1/12/2021
10:00 AM
Mark Wojtasiak
Commentary
Over-Sharer or Troublemaker? How to Identify Insider-Risk Personas

It's past time to begin charting insider risk indicators that identify risky behavior and stop it in its tracks.

You've heard that Twitter was hacked. And the CIA. And that a malicious Desjardins employee caused the largest ever data breach in the Canadian financial services sector. And how about the automobile insurance company that inadvertently gave up the driver license information for 27 million policyholders in Texas?

What these high-profile breaches have in common is that they were all carried out by insiders. Whether committed on purpose for financial gain or as a result of human error, insider risk hit these powerful organizations' revenue and reputations.

Despite the growing risk, data security events caused by insiders are not being taken seriously. New research in the Code42 Data Exposure Report notes that more than half (54%) of IT security leaders spend less than 20% of their budget on insider risk, and 66% of IT security leaders say their budget for insider risk is insufficient. This is a major problem for organizations around the world as users, applications, and data continue to move outside the hardened data center and corporate perimeter as part of digital transformation policies. And, unfortunately, it's going to get worse before it gets better. In their most recent predictions, Forrester says that insider incidents will be the cause of 33% of data breaches in 2021, up from 25% in 2020.

Learn to Recognize the Personas that Pose the Greatest Insider Risk
Organizations need to lock down insider risk to data without inhibiting the user experience or creating roadblocks. This requires building a culture of trust where employees are given the benefit of the doubt and trusted to act professionally with the best interests of the organization in mind. Then, instead of monitoring every activity by every user, organizations should look at insider risk indicators (IRIs) to identify risky behavior and create actionable information to stop it in its tracks.

Here are three personas that you need to watch out for when determining insider risk across your organization:

The Over-Sharer
We all have some of these in our lives — the people from the office who are always quick to email a document to a wide distribution. Or they upload a file to a cloud service, or post sensitive information in an unauthorized application. They think they're helping by giving people quick access to valuable information, and they aren't afraid to cut corners to get the job done. Behind the scenes, you just know they are saving files to their personal devices and cloud accounts with little consideration for privacy and security protocols. These people are not malicious, just victims of poor judgment or human error. But their actions result in the same vulnerabilities from malicious actors that keep security professionals up at night.

The Guy with One Foot Out the Door
Their exact motivations may vary, but make no mistake: people who have decided to leave the company and take critical information with them are only looking out for themselves. This could be projects they've worked on that they'd like to save in their portfolio. A database of customers they could win over to a competitor. Or just a report with a great format that they'd like to duplicate in their new job. Regardless, the information they take with them can negatively impact your organization's ability to do business, compete fairly, and protect customer privacy. When you read about court cases involving IP theft, you can often link them to the guy with one foot out the door.

The Troublemaker
While rare, this persona is among the most disruptive of the bunch. There are a few varieties of troublemaker, including the mole or the insider for hire. Troublemakers are likely out to make a buck by selling corporate information. They may be engaging in corporate espionage. Or they may have political motivations to be disruptive or to engage in sabotage. We most often see this kind of troublemaker in sectors with lucrative R&D programs: think tech, telecom, biotech, or big pharma. The US government's case against Huawei is a prime example from the telecom space.

Infrequently, tech-savvy individuals who don't intend to do harm want to find out how things work and may conduct their own unsponsored "security testing." Whether out of curiosity, boredom, or arrogance, they take it upon themselves to see if security controls actually work. This is likely at odds with acceptable use policies, can erroneously be seen as an attempt to probe monitoring capabilities ahead of a later exfiltration, and is a distraction for security teams. While we don't want to dampen a curious spirit, this may not be the best outlet for their tinkering, because the end result creates insider risk nonetheless.
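As an added illustration (not code from the article, the author, or Code42), here is a small scorer that turns constructed activity events into the persona indicators described above. The event fields, the thresholds, the set of sanctioned destinations, and the HR "departing" list are all assumptions chosen for the example.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real telemetry): one dict per user action.
EVENTS = [
    {"user": "ana", "type": "email", "recipients": 40, "file": "roadmap.pptx"},
    {"user": "ana", "type": "cloud_upload", "dest": "personal-drive", "file": "q3.xlsx"},
    {"user": "ana", "type": "usb_copy", "file": "pricing.xlsx"},
    {"user": "bob", "type": "cloud_upload", "dest": "corp-sharepoint", "file": "notes.docx"},
    {"user": "cy", "type": "usb_copy", "file": "customers.csv"},
    {"user": "cy", "type": "usb_copy", "file": "pipeline.csv"},
    {"user": "cy", "type": "cloud_upload", "dest": "personal-drive", "file": "cv.pdf"},
    {"user": "dee", "type": "control_blocked", "control": "dlp"},
    {"user": "dee", "type": "control_blocked", "control": "proxy"},
    {"user": "dee", "type": "control_blocked", "control": "usb"},
]
# Assumed HR context: users who have given notice (the "one foot out the door" persona).
DEPARTING = {"cy"}
# Assumed list of cloud destinations the organization sanctions.
SANCTIONED_DESTS = {"corp-sharepoint"}

def indicators(events, departing, sanctioned):
    """Return {user: {persona: [indicator, ...]}} for users with any indicator."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    out = {}
    for user, evs in per_user.items():
        found = defaultdict(list)
        types = Counter(e["type"] for e in evs)
        wide = [e for e in evs if e["type"] == "email" and e["recipients"] >= 25]
        unsanc = [e for e in evs if e["type"] == "cloud_upload" and e["dest"] not in sanctioned]
        # Over-Sharer: wide distribution, unsanctioned cloud, or personal/removable media.
        if wide:
            found["over_sharer"].append(f"wide-distribution email x{len(wide)}")
        if unsanc:
            found["over_sharer"].append(f"unsanctioned cloud upload x{len(unsanc)}")
        if types["usb_copy"] and user not in departing:
            found["over_sharer"].append(f"copy to removable media x{types['usb_copy']}")
        # One Foot Out the Door: a departing user moving several files off-network.
        moved = types["usb_copy"] + len(unsanc)
        if user in departing and moved >= 2:
            found["one_foot_out"].append(f"departing user moved {moved} files off-network")
        # Troublemaker (curious tester variety): repeatedly bumping into security controls.
        if types["control_blocked"] >= 3:
            found["troublemaker"].append(f"{types['control_blocked']} blocked attempts across controls")
        if found:
            out[user] = dict(found)
    return out
```

Running `indicators(EVENTS, DEPARTING, SANCTIONED_DESTS)` flags ana, cy and dee with their respective persona indicators and leaves bob, whose only upload went to a sanctioned destination, unflagged.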

You Don't Have to Compromise
Insider risk management doesn't have to come at the expense of productivity, innovation or collaboration. Identifying abnormal behavior and top IRIs is key to protecting the organization from both malicious and unintentional harm without disrupting operations. From the Over-Sharer to the Troublemaker, it's important that you know the personas that are putting your data and your organization at risk. 

Mark Wojtasiak is co-author of the book Inside Jobs: Why Insider Risk is the Biggest Cyber Threat You Can't Ignore, vice president of portfolio marketing for Code42, and a frequent cybersecurity blog contributor. In his role at Code42, he leads the market research, competitive ...