A single person inside your organization holds the power to disrupt and cause costly damage. Up to 43% of all breaches are the result of insiders either inadvertently or maliciously putting data at risk, but it’s these privileged insiders that hold the necessary credentials and access to cause significant reputational damage. By far, the most nefarious of these insiders is the malicious insider with a strong moral, religious or political agenda.
In the past several years, we’ve heard about the rise of cyber crime syndicates and hacktivists, but these politically motivated attacks come from the outside. Here, we’re talking about attacks that originate from the privileged insider. These political activists are the latest form of insider threat – and they’re on the rise.
Political activism has been at the root of many incidents in the past and again in November’s Twitter scandal, where a single employee decided to delete President Trump’s Twitter account on their last day working at the organization. As I outlined in The Power of a Single Insider, a post I wrote for CSO Online, this incident is a harsh reminder for organizations to both understand critical points of failure and to assess current ways for monitoring the most privileged users.
The Danger of the Politically Motivated Insider
The Malicious Insider can cause a lot of damage, particularly if they are politically motivated. They already have the access and credentials to gain entry to your infrastructure and sensitive data. If their goal is politically motivated, they are going to want to spread the sensitive data far and wide, as quickly as possible.
Unfortunately, most malicious insiders aren’t often caught until the damage has been done. The scope of the damage caused by politically motivated breaches has led to Edward Snowden becoming a well-recognized name. It’s likely we’ll see more names elevated to household status until organizations rethink how to detect and prevent these kinds of insider threats.
Best Practices for Insider Threat Prevention
As with most IT scenarios, your best chance to mitigate these destructive political activists is to focus on prevention.
The best practices for improving your insider threat prevention program for malicious insiders is to:
- Define acceptable baseline behavior and data access for people, based on their roles and responsibilities
- Monitor for deviations in activity
- Investigate noncompliant activity immediately
- Invoke preemptive security measures, such as denying access or removing sensitive data from an endpoint, as soon as a potential compromise is discovered. Ideally, such actions are automated.
For most organizations, insider threat prevention often focuses on the network. Most organizations have pretty decent controls to monitor for network behavior, but once that data moves to the endpoint (whether it’s a USB drive or a mobile device), most organizations have no way to detect suspicious behavior, particularly if that endpoint moves off network.
You can invest in the best firewalls, network access controls, encryption, and SIEM technologies on the market, but your organization will still come up against the fallibility of endpoint security agents, which are inherently vulnerable. Traditional endpoint security agents can be corrupted, compromised and disabled, or simply lack the updates they need to work properly.
At Absolute, we use our privileged position embedded in the firmware of over one billion devices to help monitor your important data assets. Our data at-risk discovery tools give you the ability to scan endpoints for common or customized sensitive files and remove them from the identified endpoints before they can be ex-filtrated to external storage devices or to the cloud. Our Insider Threat Prevention solutions help you identify and remove suspicious individuals, get proactive alerts for suspicious activity, remotely delete data to remediate security incidents and solidify endpoint security protections with automatic reinstallation support.