CSAM: Safeguarding Clients Against Insider Betrayals (and Mistakes)
In the second part of our National Cybersecurity Awareness Month series, Colin Knox offers two key tips to help you prevent insider attacks and police data and systems access.
We’re two weeks into National Cybersecurity Awareness Month. Last week, Brandon Shopp focused on the fundamentals of protecting your systems against cybercriminals. However, not all threats come from external sources—many breaches begin with employees or contractors. Today, I want to clue you in on some worrying issues with insiders by offering two important safety tips.
- Employees and contractors can leave with sinister motives. Plan ahead for when they’re gone.
Imagine this scenario—a team member starts having financial difficulties at home. They’re private about personal issues, so you’re unaware of the problem. They lose focus, and their work begins to suffer. Unfortunately, you have to let them go after a few months. Feeling aggrieved, and despite no previous indication of criminal behavior, this employee decides to log into their old account and start “helping themselves” to your organization’s data. Soon, this data ends up getting sold on the Dark Web for a profit. What could you have done to prevent this?
Of course, you can reduce insider breach risks a little by performing background checks on employees. But sometimes, good employees—contract or full-time—go bad. You need to plan for these unfortunate potential events.
For starters, have an offboarding plan ready for when people leave. For each new hire, keep an inventory of company equipment you give them so you can recover those materials when they leave. Have them turn in all keys so they can’t access the building. Also, train employees to make sure everyone in the building is accompanied or watched at all times unless they’re a current employee. Even if an employee left on good terms, you never know their intentions. They could walk by, find an unlocked laptop, and go to town.
Beyond physical security, you’ll need to revoke access to accounts and sensitive data. Get a good access rights management tool so you can shut down account access fast when someone leaves. This also speaks to your overall access rights strategy. As businesses grow, it’s common for people to retain access to old systems or data; for example, a developer who moves from the billing system to the front end often keeps their rights to the billing system. Audit access rights regularly so employees don’t accumulate excessive permissions. If an account is then misused or compromised, the damage is limited to what that person’s current role actually needs. Again, a good access rights management tool can help you audit access rights and help ensure employees retain privileges on a “need-to-use” basis.
A final bit of advice—don’t make exceptions to these rules. Even if someone leaves amicably, still take steps to prevent potential threats, just in case. Most people are honest, but it only takes one bad apple to spoil your whole organization.
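The offboarding and access-review steps above can be reduced to a simple reconciliation: join the HR roster against the list of access grants and flag anything that should not be there. The script below is an added example, not code from the original post or from any product; the roster, systems, role entitlement matrix and dates are constructed for illustration.

```python
"""Offboarding and access-review check (added example, not from the original post).

Joins a constructed HR roster against a constructed list of access grants and
flags the two conditions the post describes:
  1. a departed person (or an unknown user) who still holds any grant, and
  2. a current employee holding a grant their present role does not need.
Users, systems, roles and dates below are invented for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    user: str
    role: str
    left_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    granted_on: date


# Hypothetical least-privilege matrix: which systems each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "billing-dev": {"billing-db", "git", "ci"},
    "frontend-dev": {"git", "ci", "cdn-console"},
    "sysadmin": {"billing-db", "git", "ci", "cdn-console", "hr-portal"},
}

# Constructed sample data.
ROSTER = [
    Person("alice", "frontend-dev", None),             # moved from billing to front end
    Person("bob", "billing-dev", None),
    Person("carol", "sysadmin", None),
    Person("dave", "billing-dev", date(2019, 9, 30)),  # let go last month
]
GRANTS = [
    Grant("alice", "billing-db", date(2018, 2, 1)),    # stale grant from her old role
    Grant("alice", "git", date(2018, 2, 1)),
    Grant("alice", "cdn-console", date(2019, 6, 1)),
    Grant("bob", "billing-db", date(2019, 1, 15)),
    Grant("bob", "git", date(2019, 1, 15)),
    Grant("carol", "hr-portal", date(2017, 5, 5)),
    Grant("dave", "billing-db", date(2019, 3, 3)),     # should have been revoked
    Grant("dave", "git", date(2019, 3, 3)),
]


def review_access(roster: List[Person], grants: List[Grant], today: date
                  ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return (departed_with_access, excess_grants), each a sorted list of (user, system)."""
    people = {p.user: p for p in roster}
    departed, excess = [], []
    for g in grants:
        p = people.get(g.user)
        if p is None or (p.left_on is not None and p.left_on <= today):
            # Unknown user, or someone who has already left: every grant is a finding.
            departed.append((g.user, g.system))
        elif g.system not in ROLE_ENTITLEMENTS.get(p.role, set()):
            # Current employee holding something their present role does not need.
            excess.append((g.user, g.system))
    return sorted(departed), sorted(excess)


def revocation_plan(roster: List[Person], grants: List[Grant], today: date) -> List[Tuple[str, str]]:
    """Grants to revoke now: everything held by departed users plus role-excess grants."""
    departed, excess = review_access(roster, grants, today)
    return departed + excess


if __name__ == "__main__":
    d, e = review_access(ROSTER, GRANTS, date(2019, 10, 15))
    print("departed users still holding access:", d)
    print("grants outside current role:", e)
```

Run against a real identity directory, the same two lists would come from the HR system and from each application's own grant export; the point is that the review is a join between those two sources, and that it must be scheduled, not done only when someone remembers.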
- Don’t let imposters change the locks. Verify identities before a password reset.
Not all insider threats are malicious—they can come from mistakes or negligence as well. In a study from SolarWinds, conducted in partnership with IDC research, 62% of businesses found insider mistakes were the leading cause of security incidents. This could come from copying data to insecure devices, accidentally emailing protected information to the wrong people, or creating weak passwords.
In particular, this last point on passwords warrants some discussion. Most people have dozens of passwords, so it’s common for even security professionals to re-use passwords or create weaker, easy-to-remember passwords. The problem is, just one bad password could lead to a cybercriminal gaining a foothold—then igniting a chain reaction of mayhem across your organization.
To combat this, hold security trainings with your team and make sure to frequently remind them of what they learned. Make sure they know not to re-use credentials across accounts and avoid writing passwords anywhere that could be visible. You could either suggest they use a password manager, or you could adopt one for your own organization to enforce these best practices.
Additionally, before you reset anyone’s password, verify the requester’s identity. At a minimum, enable multifactor authentication (MFA) for password resets. If you keep a departed employee’s account around, don’t stop at changing credentials: disconnect any recovery email addresses or phone numbers as well. You don’t want someone worming their way back in through a personal email account. This practice also helps protect against external threat actors. For high-risk employees, consider a policy that requires you to contact them directly to confirm they requested the reset. This adds extra protection for accounts with sensitive data access, like system administrators or executives, while keeping most employees from having to jump through additional, inconvenient hoops.
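The reset checks just described (active account, second factor, no personal recovery contacts, a call-back for high-risk roles) can be expressed as one policy function. The code below is an added example, not from the original post or from any vendor tool; the company domain, the high-risk role list, the sample account and the TOTP seed are all constructed for illustration. The second factor is standard RFC 6238 TOTP over HMAC-SHA1, which is what most authenticator apps use by default.

```python
"""Password-reset verification policy (added example, not from the original post).

Models the checks the post recommends before honouring a reset request:
  - the account must be active (a departed employee's account is never reset),
  - the requester must prove possession of a second factor (TOTP, RFC 6238),
  - recovery contacts outside the company domain are ignored, and
  - high-risk roles additionally need a person to confirm out of band.
Domain, roles, the sample account and its TOTP seed are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import List

COMPANY_DOMAIN = "example.com"                # hypothetical corporate mail domain
HIGH_RISK_ROLES = {"sysadmin", "executive"}   # roles that require a call-back


@dataclass
class Account:
    user: str
    role: str
    active: bool
    totp_secret_b32: str                      # base32 seed enrolled on the user's authenticator
    recovery_contacts: List[str] = field(default_factory=list)


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing for_time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, skew_steps: int = 1) -> bool:
    """Accept the current step plus/minus skew_steps of clock drift; compare in constant time."""
    return any(hmac.compare_digest(totp(secret_b32, now + d * 30), code)
               for d in range(-skew_steps, skew_steps + 1))


def usable_recovery_contacts(account: Account) -> List[str]:
    """Only corporate addresses count; a personal mailbox must not be a way back in."""
    return [c for c in account.recovery_contacts
            if "@" in c and c.rsplit("@", 1)[1].lower() == COMPANY_DOMAIN]


def evaluate_reset(account: Account, mfa_code: str, now: int,
                   confirmed_by_callback: bool = False) -> str:
    """Return 'deny:<reason>', 'pending-callback', or 'allow' for a reset request."""
    if not account.active:
        return "deny:account-disabled"
    if not verify_totp(account.totp_secret_b32, mfa_code, now):
        return "deny:mfa-failed"
    if account.role in HIGH_RISK_ROLES and not confirmed_by_callback:
        # Someone must ask the person directly whether they requested this reset.
        return "pending-callback"
    return "allow"


if __name__ == "__main__":
    now = int(time.time())
    alice = Account("alice", "frontend-dev", True, "JBSWY3DPEHPK3PXP",
                    ["alice@example.com", "alice.home@mail.example"])
    print(evaluate_reset(alice, totp(alice.totp_secret_b32, now), now))
    print(usable_recovery_contacts(alice))
```

The order of the checks matters: a disabled account is refused before any factor is evaluated, so a departed employee cannot even probe whether their old seed still works, and the call-back requirement is only reached once the second factor has passed, so the help desk is not asked to phone people about requests that were never genuine.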
The threat is coming from inside the business
The biggest security headlines typically come from major, widespread attacks, like WannaCry, BadRabbit, Spectre, or Meltdown. But as we found in our research, insiders play major roles in breaches. As much as you try to protect against the latest external threat du jour, you still need to focus on your own internal security. There’s no need to be paranoid—just a few common-sense security controls can help prevent insider attacks.