One of the most common causes of data loss in organizations is also one of the most difficult to defend against.
That’s the uncomfortable truth about the so-called insider threat. Any data loss that can be traced back to a trusted actor with access to a network or database can be attributed to insiders.
This attribution isn’t always foolproof. Though it is possible that some large-scale data incidents, such as the one that affected financial institutions like Fidelity and Asiaciti Trust in 2021, were the work of insiders, it can’t be conclusively proven. (It should be noted that these organizations have seen no evidence of digital intrusion.) Part of the difficulty is that insiders’ motives aren’t always clear: some are disgruntled, while others are simply careless.
Yet it’s possible to identify and prevent many instances of data loss or theft attributable to insiders. These six best practices can help.
- Follow the Principle of Least Necessary Permissions
The principle of least necessary permissions is also known as the principle of least privilege. The idea is simple: that anyone with access to sensitive networks and data should have only those permissions which they absolutely need to do their jobs.
Permissions naturally increase with seniority and job function, but your organization should never find itself granting access unnecessarily. It’s easier to restrict access and curtail permissions in the first place than to take them away later on.
- Monitor Network User Behavior in Real-Time
Everyone who uses your network should be subject to real-time monitoring — and should know it too. This is true for the most junior data entry specialist and the network architect themselves. It’s nothing personal; it’s just that your data is too important not to keep watch.
Your organization should have the capability to monitor network activity as well, not just individual user actions. It’s not always apparent when an unauthorized intrusion occurs: theft of existing credentials is just one possible entry point, and an outsider using stolen credentials looks like an insider until their activity is examined.
- Look for Suspicious Patterns of Activity Among Trusted Users
Your relentless network monitoring has a higher purpose: to spot suspicious patterns of activity among users. Such patterns might include:
- Accessing the network remotely in the middle of the night
- Accessing the network from your organization’s physical premises after hours
- Accessing the network using an unfamiliar IP address or proxy
- Attempting to retrieve or modify data that the user typically doesn’t need to perform their role
- Uploading files to the network or transmitting data without authorization
These activities can and often do have innocent explanations. But they bear watching and may warrant further investigation.
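To make these patterns concrete, here is an added example (not code from the original article) that scores constructed access-log records against a role-based resource policy, a set of familiar networks, and business hours. The roles, resource paths, network ranges and sample events are all assumptions constructed for illustration; a real deployment would load them from the organization’s own directory, network inventory and logs.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed least-privilege policy: the resources each role needs for its job.
ROLE_RESOURCES = {
    "data_entry": {"/crm/contacts"},
    "architect": {"/crm/contacts", "/db/config", "/infra/topology"},
}
# Assumed familiar networks (office LAN and VPN egress); anything else is unfamiliar.
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59, Monday to Friday


def check_event(ev):
    """Return the list of flags raised by one access event; empty means nothing suspicious."""
    flags = []
    ts = datetime.fromisoformat(ev["time"])
    # Access at night or on a weekend, whether remote or on premises.
    if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
        flags.append("after_hours")
    # Source address outside every network the organization recognises.
    src = ip_address(ev["src_ip"])
    if not any(src in net for net in KNOWN_NETWORKS):
        flags.append("unfamiliar_ip")
    # Resource the user's role does not normally need.
    if ev["resource"] not in ROLE_RESOURCES.get(ev["role"], set()):
        flags.append("outside_role")
    # Upload or outbound transfer without a recorded approval.
    if ev["action"] == "upload" and not ev.get("approved", False):
        flags.append("unauthorized_upload")
    return flags


def scan(events):
    """Map (user, time) to its flags for every event that raised at least one flag."""
    findings = {}
    for ev in events:
        flags = check_event(ev)
        if flags:
            findings[(ev["user"], ev["time"])] = flags
    return findings


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"user": "alice", "role": "data_entry", "time": "2021-06-14T10:15:00", "src_ip": "10.1.2.3", "resource": "/crm/contacts", "action": "read"},
    {"user": "alice", "role": "data_entry", "time": "2021-06-14T02:40:00", "src_ip": "198.51.100.7", "resource": "/db/config", "action": "read"},
    {"user": "bob", "role": "architect", "time": "2021-06-13T11:00:00", "src_ip": "10.1.2.9", "resource": "/infra/topology", "action": "upload"},
]

if __name__ == "__main__":
    for key, flags in scan(SAMPLE_EVENTS).items():
        print(key, flags)
```

As the article notes, a flag is a prompt for investigation, not proof of wrongdoing; the second event (night-time read of a database config from an unfamiliar address by a data-entry user) simply accumulates more reasons to look.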
- Watch the Watchers
Your digital security team doesn’t get a free pass. It’s arguably even more important for you to watch the watchers, so to speak — to make sure the users who likely have near-unfettered access to your networks aren’t causing your organization harm.
Remember: no exceptions. Seasoned IT professionals expect to be monitored, and you might not want those who protest working for you anyway.
- Strictly Limit Third Party Access
Every organization works with third parties, be they independent contractors, professional services providers, or software vendors. These third parties will inevitably need some degree of access to your organization’s network, especially if they’ve been hired on in a data-related role.
It goes without saying that you should follow the principle of least privilege with third-party users as well. But you should go further and effectively deny access to any third parties that aren’t explicitly permitted to access your network. You can do this with an IP whitelist (allowlist) that denies access to unauthorized endpoints, even if they have the proper credentials. Note that an allowlist controls where connections may come from, not what an allowed endpoint may do once connected, so it complements least privilege rather than replacing it.
- Develop Policies to Protect Unsuspecting Insiders
Not all insider threats are malicious. Some arise out of incompetence or ignorance. It’s your organization’s job to protect these non-malicious insiders from themselves by implementing device control policies and reinforcing basic principles of data hygiene, encryption, email security, and more. Your goal should be simple: to prevent unintentional data loss due to insider activity.
The Insider Threat Is Real
As large-scale events like the one that ensnared Asiaciti Trust and other financial institutions last year show, the threat can be very real.
These best practices can help prevent instances of insider data theft and reduce the fallout from incidents that can’t be prevented. But they only work when they’re implemented consistently across the organization’s entire digital footprint. Unfortunately, we don’t have the luxury of picking and choosing the vulnerabilities we address.