Posted February 20, 2019 in Security

Insiders are Alive and Well and After Your Data

According to the new 2019 Scalar Security Study, 67% of Canadian IT and security professionals identified malicious insiders as a top cybersecurity concern. While it’s easy to grasp the threat posed by outsiders, organizations frequently overlook the damage that can be caused by a single employee with the right access.

You probably wouldn’t hand over confidential business plans to your summer intern or drop a payroll file in the office lunchroom for every employee to peruse on their coffee break. Yet every day, in companies across the country, businesses leave valuable information wide open by giving employees access to far more information than they need to do their jobs. In fact, Varonis found that 41% of companies had at least 1,000 sensitive files open to all employees.

Any criminal needs a motive, means and opportunity. Insiders are no different. Some are driven by money or revenge. They may simply want to expose secrets. To complicate matters, today’s employees are tech-savvy — they can easily search a file server to find interesting or confidential information. Personal email and cloud storage make copying or moving stolen files quick and easy.

It’s extremely difficult or even impossible to identify an employee who is intent on actively compromising your organization. Instead, look for these signs that a malicious insider is operating within your organization:

  • Unusual activity: While your employees may make a habit of working in the middle of the night, on weekends and during holidays, if their work patterns suddenly change you have every reason to be suspicious. An outsider could be posing as an insider by using an employee’s account to log in, or an insider could be snooping around on your file stores when no one is likely to be watching.
  • Network “Ghosts”: Ghosts are user accounts belonging to former employees that can still access your network. Former employees, especially those who parted on bad terms, may try to log back into company systems, either out of curiosity or to do damage by copying, deleting, or altering files.
  • Suspicious access: Searching for, viewing, or copying data that is not relevant to an employee’s job are all signs of possible insider activity. Employees may steal a few files at a time in an attempt to go unnoticed. Employees may also snoop around in open corporate email accounts – including executive emails – and try to hide their actions by marking viewed messages as “unread.”
  • Saving or printing large amounts of information: If an employee leaves your company, they may try to take their files with them – perhaps thinking that since they did the work, it belongs to them. Or they could be looking to profit by selling insider information.
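
Three of these signs (ghost accounts, a change in a user's own working hours, and unusually heavy copying) can be checked mechanically against access logs. The sketch below is an added example, not part of the original article; the log format, user names, baseline cutoff and thresholds are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, date

# Constructed sample data, not from the article.
TERMINATED = {"bob": date(2019, 1, 31)}   # user -> last day of employment
CUTOFF = date(2019, 2, 11)                # events before this date form the baseline
EVENTS = [                                # (timestamp, user, action)
    ("2019-02-04 09:10", "alice", "read"), ("2019-02-05 10:30", "alice", "read"),
    ("2019-02-06 14:05", "alice", "copy"), ("2019-02-04 23:40", "carol", "read"),
    ("2019-02-05 23:55", "carol", "copy"), ("2019-02-12 23:20", "carol", "read"),
    ("2019-02-12 02:15", "alice", "read"), ("2019-02-13 11:00", "bob", "read"),
] + [("2019-02-14 10:%02d" % m, "alice", "copy") for m in range(12)]

def find_signs(events, terminated, cutoff, hour_slack=2, volume_factor=3):
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), u, a) for ts, u, a in events]
    usual_hours = defaultdict(set)   # user -> hours of day seen during baseline
    daily_copies = Counter()         # (user, day) -> number of copy events
    for ts, user, action in parsed:
        if ts.date() < cutoff:
            usual_hours[user].add(ts.hour)
        if action == "copy":
            daily_copies[(user, ts.date())] += 1
    base_max = defaultdict(int)      # user -> busiest baseline day for copying
    for (user, day), n in daily_copies.items():
        if day < cutoff:
            base_max[user] = max(base_max[user], n)

    alerts = set()
    for ts, user, action in parsed:
        left = terminated.get(user)
        if left and ts.date() > left:
            # Network "ghost": any activity after the account owner has left.
            alerts.add((user, "ghost account"))
        elif ts.date() >= cutoff and usual_hours[user]:
            # Compare against the user's OWN pattern, so habitual night work is not flagged.
            # Circular distance on the 24-hour clock to the nearest usual hour.
            gap = min(min(abs(ts.hour - h), 24 - abs(ts.hour - h)) for h in usual_hours[user])
            if gap > hour_slack:
                alerts.add((user, "unusual hours"))
    for (user, day), n in daily_copies.items():
        if day >= cutoff and n > volume_factor * max(base_max[user], 1):
            alerts.add((user, "bulk copy"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, sign in find_signs(EVENTS, TERMINATED, CUTOFF):
        print(f"{user}: {sign}")
```

In the sample data carol routinely works around 23:00 and is not flagged, while alice's single 02:15 session is, because it departs from her own daytime baseline.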

Keep in mind that insiders are not always responsible – an outside attacker can steal employee credentials. In any case, you must lock down your employee data, intellectual property, client lists and other vital information you wouldn’t want walking out the door. Perform regular audits of file access rights to pinpoint users who have access to files they don’t need to do their jobs. Monitor user activity, and keep sensitive customer data off their servers. Consider policies prohibiting, for example, the use of personal email on work devices. Ultimately, it’s about gaining control of your data before you lose control.
