Research has shown that the majority of malicious insider attacks are caused by disgruntled employees and employees who plan to leave the company because of expected layoffs or to take a new job. And even if there isn't an employee with a grudge, users fall prey to phishing attacks and click on malicious links on social networking sites that lead to breaches. The human element is truly the most difficult to secure.
The first step when it comes to securing people is to establish well-defined, easy-to-understand policies. Unfortunately, from my experience with numerous security architecture and policy reviews, many companies fail at this. Policies tend to be long, complicated, and difficult for the average employee to read and understand. The result is that employees either read the policy and don't follow it because they didn't get it, or they just don't bother to read it.
Don't create policies simply to check off an item on an audit or compliance list. Instead, give your employees direction on expected behaviors and requirements, and explicitly define prohibited activities. Make sure your policies address hiring practices, such as background checks; data handling and classification; acceptable use of company resources; security awareness; and training.
Put in place data classification policies and practices that define what systems are allowed to store particular types of data, how that data can be transmitted over the network, any requirement for encryption, and if it can be stored on mobile devices and removable media. Employees who work with sensitive data and systems that store this data should be updated regularly on data classification policies.
Training is critical if you want employees to adhere to policies. Resources available to help companies create training programs include the SANS Institute's Securing The Human Program and the Offensive Security team's Corporate Security Awareness Training. And InformationWeek's "Security: Get Users To Care" report has practical tips on getting employees to buy in to corporate security policies.
Physical security is often overlooked when considering how to prevent insider attacks, but theft is a crime of opportunity. You want to monitor sensitive locations and limit employees' access to them to reduce that opportunity.
Shut The Door
Preventing insider threats requires that you watch out for technological exploits and also constantly monitor human behavior. That's a tough combination, particularly when insiders have access to sensitive data. The key is understanding the attacks, the possible motivations, and the primary areas where controls can be most effective. Start by identifying and prioritizing the information you need to protect and then add or expand technological controls where appropriate on your network and host systems.
And don't forget the human factor. Write policies that people can understand and follow. Train employees in safe computing habits. And be vigilant in monitoring user activity.
A layered approach using security controls at the network, host, and human levels will go a long way toward mitigating insider threats. The 2012 Verizon report says that, for the third year in a row, nearly all internal breaches were the result of "deliberate and malicious actions." To truly close the door on insider threats, your security efforts must be just as deliberate.