but also dealing with software and driver conflicts. There is no practical way for any IT department to keep up to date on apps used by only a few people.
If your employees are installing software on their machines without a proper license—you could be in big trouble. And not for the (monetary) reason you’re probably thinking of first.
Security Risks
If an employee downloads a “cracked” version of Photoshop (for example)—a modified version that doesn’t require a license code to work—you can be almost certain your employee is getting Photoshop with a side of malware. Cracked versions of apps—especially expensive ones—have been tampered with by some person on the Internet. You don’t know what they did to it. You don’t know if they injected something else into the installer. Not to mention, the cracked version probably doesn’t call home to check for updates.
One person trying to save the company a few bucks could unwittingly release a virus, ransomware, trojan horses, or network snooping tools into your company right under your nose.
We talked about security in terms of cracked apps, but there is another side of security people forget about—managing passwords and data. Imagine if people used Dropbox, Box, OneDrive, and iCloud to save and share files over the Internet. That means there could be myriad copies of sensitive documents all across the internet with little regard to access control or who might be sharing passwords. IT needs to keep company data secure and it can’t do that if employees are sharing files with people over an unrestricted number of services.
Shadow IT as a Productivity Killer
Finally, there is the cost of lost productivity when little islands form around the company, each only able to share and communicate within a single department. For example, Marketing and Graphic Design start using Slack to collaborate, but so does Product Development—except they don’t share an account. Three departments, two Slack accounts, no sharing. Slack versus Teams, or Asana versus Jira. All create ways to collaborate, track work, and share documents—but they don’t talk to each other very well. How does someone in Marketing share something with Product Development and IT? Whose tool do you use? No matter what, someone is going to juggle (at least) two separate tools. Not the best way to stay focused at work.
Why Shadow IT in the First Place?
Shadow IT starts with someone hitting a snag or having a little bit of frustration trying to get their job done. “It would be so much easier to share these huge files with the printer over Dropbox…”, “My team needs to get organized, I hear good things about Trello…”, “I need this one-pager done today and I can’t get any graphic design resources, I can do this in Canva”, “I need Photoshop for this little graphic to post on social media, no way I’ll get approval to buy it, I’ll find a free version…just for this, what’s the risk?”
And Shadow IT is born.
People need to get something done and they either don’t know there is a corporate solution already or the red tape to go through official channels is too much trouble—or takes too long—to meet their deadline. No matter the rationale, an employee felt it was easier to go around IT than to work with IT. Understanding why people are forging their own path is the first step to managing Shadow IT.
Managing (Not Embracing) Shadow IT
The focus of this article is to get companies to embrace the Shadow IT mindset, but not the shadow. You’ll never be able to stop it altogether. Shadow IT happens and will always happen. You don’t have to embrace it, but it’s critical you accept employees will do what they need to do to stay productive—even if it means flying in the face of IT policy. The question that needs to be answered is: How do you help people get their jobs done and keep your IT house in order? It’s the balance between rigidly following the rules and flexibly finding new solutions to common tasks.
Take Dropbox, for example. You have a corporate account, so you have control over how and where documents can be shared. You set the security settings to prevent employees from sharing documents outside of the company. While this stops users signed in to the corporate account, what about the people who are using a free or personal Dropbox account? What if the CEO needs to share a document with outside legal counsel? That should be allowed, right? You have a trusted supplier for printing and graphic design, and Marketing needs to share documents with them all the time. Asking permission to share documents over and over and over creates frustration and resentment. Suddenly people get fed up and use a personal Dropbox account instead.
Addressing issues like this is the low-hanging fruit. Generally speaking, however, managing Shadow IT boils down to maintaining visibility of all these endpoints. Even if you don’t have policies in place, you can deploy software today to do all the monitoring of your environment. You can get a handle on all the cloud services used at the company—which might scare you—but it’s the essential first step to getting a handle on the situation.
Read: Three Steps To Strengthen Enterprise Endpoints
Embrace Creativity, Not Shadow IT
Every organization has people from all different cultures, companies, and countries who have great ideas they bring to the table. Maybe they started in a garage in San Jose or from the unauthorized laptop of a user, and it ends up being a project or product that the company eventually puts into production. I’ve seen it over and over again. What you don’t want to do is squelch people’s creativity and thinking. The question becomes: how do you turn that energy into something positive for the company and not a disaster in the making?
It’s tough, because unless you’re going to create a totally sandboxed environment that’s safe for people to play around in (and I recommend this), you can’t completely stop Shadow IT. Shadow IT is the spark that could lead to something great—the first company websites were often Shadow IT projects—like finding a better tool for project management or CRM or document management. People faced with a problem will find solutions. Your challenge is to embrace creativity while having the right discussions with people to bring great ideas out of the shadows and into the whole company. No matter who you are or where you fit in your organization, with the right toolset you can have visibility and understand the risks.
Learn how Absolute Application Persistence helps organizations address pressing security concerns regarding application visibility and vulnerability by downloading our Application Persistence Whitepaper.

Five Quick Tips to Help Companies Mitigate Insider Threats

Traditionally, the insider threat was defined as an employee with malicious intent to harm the company by stealing data or property, sometimes even transcending the IT realm in incidents like workplace violence. But today, the most insidious form of insider threat is from people who are just irresponsible. For example, if a company-issued laptop is left in a car that gets broken into, and the laptop gets stolen — that is an insider threat. The good news is that you can teach people to be responsible. In this post we will share the most common mistakes employees make that create risk, plus five quick tips that can help companies mitigate insider threats.
Types of Insider Threats
The term insider threat is broad in scope and can cover many different examples. Here in the Investigations & Recovery Services team at Absolute, we began categorizing the different scenarios in which endpoints can be at risk to be lost or stolen, and what we quickly realized was that almost all of them resulted from some insider threat.
Read: The Evolution of Insider Threats
While most of the headlines proclaim the biggest threats to an organization come from hacking and ransomware (which are undoubtedly non-malicious insider threats when an employee clicks on a link they shouldn’t have), the most likely cause of data loss is not due to malicious cybercriminals, but simple human nature.
Every year, thousands of endpoints are lost or stolen in coffee shops, bars, airports, taxis, parking lots, hotels, conferences, restaurants, subways, offices, schools, buses, and residences. Often, the endpoint is left unattended in one of these places, either intentionally or accidentally, and before the user realizes it and can return to collect their belongings, the endpoint – and the data it contains – is gone.
Physical Endpoint Protection
For this article, we will be focusing primarily on the insider threat to an organization’s physical endpoints.
We hear about employees leaving laptops in their cars all the time. They’ll cover them with a towel or something, or they’ll leave them in a backpack left on the seat.
When they return to the car, they discover that a thief has stolen it.
It’s a common scenario.
Stolen devices can quickly and easily be converted to cash by criminals, who often take it to a pawn shop, computer repair store, or a local individual who is familiar with computer basics, where the hard drive may be replaced. The facilitator may actually purchase the stolen computer from the thief and attempt to resell it to an unsuspecting customer. Stolen computers are routinely purchased by innocent third parties on eBay, Craigslist, and other apps like OfferUp. According to Statista, only about 6% of stolen electronic goods in 2017 were recovered, mainly because law enforcement rarely has any clues as to where stolen property is located.
One of the most important takeaways we can offer here is that companies need to develop policies regarding these types of threats. We see endpoints being stolen all the time, but it appears many companies don’t have enough of a policy to enforce any disciplinary actions.
Every company should have some sort of best practices guide for physical device security.
If your organization is in the healthcare industry, a stolen laptop could mean disaster, with the loss of the physical device representing the least of your worries. The loss of data and the potential leaking of personally identifiable information is the critical concern. For some, it’s not a data problem; it’s an access problem. If your organization is in education, there’s very little if any sensitive information on the laptop. But if ten laptops get stolen, ten kids won’t be able to study.
There’s a balance between meeting the need and protecting the property.
What’s Easier to Enforce?
It’s critical to compare the threat of unintentional loss of data (from phishing or not using a VPN) to the physical loss of endpoints. From my perspective, I understand the risks involved when you log on to public Wi-Fi and those types of corporate directives designed to prevent someone from hacking your connections, but those aren’t the typical stories we hear. More commonly it is someone that has logged into a Starbucks network, then they go to the bathroom for two minutes and when they return, their laptop is gone. That happens every day. We can talk about all the man-in-the-middle attacks – and it happens – but it isn’t as frequent as the physical threat to our endpoints.
It’s easier and more effective to teach someone not to leave their laptop unattended than to teach them about Wi-Fi spoofing. More employees can relate to “don’t leave laptops where someone can grab them.”
Read: Have You Defined Your Insider Threats?
Endpoint Security Best Practices Guide To Prevent Insider Threats
Finally, here are five quick tips for companies to follow that, if enforced, should go a long way in preventing this type of insider threat.
A quick reminder about what constitutes an endpoint: an endpoint is essentially any remote device that sends and receives communications with the network to which it’s connected. Endpoints can include:

POS Systems

Five Quick Tips to Mitigate Insider Threats

Many endpoints are stolen in broad daylight when they’re temporarily left unattended in a public place, even if only for a minute or two. When in public, personal belongings should be kept in sight and never left unattended. Equally important, organizations should have a policy addressing the need to protect company property like endpoints and should inform employees of the potential repercussions if the policy is negligently violated.
Endpoints should not be left in an unoccupied vehicle. If this isn’t possible, it should be placed in the trunk or covered up completely so it can’t be seen through the car windows.
Office creepers rely on the fact that most people are non-confrontational, so they will look for opportunities to access secure places and systems. An organization should have a sign-in system for visitors, and shouldn’t let unaccompanied visitors into the work area.
Access to secure areas should be restricted to authorized individuals. Make sure secure doors close and latch behind you and that nobody is trailing you. If a secure door is propped open or damaged—or if you see someone or something else out of the ordinary—alert your security team immediately.
Endpoints should not be left unattended in an unlocked meeting or conference room. Additionally, endpoints should be locked in a desk drawer or cabinet during off-hours. Thefts have been known to be committed by cleaning crews, maintenance staff, and temporary workers.

No matter what cybersecurity incident occurs in your organization, reacting in panic can create more harm, exposing your organization to further liabilities. You need a tested cyber threat response plan at-the-ready to jump into action immediately and neutralize the threat — before it takes control.
SANS Institute and Absolute have teamed up to assemble the key components you need to include when building your plan.
Watch our webinar Cyber Threat Checklist: Are You Prepared to find out the must-have items to include in a cyber-threat checklist to prevent future incidents.

Insiders: the top threat of 2018

2017 brought a deluge of ransomware attacks and data breaches that caused headlines around the world. From the classroom to the boardroom, cybercriminals made their presence known. But in 2018, companies must also turn their attention to the rapidly growing presence of insider threats.
In my recent conversations with security professionals, the discussion has moved beyond debating what potential harm insiders could cause, to actually preparing for ways to detect and respond to security incidents.
Many organizations still believe the definition of an insider threat to be along the lines of a disgruntled employee who goes rogue, or one who sells company data and information on the Dark Web. And while these definitions still hold true, we must also prepare for many additional iterations of the insider threat.
Most recently, my colleague Richard Henderson elaborated on the many faces of insider threats, noting that in many cases, these threats were not malicious in nature. Overlooking security controls on cloud sharing services, unknowingly joining hostile Wi-Fi networks, leaving workstations unlocked all qualify as a threat. To err is to be human, and mistakes happen. But while employees may not act maliciously, these actions pose serious and real risks. In fact, we know that up to 43% of all data breaches are the result of insiders either inadvertently or maliciously putting data at risk.
Outpacing Insider Threat Evolution
Insider threats will continue to evolve in 2018, and companies will need to outpace this evolution in order to protect against, and mitigate these threats. This will require a robust and evolved security strategy, but on a base level, companies need to gain visibility into their endpoint devices. It is also critical to identify potential compliance and regulatory violations, and for companies to be on alert to the movement or storage of important data – whether it be customer or proprietary data. Knowing what important information exists on your company’s endpoints allows you to better quantify, and qualify, the risks inside your organization.
If the best offense is a good defense, then ensuring visibility and protection of your endpoints should be priority number one. At Absolute, we use our position embedded in the firmware of over one billion devices to help give visibility into and control over your important data assets. Our data at-risk discovery tools give you the ability to scan endpoints for sensitive files and remotely protect or remove them from the identified endpoints before they can be exfiltrated to external storage devices or to the cloud. Our Insider Threat Prevention solutions also help you see all endpoints on and off the corporate network, remotely delete sensitive data on compromised devices, self-heal corrupt applications and understand the risk posed by users.
For more information on how to mitigate the risk of insiders, check out our whitepaper: The Enemy Within – Insiders Are Still the Weakest Link in Your Data Security Chain.

5 Ways to Improve Insider Threat Prevention

If you browsed the latest security headlines, you’d probably think the majority of data breaches were related to hackers, political activists, malware or phishing. While the latter two hint at it, the truth is that nearly half of all data breaches can be traced back to insiders in some capacity.
While we recently examined the rise of the politically motivated insider, the truth is that most incidents are traced back to employees who are just negligent or unaware, whether it’s accidentally emailing customer data to an external party or clicking a phishing link. I was recently invited to join the Forbes Technology Council and I wrote about The Many Faces of Insider Threats, where I examined the different ways an insider can create an incident within your organization. Today, let’s take a closer look at the negligent insider.
Negligent Insiders Are the Hardest to Identify
Most “mistakes” come from negligent insiders. Unfortunately, these insiders are often the hardest to identify. With no malicious intent, these employees are just trying to be productive and independent, which sometimes leads them to circumvent IT, download insecure apps or mistakenly click that phishing link. The ‘ways’ that insiders put data at risk are always changing.
A combination of education and technology is the best approach to detecting and remediating negligent user behavior. While security training is pretty standard these days for new employees, it’s not uncommon for most organizations to forget to build in reminders or to update training over time. Employees may simply forget they aren’t supposed to email data or use open Wi-Fi networks.
Insider Threat Prevention Requires Visibility
With the explosion of cloud storage and SaaS and the growth in IoT, OT and IIoT devices, there are now more ways than ever for data to be inappropriately shared, making it difficult to be 100% certain where company data and sensitive information may end up.
While I expect big things to come out of intent-based security, machine learning and AI, we don’t need to look to future technology to solve all of today’s problems with insiders. We’ll never shore up all the cracks in data security, but we can most definitely improve on the status quo.

Watch the movement of data – you need to be able to watch for the movement of critically important internal and customer data as it traverses within (and outside) your environment. Most organizations are solid on network monitoring, but lack control and visibility over data as it moves onto devices or into the cloud.
Monitor for Shadow IT – look for applications and tools that have not been approved or vetted by your IT and security teams for use. While blocking all non-approved apps and tools could clamp down on productivity, it is critical to have plans in place for when these apps may compromise sensitive data.
Address endpoint security – ensure the physical security of your employee devices and the corporate data stored on those devices.
Have a solid asset management solution – such a solution gives you the capability to immediately respond to a lost or stolen device, closing the window of opportunity for an attacker to capitalize on the data or network access associated with a stolen device.
Choose strong security layers – back up your asset management solution with full disk encryption, anti-virus and anti-malware, and a VPN to minimize access to a device and the data it contains.

Threats posed to your organization’s data aren’t always going to be malicious, but the risks they pose are serious and real. Being able to understand the multitude of ways that data can be stolen and what those threats look like is critical to building a resilient enterprise that puts the protection of your data and your customers’ data first.

Political Activists: A Powerful Insider Threat

A single person inside your organization holds the power to disrupt and cause costly damage. Up to 43% of all breaches are the result of insiders either inadvertently or maliciously putting data at risk, but it’s these privileged insiders that hold the necessary credentials and access to cause significant reputational damage. By far, the most nefarious of these insiders is the malicious insider with a strong moral, religious or political agenda.
In the past several years, we’ve heard about the rise of cyber crime syndicates and hacktivists, but these politically motivated attacks come from the outside. Here, we’re talking about attacks that originate from the privileged insider. These political activists are the latest form of insider threat – and they’re on the rise.
Political activism has been at the root of many incidents in the past and again in November’s Twitter scandal, where a single employee decided to delete President Trump’s Twitter account on their last day working at the organization. As I outlined in The Power of a Single Insider, a post I wrote for CSO Online, this incident is a harsh reminder for organizations to both understand critical points of failure and to assess current ways for monitoring the most privileged users.
The Danger of the Politically Motivated Insider
The Malicious Insider can cause a lot of damage, particularly if they are politically motivated. They already have the access and credentials to gain entry to your infrastructure and sensitive data. If their goal is politically motivated, they are going to want to spread the sensitive data far and wide, as quickly as possible.
Unfortunately, most malicious insiders aren’t often caught until the damage has been done. The scope of the damage caused by politically motivated breaches has led to Edward Snowden becoming a well-recognized name. It’s likely we’ll see more names elevated to household status until organizations rethink how to detect and prevent these kinds of insider threats.
Best Practices for Insider Threat Prevention
As with most IT scenarios, your best chance to mitigate these destructive political activists is to focus on prevention.
The best practices for improving your insider threat prevention program for malicious insiders are to:

Define acceptable baseline behavior and data access for people, based on their roles and responsibilities
Monitor for deviations in activity
Investigate noncompliant activity immediately
Invoke preemptive security measures, such as denying access or removing sensitive data from an endpoint, as soon as a potential compromise is discovered. Ideally, such actions are automated.
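
As an added illustration of the four steps above (example code written for this page, not code from the original post or from Absolute), the following Python script derives a per-role baseline from constructed historical access events, flags deviations in new events, and maps them to an automated response. The event format, the business-hours window, the volume threshold and the response labels are all assumptions.

```python
"""Role-based baseline, deviation detection and automated response (constructed sample)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample of historical, reviewed-as-acceptable access events.
# Columns: user, role, timestamp, resource, bytes moved, destination.
HISTORY = """\
alice,finance,2018-03-01T09:12:00,payroll.xlsx,120000,endpoint
alice,finance,2018-03-02T10:40:00,ledger.csv,300000,endpoint
bob,finance,2018-03-01T11:05:00,ledger.csv,280000,endpoint
carol,marketing,2018-03-01T14:00:00,campaign.pptx,2000000,endpoint
carol,marketing,2018-03-02T15:30:00,logo.psd,5000000,endpoint
"""

# Constructed sample of new events to evaluate against the role baselines.
NEW_EVENTS = """\
alice,finance,2018-03-05T10:00:00,ledger.csv,310000,endpoint
bob,finance,2018-03-05T02:15:00,payroll.xlsx,150000,usb
carol,marketing,2018-03-05T13:00:00,ledger.csv,300000,cloud
dave,finance,2018-03-05T11:00:00,ledger.csv,9000000,usb
erin,finance,2018-03-05T21:00:00,ledger.csv,200000,endpoint
"""

WORK_HOURS = range(8, 19)  # assumption: 08:00-18:59 counts as normal business hours
VOLUME_FACTOR = 2          # assumption: more than 2x the role's historical max is a spike
HIGH_RISK = {"resource outside role baseline",
             "destination outside role baseline",
             "volume spike"}


@dataclass
class Event:
    user: str
    role: str
    when: datetime
    resource: str
    nbytes: int
    destination: str


@dataclass
class Baseline:
    """Step 1: acceptable behaviour for a role, learned from reviewed history."""
    resources: set = field(default_factory=set)
    destinations: set = field(default_factory=set)
    max_bytes: int = 0


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        user, role, ts, resource, nbytes, dest = line.split(",")
        events.append(Event(user, role, datetime.fromisoformat(ts),
                            resource, int(nbytes), dest))
    return events


def build_baselines(events):
    baselines = defaultdict(Baseline)
    for e in events:
        b = baselines[e.role]
        b.resources.add(e.resource)
        b.destinations.add(e.destination)
        b.max_bytes = max(b.max_bytes, e.nbytes)
    return dict(baselines)


def detect_deviations(event, baselines):
    """Step 2: list every way this event departs from the role baseline."""
    b = baselines.get(event.role)
    if b is None:
        return ["no baseline for role"]
    reasons = []
    if event.resource not in b.resources:
        reasons.append("resource outside role baseline")
    if event.destination not in b.destinations:
        reasons.append("destination outside role baseline")
    if event.nbytes > VOLUME_FACTOR * b.max_bytes:
        reasons.append("volume spike")
    if event.when.hour not in WORK_HOURS:
        reasons.append("off-hours access")
    return reasons


def respond(reasons):
    """Steps 3 and 4: investigate any deviation; act automatically on high-risk ones."""
    if not reasons:
        return "allow"
    if HIGH_RISK & set(reasons):
        return "deny-access-and-remove-data"
    return "alert-and-investigate"


def triage(history_text, new_text):
    """Return (user, action, reasons) for each new event."""
    baselines = build_baselines(parse_events(history_text))
    return [(e.user, respond(detect_deviations(e, baselines)), detect_deviations(e, baselines))
            for e in parse_events(new_text)]


if __name__ == "__main__":
    for user, action, reasons in triage(HISTORY, NEW_EVENTS):
        print(f"{user:6} {action:28} {', '.join(reasons) or '-'}")
```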

For most organizations, insider threat prevention often focuses on the network. Most organizations have pretty decent controls to monitor for network behavior, but once that data moves to the endpoint (whether it’s a USB drive or a mobile device), most organizations have no way to detect suspicious behavior, particularly if that endpoint moves off network.
You can invest in the best firewalls, network access controls, encryption, and SIEM technologies on the market, but your organization will still come up against the fallibility of endpoint security agents, which are inherently vulnerable. Traditional endpoint security agents can be corrupted, compromised and disabled, or simply lack the updates they need to work properly.
At Absolute, we use our privileged position embedded in the firmware of over one billion devices to help monitor your important data assets. Our data at-risk discovery tools give you the ability to scan endpoints for common or customized sensitive files and remove them from the identified endpoints before they can be exfiltrated to external storage devices or to the cloud. Our Insider Threat Prevention solutions help you identify and remove suspicious individuals, get proactive alerts for suspicious activity, remotely delete data to remediate security incidents and solidify endpoint security protections with automatic reinstallation support.

The Evolution of Insider Threats

October is National Cyber Security Awareness Month, a global campaign run annually to raise awareness about the importance of cybersecurity. We’ve asked some of our leading security experts here at Absolute to chime in on some of the most pressing issues in cybersecurity today. In the fourth and final part of this series, we bring you a glimpse of what the future looks like for one of today’s most serious threats, the insider. Richard Henderson, our Global Security Strategist, discusses his thoughts on how this risk will evolve and provides ideas on what to do about it. You can also read last week’s Cybersecurity Awareness post, 10 Ways to Rethink Healthcare Security by Kevin Golas.
I spend a lot of time thinking about what cyber security will look like in the future. I think about how fast things seem to be changing in our lives from every angle and if we’ll ever be able to get ahead of it all. With that in mind, and with October being Cyber Security Awareness Month, I thought I’d spend some time considering what continues to be an elusive, critical threat: the insider.
One thing worth asking is can you ever really stop every insider threat? I don’t think we’re ever going to be able to get to a world where we can stop every possibility or cover every crack or corner. No security team will ever be able to give their executive leadership categorical assurances that they’ll be able to completely eliminate threats posed by insiders. After all, we have to trust (and we *should* trust) our friends and colleagues… but sometimes that trust will be betrayed. It’s no different than what we face in our personal lives.
I sometimes need to remind myself that not all breaches are intentional or malicious: the explosion of cloud services and the exponential growth in storage and bandwidth have created a whole new world of collaborative tools and technologies… and sometimes those tools can lead to unintentional misuse or sharing of customer and internal proprietary data. That makes me consider how new laws like the EU’s GDPR will impact organizations. When an insider unintentionally drops a huge dataset of customer data onto an unprotected AWS bucket, what will the regulatory impact be when that data is stolen or misused?
I worry about the explosion of IoT, OT and IIoT devices that are crowding our IP address space, and making it harder and harder for security teams to monitor all of the bits zipping around our networks. How much harder is it going to be to spot that key data point or log that points to an insider incident? Or worse: what if an insider decides to cause a failure in an IoT device that will have real-world kinetic impacts?
I wonder if the current data that shows rampant account sharing in many verticals including healthcare will improve? I suspect it won’t in the near-term: users just want to get their work done, and additional security controls in environments like healthcare often get in the way of providing patient care.
Changing Threat Response
That being said, I also expect to see changes in defenses to compensate: intent-based security will likely play a huge role, as will recent advances in machine learning and AI. I think some extremely risk-averse organizations may borrow a page from the Intelligence Community’s idea of “continuous evaluation.” In a nutshell, it’s the monitoring of employee data activities inside the workplace, and to a lesser extent, monitoring of life outside the office such as social media postings and public records (including police and bankruptcy records). While this opens an entirely new can of worms around privacy and snooping by employers, and likely won’t fly in places like the EU, I can see new automated tools being created and used to monitor key, privileged employees in highly sensitive roles or extremely regulated verticals.
In the same vein, I am often surprised that we don’t read more about “old school” techniques borrowed from spy thrillers – why aren’t we seeing more low-level employees coerced financially (or through other means like extortion of a personal nature – compromising messages or photos, for example) to plug in a drive, click on executables, steal secrets, or provide access to key data assets?
I ask myself when every organization will treat the security of their data as one of the top risk priorities for their enterprise security teams… and that includes the executive leadership too.
Part of our future success in combating the threat of the insider is to build out a comprehensive plan from desk to server to cloud that has the ability to mitigate, detect, respond and most importantly, deter incidents by insiders. This is as much a process and procedure challenge as it is a technical one. We need to get our board and executive teams involved. They may be hesitant, or may not have a deep understanding of how catastrophic an insider attack can be, but ultimately the buck stops with them and your insider threat strategy must be integrated into your organization’s overall business strategy.
For more on mitigating the risk of insiders, read the whitepaper: The Enemy Within – Insiders Are Still the Weakest Link in Your Data Security Chain.

5 Ways to Combat the Insider Threat

October is National Cyber Security Awareness Month, a global campaign run annually to raise awareness about the importance of cybersecurity. We’ve asked some of our leading security experts here at Absolute to chime in on some of the most pressing issues in cybersecurity today. In Part 2 of this series, we bring you insight from Jo-Ann Smith, our Director of Technology Risk Management & Data Privacy, who brings extensive insight into the complexities of compliance, security architecture design and forensic analysis to enterprises. See Part 1 in this series: Fostering Digital Citizenship in Education.
Cybersecurity in the workplace is everyone’s business. Why? Because insider threats remain the top vulnerability for organizations across all industries. Up to 43% of all breaches are the result of insiders either inadvertently or maliciously putting data at risk, whether that’s clicking a phishing link, uploading files to the cloud, losing a device or the unsuspecting insider whose identity has been compromised. Insiders have the necessary credentials and access to do significant damage to your business – and most of this damage happens accidentally. A recent SANS survey found that insider threats continue to be one of the top threats organizations face and that data exfiltration is increasingly focused on user credentials and privileged account information, a situation which will inevitably lead to greater unsuspecting insider threats.  
Only true visibility and a preventive approach can unmask the insider threat and mitigate the risk. Here are the top 5 ways that organizations can protect against the most common insider threats:
1. Understand that insider threats come in all shapes and sizes. Understanding how motivation, behavior and negligence lead to insider threats can be key to mitigating these risks. Prepare programs that address the three most common types of insiders: negligent, malicious and unsuspecting.

2. Create a culture of security. The National Institute of Standards and Technology (NIST) Cybersecurity Framework states that security should be a core element of an organization’s culture and services, helping create a culture that is more adaptable to the changing risk landscape. Such a culture also supports open dialogue on data risks and challenges, improving organization-wide learning about security best practices. Establishing this “tone from the top”, with executive and board buy-in to the culture of security, has been a proven differentiator in creating effective cybersecurity policies.

3. Create a risk management team and a risk register that qualifies and quantifies risks for remediation and subsequent mitigating steps. The team should define KPIs, then audit and report on risk levels to show status and improvement year over year.

4. Improve visibility over highly sensitive data, converging protection of physical assets and digital assets. Lack of control and visibility over data and devices prevents the enforcement of data security policies and leaves organizations with no way to detect suspicious behavior. Our recent Ponemon study found that 63% of organizations could not monitor endpoint devices when they left the corporate network. Our data at-risk discovery tools give you the ability to scan endpoints for sensitive files (even those in cloud applications) and remotely recover and delete data from at-risk devices while Reach allows organizations to execute custom discovery, compliance and remediation tasks.

5. Incorporate automation into your security strategy. Most organizations piece their security strategy together, leaving gaps that create vulnerabilities to costly attacks. Only 28% of organizations currently incorporate automation into their security strategy, costing organizations significant amounts of money and resources chasing down false security alerts and leading to delays in breach detection and remediation.

The insider is merely a means to an end when it comes to a cyber attack. The question is, how do you detect and deter the insider threat? For more, read our Whitepaper: The Enemy Within – Insiders Are Still the Weakest Link in Your Data Security Chain

Anthem Data Breach Implications

This week another Anthem data breach made the news, just one month after the health insurer agreed to pay $115 million to settle a class action lawsuit stemming from the 2015 breach that impacted nearly 80 million members and employees.
Fortunately for all involved, the new breach impacts just 18,500 of the company’s Medicare patients, a fraction of the people impacted in the 2015 incident. Initial reports say that an employee of one of Anthem’s third party contractors emailed a file containing personal health information (PHI), which included social security numbers, to his personal email. The employee has been arrested and it appears as though Anthem or the third party caught it early by taking precautionary steps with their partners to minimize the risk.
There is a silver lining to what could have been a nightmare for Anthem: it’s likely the alleged thief was caught before he could abscond with far more data. As we know, Anthem provides medical insurance for millions of Americans, and if this person had been able to remain undetected for an extended period, the impact could have been catastrophic, both for Anthem and for patients.
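The reported path in this incident, a file of PHI with social security numbers mailed from a work account to a personal mailbox, is exactly what an outbound mail DLP rule is meant to stop. The following is an added example, not Anthem’s, the contractor’s or Absolute’s code: it parses a constructed MIME message with Python’s standard `email` package, lists recipient domains that are not on an allow-list (the allowed domains and the personal-mailbox message are assumptions for the example), counts plausibly formatted SSNs in every text part including attachments, and returns a block decision.

```python
"""Outbound-mail check for PHI leaving to external mailboxes.
Added example; the sample message, domains and SSNs are constructed."""
import re
from email import message_from_string
from email.policy import default

# Domains that are allowed to receive PHI from this processor (assumption).
ALLOWED_DOMAINS = frozenset({"example-processor.com", "example-insurer.com"})

# SSN shape check: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed message: work sender, personal recipient, CSV attachment.
RAW_MESSAGE = """\
From: contractor@example-processor.com
To: someone.personal@gmail.com
Subject: member list
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: text/csv; name="members.csv"
Content-Disposition: attachment; filename="members.csv"

member_id,name,ssn
1001,Jane Roe,123-45-6789
1002,John Doe,321-54-9876
1003,Test Row,000-12-3456
--b1--
"""


def recipient_domains(msg):
    """Lower-cased domains of every To/Cc/Bcc address (policy.default parsing)."""
    domains = set()
    for name in ("To", "Cc", "Bcc"):
        header = msg[name]
        if header is None:
            continue
        for addr in header.addresses:
            domains.add(addr.domain.lower())
    return domains


def scan_message(raw, allowed_domains=ALLOWED_DOMAINS):
    """Return external recipients, SSN hits per text part, and a block verdict.
    Only text/* parts are inspected; binary attachments (zip, docx, pdf)
    would need their own extractors before this check could see them."""
    msg = message_from_string(raw, policy=default)
    external = sorted(d for d in recipient_domains(msg) if d not in allowed_domains)
    parts, total = [], 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        n = len(SSN_RE.findall(part.get_content()))
        if n:
            parts.append((part.get_filename() or "(body)", n))
            total += n
    return {
        "external_recipients": external,
        "ssn_count": total,
        "parts": parts,
        "block": bool(external) and total > 0,
    }


if __name__ == "__main__":
    print(scan_message(RAW_MESSAGE))
```

On the sample the verdict is `block`: the recipient domain `gmail.com` is not allowed and the attachment carries two well-formed SSNs (the `000-` row is rejected by the format check). Sending the same message to an allowed domain yields no external recipients and no block, which is the point: the rule keys on destination plus content, not on either alone.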
Third party contractor risk
This incident is a good reminder for all organizations of how incredibly difficult it is to monitor the third party partners they rely on for additional services and processing. Difficult or not, it remains a critical necessity. Compliance auditing and minimum security standards (for example, requiring a solid endpoint strategy and products that can actively monitor devices for customer data) should be the ground floor for companies that deal with sensitive data, especially PHI. This brings up another important point: this breach should be recognized within the context of GDPR, which comes into full force in May 2018.
While this particular incident appears to have been limited to a small number of American citizens, if a similar breach were to happen at another American company and the stolen data contained EU citizen data, we would likely see significant punitive penalties levied by the EU. Under the coming regulations, parties who collect the data initially are responsible for the use of customer data, even when it is handed off to a third party.
HIPAA has some very strong teeth of course, and I expect the fallout from this breach to be significant for Anthem and the processor. I do think that the relatively small number of records stolen may temper the damages to both organizations, however.
If you’re collecting, storing, and handing off data, it is priority number one to ensure you know where all that data is, where it ends up, and who is using it at all times – no matter what. Identity theft through cybercrime continues to be a multi-billion dollar business for cybercriminals and those numbers are not likely to decrease.