Although cybersecurity has traditionally focused on keeping the bad actors out of an organization’s IT resources, it is important not to overlook the threats posed by insiders. An employee might sell sensitive data to a competitor, engage in cyber vandalism as a form of revenge or take other actions to harm the organization and its data. The insider cybersecurity threat is vast and complex--including accidental and purposeful breaches--but here are five things you can do now to keep the organization safe.
1. Limit the Blast Radius
The single most important thing that you can do to mitigate insider cybersecurity threats in your organization is to take steps to minimize the damage that a rogue user could potentially do. This is often referred to as “limiting the blast radius.”
At a bare minimum, organizations should seek to adopt a least privilege access policy, whereby users only have access to the bare minimum resources that are required in order for them to do their job. While it’s easy to focus your attention solely on end users, it’s important to remember that the members of the IT department pose the greatest threat of all. As such, organizations should use role-based access control (RBAC) to segregate administrative responsibilities. Doing so greatly limits the amount of damage that any one single administrator could do if he or she went rogue or if their account became compromised.
2. Adopt a Data Loss Prevention Solution
Another important step in mitigating insider threats is to adopt a data loss prevention (DLP) tool. DLP tools come in a variety of forms, but they are all designed to prevent sensitive data from leaving your network. For example, DLP might be used to monitor outbound emails to see if they contain sensitive information. This goes way beyond attachment filtering. A DLP tool would typically analyze the text in an outbound message looking for patterns that match those of known sensitive data types. If a pattern match is found, then the message can be blocked or even silently redirected to the HR department.
To give you a more concrete example, consider the Social Security Numbers used in the United States. Social Security Numbers consist of three digits, a dash, two digits, another dash, and four more digits. If an email is found to contain a number that adheres to this format, then that number is most likely a Social Security Number. Of course Social Security Numbers are only one example of a number that matches a particular pattern. The same basic concept also applies to credit cards, ABA routing numbers and bank account numbers.
Incidentally, if your organization uses Microsoft 365, then you may already have a DLP solution available for use (depending on your subscription level). Microsoft’s DLP solution is found in the Microsoft 365 Compliance Center, as shown in Figure 1.
This is the DLP solution that is integrated into Microsoft 365
3. Disable Removable Storage
Another thing that organizations can do to help prevent insider cybersecurity threats is to configure Windows in a way that disallows the use of removable storage. That way, a user will be unable to plug in a USB storage device and use that device as a way of stealing sensitive information or injecting malware into the system.
You can disable removable storage at the Group Policy level. Simply go to Computer Configuration | Administrative Templates | System | Removable Storage Access, and enable the policy setting All Removable Storage Classes: Deny All Access. You can see what this looks like in Figure 2.
You can use Group Policy settings to prevent the use of removable storage.
4. Encrypt Everything
Storage encryption can go a long way toward mitigating insider cybersecurity threats. If someone steals a backup tape or exports a copy of a virtual machine, encryption may prevent the person from being able to read it from outside of the organization--thereby rendering the data useless.
One of the best things that you can do to mitigate insider cybersecurity threats is to make what you are doing known--loudly and clearly. I’ve lost count of the number of times that friends or family members have asked me to what degree their employers can see what they do online. This goes to show that users are often unsure as to what, if any, monitoring capabilities their employers have implemented.
Organizations should consider adopting an activity monitoring solution that will log user activity and take periodic screen captures to go along with it. Once such a solution is in place, be sure to let your users know about it. Knowing that the organization is tracking absolutely everything done online can serve as a powerful deterrent to insider threats.
As you can see, there are numerous things that an organization can do in an effort to mitigate insider cybersecurity threats. These techniques help organizations counter intentional malicious activity, but they also can limit the damage caused by an accidentally compromised account or a malware infection.