Protecting Data From Insider Threats

Sep 20, 2021 | StorCentric

September 2021 marks the third year of National Insider Threat Awareness Month (NITAM), which, according to the NITAM website, aims to help prevent “exploitation of authorized access to cause harm to an organization or its resources.” The acting director of the National Counterintelligence and Security Center, Michael J. Orlando, recently recognized this month of data protection awareness with a letter that stated September should emphasize “the importance of safeguarding our nation by detecting, deterring, and mitigating insider threats.”

Orlando noted that the last year and a half, in particular, has been challenging from the perspective of a rapidly expanding number of threats that have originated not from external cybercriminals, but from within the ranks of the victimized organizations themselves. “The United States has suffered a rising number of incidents perpetrated by trusted insiders who have adversely affected public health and safety, national security, and the economic well-being of the United States,” Orlando’s letter explained.

Insider Threats to Company and Nation

While the month focuses on national security, this issue is, of course, inextricably linked with organizational security as well. When enterprises think about ransomware attacks, the focus is often on guarding against external threats, of which there are many. Yet companies must be just as prepared to defend against threats from inside their organization.

A big reason for the exacerbation of insider threats over the last 18 months can be traced to the large numbers of employees working from home due to the COVID-19 pandemic. In fact, a global report from the Ponemon Institute on the 2020 Cost of Insider Threats revealed that insider threats escalated nearly 50% over the past two years, and the costs of these incidents have skyrocketed as well, rising from $8.76 million in 2018 to $11.45 million in 2020.

Mistakes and Malice

Not all of these problems come from malicious actors within the company; many are simply due to mistakes, miscalculations or misconfigurations on the part of employees and managers. In some cases, insider trouble stems from something as simple as workers not using IT-approved devices, which in turn opens the door to external bad actors.

The Ponemon Institute’s report found that the majority of insider incidents—62%—originated from carelessness or negligence on the part of employees. The report shared that such unintended mistakes come with a high price tag of over $300,000 per incident, while insiders who intend to do harm cost companies even more, at over $871,000 per incident.

For companies to avoid both types of insider threats—accidental as well as intentional—IT must adopt an approach that’s similar to the way it protects against external threats. Organizations must commit to being as rigorously dedicated to employee education, iron-clad security policies and bulletproof technologies as they are when defending against ransomware and other malware. Three words hold the key to achieving this: protect, detect and recover.

Prioritize Recovery Strategies

Given the high number of insider threats currently occurring, the recovery piece is particularly important. Organizations must assume that some internal threats will occur—but with the right recovery strategy, these threats don’t have to succeed. Two best practices in this arena relate to your backups:

  • Unbreakable Backup. The first part of your recovery strategy should entail having a backup that is essentially “unbreakable.” The ideal solution(s) should include features like file fingerprinting, file redundancy, file serialization, secure time stamp and automatic file repair, as well as the necessary capabilities to ensure regulatory compliance. And importantly, the admin keys should be stored in a separate location for added protection. While an unbreakable backup is ideal to protect against ransomware and external threats, it’s equally valuable for data defense internally. An unbreakable backup is just what it sounds like—the data is “locked down,” so to speak, so the backup can’t be damaged or tampered with and the company need not worry about data loss or downtime should an insider threat be lurking. Malicious actors within the company may target the company’s backups just as ransomware does, so the goal with unbreakable backup is to have a solution that eliminates a company’s concern about the ability to recover its backup.

  • Immutable Backup. Part two of your recovery strategy should incorporate “immutable backups.” As with unbreakable backup, immutable backups are a perfect solution when external threats are the issue—and this type of backup is just as useful to guard against insider threats. The goal here is to give companies a backup target that lets them lock their backups for a predetermined period of time: an “immutable retention period,” if you will. Ideally, this type of solution will integrate with the write once, read many (WORM) immutable storage that many cloud providers now offer, which prevents file alteration during a designated time period. The result is immutable backups that no user can delete, even if a bad internal actor gains control of the root credentials.
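
The two backup practices above, sketched as an added example that is not from the article or from any StorCentric product: an in-memory model in which each file carries a fingerprint and redundant copies for automatic repair, and in which delete and overwrite are refused for every role until the retention period ends. `BackupStore`, its methods, the sample file name and the choice of SHA-256 as the fingerprint are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

def fingerprint(data: bytes) -> str:
    # Assumption: SHA-256 as the fingerprint; the article names no algorithm.
    return hashlib.sha256(data).hexdigest()

class BackupStore:
    """In-memory model of a WORM backup target (hypothetical, not a product API)."""

    def __init__(self):
        self.objects = {}  # name -> digest, replicas, retain_until

    def _check_lock(self, name, now):
        until = self.objects[name]["retain_until"]
        if now < until:
            raise PermissionError(f"{name} is locked until {until.isoformat()}")

    def put(self, name, data, retain_days, now, copies=2):
        if name in self.objects:
            self._check_lock(name, now)  # write once: no overwrite while locked
        self.objects[name] = {
            "digest": fingerprint(data),
            "replicas": [bytearray(data) for _ in range(copies)],
            "retain_until": now + timedelta(days=retain_days),
        }

    def delete(self, name, role, now):
        # role is passed in by the caller but grants no bypass, not even to root.
        self._check_lock(name, now)
        del self.objects[name]

    def verify_and_repair(self, name):
        """Return indexes of replicas that failed the fingerprint and were rewritten."""
        obj = self.objects[name]
        ok = [fingerprint(bytes(r)) == obj["digest"] for r in obj["replicas"]]
        if not any(ok):
            raise ValueError(f"{name}: no intact replica left to repair from")
        source = obj["replicas"][ok.index(True)]
        bad = [i for i, good in enumerate(ok) if not good]
        for i in bad:
            obj["replicas"][i] = bytearray(source)
        return bad

# Constructed sample: one backup file locked for 30 days.
T0 = datetime(2021, 9, 20, tzinfo=timezone.utc)
store = BackupStore()
store.put("payroll.bak", b"constructed sample backup bytes", retain_days=30, now=T0)
```

The model keeps the fingerprint next to the replicas for brevity; a fingerprint only detects insider tampering when it is stored where the person who can write the backup cannot reach it.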

Insider threats to a company’s key data and resources are as ominous and potentially damaging as anything that external cybercriminals can accomplish. An organization’s security and its very existence can be quickly and easily undone by both trusted employees who make a mistake, and malicious internal players who fraudulently obtain credentials to intentionally do damage.

Corporate defenses should be equal to the level of threat—which means assuming the worst and putting the best solution in place, particularly when it comes to ensuring recovery. By having impenetrable recovery solutions in place for internal threats as well as external ones, organizations can protect their most valuable data assets and ensure the longevity of their business.