Traditionally, the insider threat was defined as an employee with malicious intent to harm the company by stealing data or property, sometimes even extending beyond the IT realm to incidents such as workplace violence. But today, the most insidious form of insider threat comes from people who are simply irresponsible. For example, if a company-issued laptop is left in a car that gets broken into, and the laptop is stolen — that is an insider threat. The good news is that you can teach people to be responsible. In this post we will share the most common mistakes employees make that create risk, plus five quick tips that can help companies mitigate insider threats.
Types of Insider Threats
The term insider threat is broad in scope and covers many different scenarios. Here in the Investigations & Recovery Services team at Absolute, we began categorizing the different situations in which endpoints are at risk of being lost or stolen, and what we quickly realized was that almost all of them resulted from some form of insider threat.
While most of the headlines proclaim that the biggest threats to an organization come from hacking and ransomware (which themselves become non-malicious insider threats the moment an employee clicks on a link they shouldn’t have), the most likely cause of data loss is not malicious cybercriminals, but simple human nature.
Every year, thousands of endpoints are lost or stolen in coffee shops, bars, airports, taxis, parking lots, hotels, conferences, restaurants, subways, offices, schools, buses, and residences. Often, the endpoint is left unattended in one of these places, either intentionally or accidentally, and before the user realizes it and can return to collect their belongings, the endpoint – and the data it contains – is gone.
Physical Endpoint Protection
For this article, we will be focusing primarily on the insider threat to an organization’s physical endpoints.
We hear about employees leaving laptops in their cars all the time. They’ll cover them with a towel or something, or they’ll leave them in a backpack on the seat.
When they return to the car, they discover that a thief has stolen the laptop.
It’s a common scenario.
Stolen devices can quickly and easily be converted to cash by criminals, who often take them to a pawn shop, a computer repair store, or a local individual who is familiar with computer basics, where the hard drive may be replaced. Such a facilitator may even purchase the stolen computer from the thief and attempt to resell it to an unsuspecting customer. Stolen computers are routinely purchased by innocent third parties on eBay, Craigslist, and apps like OfferUp. According to Statista, only about 6% of stolen electronic goods in 2017 were recovered, mainly because law enforcement rarely has any clues as to where the stolen property is located.
One of the most important takeaways we can offer here is that companies need to develop policies regarding these types of threats. We see endpoints being stolen all the time, but it appears many companies don’t have a policy clear enough to support any disciplinary action.
Every company should have some sort of best practices guide for physical device security.
If your organization is in the healthcare industry, a stolen laptop could mean disaster, and the loss of the physical device is the least of your worries. The loss of data and the potential leaking of personally identifiable information is the critical concern. For others, it’s not a data problem; it’s an access problem. If your organization is in education, there’s very little, if any, sensitive information on the laptop. But if ten laptops get stolen, ten kids won’t be able to study.
There’s a balance between meeting the need and protecting the property.
What’s Easier to Enforce?
It’s critical to compare the threat of unintentional data loss (from phishing or not using a VPN) to the physical loss of endpoints. From my perspective, I understand the risks involved when you log on to public Wi-Fi, and the corporate directives designed to prevent someone from hijacking your connection, but those aren’t the typical stories we hear. More commonly, it is someone who has logged into a Starbucks network, gone to the bathroom for two minutes, and returned to find their laptop gone. That happens every day. We can talk about all the man-in-the-middle attacks – and they do happen – but they aren’t as frequent as the physical threat to our endpoints.
It’s easier and more effective to teach someone not to leave their laptop unattended than to teach them about Wi-Fi spoofing. More employees can relate to “don’t leave laptops where someone can grab them.”
Endpoint Security Best Practices Guide To Prevent Insider Threats
Finally, here are five quick tips for companies to follow that, if enforced, should go a long way in preventing this type of insider threat.
A quick reminder about what constitutes an endpoint: an endpoint is essentially any remote device that sends and receives communications with the network to which it’s connected. Endpoints can include:
- POS Systems
Five Quick Tips to Mitigate Insider Threats
- Many endpoints are stolen in broad daylight when they’re temporarily left unattended in a public place, even if only for a minute or two. When in public, personal belongings should be kept in sight and never left unattended. Equally important, organizations should have a policy addressing the need to protect company property like endpoints and should inform employees of the potential repercussions if the policy is negligently violated.
- Endpoints should not be left in an unoccupied vehicle. If this isn’t possible, the device should be placed in the trunk or covered up completely so it can’t be seen through the car windows.
- Office creepers rely on the fact that most people are non-confrontational, so they will look for opportunities to access secure places and systems. An organization should have a sign-in system for visitors, and shouldn’t let unaccompanied visitors into the work area.
- Access to secure areas should be restricted to authorized individuals. Make sure secure doors close and latch behind you and that nobody is trailing you. If a secure door is propped open or damaged—or if you see someone or something else out of the ordinary—alert your security team immediately.
- Endpoints should not be left unattended in an unlocked meeting or conference room. Additionally, endpoints should be locked in a desk drawer or cabinet during off-hours. Thefts have been known to be committed by cleaning crews, maintenance staff, and temporary workers.
No matter what cybersecurity incident occurs in your organization, reacting in panic can create more harm, exposing your organization to further liabilities. You need a tested cyber threat response plan at the ready, so you can jump into action immediately and neutralize the threat — before it takes control.
SANS Institute and Absolute have teamed up to assemble the key components you need to include when building your plan.
Watch our webinar, “Cyber Threat Checklist: Are You Prepared”, to find out the must-have items to include in a cyber-threat checklist to prevent future incidents.