It won't come as a surprise to anyone working in corporate IT that not all security threats come from unknown hackers in Russia or Indonesia (or the USA, for that matter). It's also necessary to protect against threats posed by trusted sources who are handed everyday access to the network, such as employees and vendors. A report issued today, "The Secure Access Threat Report 2017," by Bomgar, a company specializing in secure access control, indicates that insider and third-party access are growing security threats facing enterprise IT systems.
You'd think folks would be battening down the hatches a bit, given the press attention after 40 million Target customers had their credit card information compromised during the 2013 Christmas shopping season, when hackers were let in the back door by way of a trusted vendor. That breach ended up costing Target $202 million in legal fees and other costs, and just last month the retail chain agreed to shell out an additional $18.5 million in a settlement with 47 states and the District of Columbia.
Evidently, some people aren't paying attention. Of the IT and security people "with oversight of who connects to their organization's network" who participated in the Bomgar study, 52 percent said they expect a breach within a year, with 15 percent indicating a breach has already occurred. Those aren't odds to instill confidence.
In the study, "insider threats" are defined as threats coming from "employees, or people acting as an employee," which includes freelancers and on-premises contractors. In the survey, 67 percent thought this group -- whether acting maliciously or unintentionally -- represented their organization's greatest security threat.
The trouble with employees is that, as part of the family, organizations want to trust them, and pretty much do. The report indicates that 90 percent of security professionals trust their employees overall -- but only 41 percent trust them completely. The lack of trust generally stems not from any concern that an employee would maliciously attack the system, but from the concern that they pose an unintentional risk.
"It only takes one employee to leave an organization vulnerable," said Bomgar's CEO, Matt Dircks. "With the continuation of high-profile data breaches, many of which were caused by compromised privileged access and credentials, it’s crucial that organizations control, manage, and monitor privileged access to their networks to mitigate that risk."
The biggest threat from insiders doesn't come from phishing expeditions -- employees are evidently aware of the dangers of clicking on email attachments and the like -- but from circumventing existing security rules. According to the survey, employees are most likely to jeopardize network security by staying logged on, downloading data onto an external memory stick or drive, sending files to personal email accounts, logging on over unsecured WiFi, writing down passwords and telling colleagues their passwords.
"Generally, employees want to be productive and responsible at work," the report says. "But these two are not always complementary goals. When workers are faced with security measures that seemingly hinder their efficiency, they’ll use shortcuts without considering the risks. What’s gained in a few minutes of extra productivity then opens the door to threats. And while some privileged access management solutions address such bad behavior, many don’t go far enough."
Disturbingly, only 37 percent of those surveyed are confident they even know which employees have elevated access, and 33 percent believe that some of their ex-employees might still have access to the network.
Things get even more disturbing when looking at "outsider threats," which are defined as threats posed by "vendors or suppliers granted access to business systems, including outsourcers." At the average company, 181 outside vendors access the network every week, up over 100 percent from last year's 89. And although two-thirds of the security professionals surveyed think they trust outside vendors too much, 55 percent assign only a single employee to manage third-party access rights.
There are special problems associated with granting third-party rights, such as "fourth party" risk. It seems that your vendors might hire subcontractors who will then have access to your network. Not good. The good news here is that two-thirds of the companies included in the study are now limiting vendor access to specific systems or applications.
"As with insiders, a ‘least privilege’ policy, in which a user can access only the information or resources necessary to their function, is the best practice," the authors of the report advise. "Access rights need to be more than a simple yes or no. Similarly, to combat the growing ‘fourth party’ risk, security professionals should ensure they are able to track and monitor individual users even if they’re leveraging secured, shared credentials."