It's What's Inside That Counts

Simon Cuthbert • 1 July 2021

Mitigating the Insider Threat

The faster an IT landscape grows, the harder it becomes to keep track of users. The question this poses to IT managers and administrators is: is it even still possible to efficiently and transparently conduct a user management process that is not going to cause more work, more complication and slow the business down?

And what do I mean by that? Well… Let’s first look at Permissions Management. When someone joins your company, how are they provisioned? How many steps or processes does your company have to go through to onboard a new employee?

Let’s say you have a new starter; we’ll call him Peter… Peter is starting a new role in Finance. HR set Peter up with his contract, Finance set him up on Payroll. HR then asks IT to provision Peter with access. IT asks ‘What access does Peter need?’ Who do they ask? Do they ask HR or do they ask Peter’s Line Manager? Who IS Peter’s Line Manager… HR go back to IT and tell them that Peter’s Line Manager is Lynn in Finance. IT call or email Lynn and ask what access Peter needs… Does Lynn even know the answer to this?

Much of the time the answer is something along the lines of ‘Give him the same permissions as Sue. Sue has been in Finance for ages and is doing something kind of similar so she will have all the right access that Peter needs!’ THIS ACTUALLY HAPPENS!!

And what about when an employee moves from one department to another? Rarely do they have their old access removed. Why? Because it’s too difficult! Also, IT are usually the last to be told when an employee is leaving the company, meaning that they have full access until they leave and in some instances… Even AFTER they leave! With the mix of on-site and remote working becoming the NEW NORM this point is more important than ever.

The theme is very similar with temporary and contracting staff being assigned open ended permissions with no cut off date. With remote working fast becoming the new norm for many businesses, ensuring you have a tight grip on permissions has never been so important. Users may be accessing systems via their personal device, which in itself is a whole new threat that we won’t get into as that is a session all of its own!

So how does permissions management relate and translate to Security Threats?

A Definition of Insider Threat

An insider threat is most simply defined as a security threat that originates from within the organization being attacked or targeted, often an employee or officer of an organization or enterprise.

An insider threat does not have to be a present employee or stakeholder, but can also be a former employee, board member, or anyone who at one time had access to proprietary or confidential information from within an organization or entity.

Contractors, business associates, and other individuals or third-party entities who have knowledge of an organization’s security practices, confidential information, or access to protected networks or databases also fall under the umbrella of being an insider threat. An insider threat may also be described as a threat that cannot be prevented by traditional security measures that focus on preventing access to unauthorized networks from outside the organization or defending against traditional hacking methods.

Internal breaches occur for a variety of reasons. In some cases, individuals use their access to sensitive information for personal or financial gain. In others, insiders have aligned themselves with third parties, such as other organizations or hacking groups, and operate on their behalf to gain access from within the network of trust and share proprietary or sensitive information. Another type of insider threat is often referred to as a Logic Bomb. In this instance, malicious software is left running on computer systems by former employees, which can cause problems ranging from a mild annoyance to complete disaster.

Internal breaches can be intentional or unintentional, and the term can also refer to an individual who gains insider access using false credentials but who is not a true employee or officer of the organization. Many of these breaches go un-noticed or unreported. They are harder to detect than an external attack for a number of reasons.

Users require access to critical systems and data to enable them to perform their role. In general there are no internal security measures in place to prevent access to critical data, because most companies do not have solutions in place to see exactly who has access to what; without that visibility, how are they supposed to manage it? After all, you can’t manage what you can’t see, and because of this a breach may have occurred long before it is detected.

Dangerous access rights such as orphaned user accounts and obsolete or wrongly set access rights open the floodgates for unauthorised access to critical data. Companies face greater organisational and technical challenges when trying to fulfil compliance regulations such as GDPR, and IT resources that are scarce and precious are often spent on the manual management of access rights instead of being invested elsewhere.

Even the U.S. Government is subject to insider threats, and this can be particularly dangerous to the nation’s security. In fact, the National Counterintelligence and Security Centre points out that, “Over the past century, the most damaging U.S. counterintelligence failures were perpetrated by a trusted insider with ulterior motives.”

Often, warning signs are present but may go unreported for years because colleagues of these individuals are unwilling or hesitant to accept the idea that a trusted co-worker could be engaged in treasonous acts. Insiders convicted of espionage have often been active for years prior to being caught, leading to incomprehensible security risks within the country.

These same scenarios are present when insider threats occur within private enterprises and organizations. Businesses are built on teams and require counterparts to trust and support one another, making it difficult for colleagues to acknowledge warning signs and red flags when they are present. This further complicates the challenges that exist in successfully defending against insider threats. Despite these challenges, addressing insider threats to sensitive data is a critical component of any modern security program.

Incident detection time is one of the most important components in the cost of a data breach. It’s especially hard to detect insider-related incidents because actors know exactly where sensitive data is stored and which cybersecurity solutions are implemented. For this reason, some breaches may go undetected for months or even years.

Statistics on time to detect a data breach are different in each report. The Verizon Data Breach Report states that a company needs on average 197 days to identify a breach and 69 days to contain it. 

Overall reports are mixed. Some studies show that most insider attacks are detected within minutes or days. Other research indicates that it takes from several months to years to spot such a violation.

The cost of an insider attack remains high.

The Ponemon Institute 2018 Cost of Insider Threats study shows that the average cost of an insider-related incident is around $513,000 but insider-related incidents can cost a company up to $8.76 million a year. In North America, this number is even higher — up to $11.1 million a year. Accenture & Ponemon’s 2019 Cost of Cybercrime study provides us with even less optimistic figures. It indicates a substantial increase in the cost of insider threats. The average cost of a malicious insider attack rose 15% from 2018 to 2019.

Sadly, the answer is yes.

It’s cheaper to deploy and maintain a data breach protection solution than to deal with the consequences of a breach. Alongside reputational losses and payments to affected parties, a breached organization has to pay fines for breaking security regulations. For example, not complying with PCI DSS costs from $5,000 to $10,000 per month. If you don’t come into compliance over time, this cost increases. A GDPR violation may cost up to $20 million. And in California, a law similar to GDPR, the California Consumer Privacy Act, came into force in January 2020. Gartner predicts that total IT security spending worldwide will hit $124 billion in 2019. In 2018, it was estimated at $114 billion.

At the same time, a survey shows that C-level officers are becoming more considerate when choosing insider threat protection solutions. It’s important to pick not the most popular solution on the market but the one that fits your company’s needs perfectly.

  • There is a high probability that your company will get fined according to applicable data security regulations, even if nobody seems to have been hurt. 
  • The price of your company’s stock may fall considerably because of the ruined trust in your organization.  
  • Your competitors may become aware of your company’s trade secrets and use them to develop new products or enhance existing ones, robbing you of potential profit.
  • Your customers may suffer if someone compromises their sensitive information.

So can we 100% eliminate the risks? No, of course we can’t. But what we can and should be doing is mitigating the risks posed by insiders that either seek to or unintentionally cause us harm.

Remember, humans are smart. But we must also remember that not ALL humans are smart and that’s what causes some of those breaches. Yes, we need to have policies, systems and procedures and we do need to continually educate our staff. Most of all though, we need to give IT and business users the right tools to lower the risks we have talked about.

Cyber Insider mitigation checklist

  • Deploy a ‘Least-Privilege’ Policy
  • Data owners must review access rights regularly to ensure these are up-to-date
  • Regular Reporting
  • Gaining immediate visibility of changes
  • Put Ownership of Permissions onto Data Owners 
  • Traceability
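As an added example (not code from the original post, and not a VARChannels product), the following Python script runs the checklist above over constructed data: a hypothetical HR roster, a data-owner registry and two directory-export snapshots. It flags the dangerous access rights described earlier in the post: orphaned accounts with no HR record, leavers who still hold access, contractors whose end date has passed, and users who moved department but kept rights owned by their old department (the ‘give him the same as Sue’ provisioning pattern). It also diffs two snapshots, for the ‘immediate visibility of changes’ item, and groups findings by owning department so each data owner gets their own list to review.

```python
"""Access review over an HR roster and a directory group export.

Added example, not code from the original post. All data below is
constructed: in practice the roster would come from an HRIS export and the
snapshots from a directory or identity-provider group dump.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Finding = Tuple[str, str, str]  # (user, group, reason)


@dataclass(frozen=True)
class Person:
    user: str
    department: str                      # current department according to HR
    status: str                          # "active" or "left"
    contract_end: Optional[date] = None  # None for permanent staff


# Constructed HR roster (hypothetical people).
HR: Dict[str, Person] = {p.user: p for p in [
    Person("peter", "finance", "active"),
    Person("sue", "finance", "active"),                  # moved here from sales
    Person("lynn", "finance", "active"),
    Person("bob", "sales", "active"),
    Person("carl", "it", "active", date(2021, 3, 31)),   # contractor, ended
    Person("dave", "it", "left"),                        # leaver
]}

# Constructed data-owner registry: which department owns each group.
OWNER_DEPT: Dict[str, str] = {
    "fin-payroll": "finance",
    "fin-ledger": "finance",
    "sales-crm": "sales",
    "it-admin": "it",
}

# Constructed directory snapshots: group -> members, taken a week apart.
SNAPSHOT_PREVIOUS: Dict[str, Set[str]] = {
    "fin-payroll": {"sue", "lynn"},
    "fin-ledger": {"sue"},
    "sales-crm": {"sue", "bob"},
    "it-admin": {"carl", "dave", "svc-old"},
}
SNAPSHOT_CURRENT: Dict[str, Set[str]] = {
    "fin-payroll": {"peter", "sue", "lynn"},     # Peter provisioned "like Sue"
    "fin-ledger": {"peter", "sue"},
    "sales-crm": {"sue", "bob"},                 # Sue kept her old sales rights
    "it-admin": {"carl", "dave", "svc-old"},
}

AS_OF = date(2021, 7, 1)  # review date used for contract-end checks


def review_access(hr: Dict[str, Person], owners: Dict[str, str],
                  snapshot: Dict[str, Set[str]], today: date) -> List[Finding]:
    """Return one finding per membership that breaks the checklist."""
    findings: List[Finding] = []
    for group, members in snapshot.items():
        for user in sorted(members):
            p = hr.get(user)
            if p is None:
                findings.append((user, group, "orphaned: no HR record"))
            elif p.status == "left":
                findings.append((user, group, "leaver still holds access"))
            elif p.contract_end is not None and p.contract_end < today:
                findings.append((user, group, "contract ended, access not cut off"))
            elif owners.get(group) != p.department:
                findings.append((user, group,
                                 f"owned by {owners.get(group)}, user now in {p.department}"))
    return findings


def diff_snapshots(previous: Dict[str, Set[str]], current: Dict[str, Set[str]]):
    """Memberships added and removed between two exports."""
    added, removed = [], []
    for group in sorted(set(previous) | set(current)):
        before, after = previous.get(group, set()), current.get(group, set())
        added += [(u, group) for u in sorted(after - before)]
        removed += [(u, group) for u in sorted(before - after)]
    return added, removed


def by_owner(findings: List[Finding], owners: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Group findings by the department that owns the group, for owner sign-off."""
    report: Dict[str, List[Finding]] = {}
    for f in findings:
        report.setdefault(owners.get(f[1], "unassigned"), []).append(f)
    return report


if __name__ == "__main__":
    for dept, items in by_owner(review_access(HR, OWNER_DEPT, SNAPSHOT_CURRENT, AS_OF),
                                OWNER_DEPT).items():
        print(f"[{dept}] {len(items)} finding(s) to review")
        for user, group, reason in items:
            print(f"  {user:<8} {group:<12} {reason}")
    added, removed = diff_snapshots(SNAPSHOT_PREVIOUS, SNAPSHOT_CURRENT)
    print("added:", added, "removed:", removed)
```

On this data the current snapshot yields four findings: Sue still holds a sales-owned group after moving to Finance, Carl’s contract ended in March but his admin access was never cut off, Dave has left yet remains in it-admin, and svc-old has no HR record at all. The diff shows only Peter’s two new memberships, which is exactly what a data owner would want to see the day they appear rather than at the next annual audit.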
In Conclusion

These insider threat statistics show the most common cybersecurity challenges today:
  • Insider Threats are equal to or more dangerous than threats from external sources
  • The cost and impact of insider attacks and breaches on the business are rising
  • The longer it takes to detect an attack, the more you’ll have to pay for it
  • Regular users can cause as much damage as privileged users
  • Human error is the most common cause of a data breach
  • Insider threat detection must become the dominant element in a cybersecurity system
For more information on how VARChannels can help click the contact button on the Contact Us page.