Combating Your Company’s Insider Risk

Regulation Changes are Cause for an Overhaul

New data privacy and cybersecurity regulations, including the NY DFS and the EU GDPR, are causing companies to tighten up on their controls and map their security programs to match the requirements in order to avoid punitive corrective actions and steep fines for violations. To be effective, controls and security solutions must account for the human factor.

It’s a bitter pill to swallow. Given the virulence and ingenuity of headline-grabbing cyber attacks and cybercrime syndicates, it’s hard to internalize the fact that the biggest threat to enterprise data and systems is the everyday employee. This should be alarming to any company that relies on maintaining a trusting relationship with vendors, partners, shareholders and customers while staying out of the crosshairs of regulators.

Every CISO & Risk Management executive fears their company being the next one to capture the headlines because of a breach.  Data breaches are costly — incident response and recovery, crisis communications, legal issues, loss of reputation (for employees and the company), customer attrition and damage to stock price are just the beginning. New data privacy and cybersecurity regulations are causing companies to tighten up on their controls and re-map their current security programs to match the new requirements. To be effective, controls and security solutions must account for the human factor.

Human behavior is the trickiest risk factor to predict, manage and defend against. Even after several years of high-profile breaches, security training and anti-phishing campaigns, end users persist in using weak and compromised passwords, clicking on suspicious links, sharing accounts and using insecure apps and websites. Putting too many restrictions on end users and employees leads to loss of productivity and frustration — which in turn leads to risky workarounds. Not to mention organizations also need to account for employee curiosity which can lead to employees trying to access things that they shouldn’t.

To address the human factor, many companies turn to user and entity behavior analytics (UEBA) solutions. While these solutions can be fantastic and providing greater intelligence on user behavior, they can produce far too many alerts and false positives, further burdening overstressed security teams. We need a smarter approach, and the first step is to better understand the risks that insiders pose to enterprise security.

The results of a recent survey commissioned by Preempt highlight how businesses are exposed by employees with poor security habits and too much access to sensitive resources. Even those employees who identify themselves as responsible users are introducing risk without realizing it.  For instance:

• More than 90 percent of all employees have weak password update practices.
• Nearly 80 percent don’t know or aren’t sure if their username and password have been exposed in a breach.

It isn’t surprising that employees have terrible password habits, but the prevalence of this problem is disconcerting. It’s a red flag that should compel security teams to look more closely at the true depth, breadth, and nature of insider risk.

Bending the Rules is All Too Common

Survey results showed that one-third of employees have bent the rules or figured out a security workaround in order to accomplish a work task. While they may not be acting maliciously, these users are essentially internal hackers poking holes in your systems so they can get their work done faster. Proper security controls should not be so easy to circumvent, and such violations should not go unnoticed.

Curiosity is a Risky Motivator

This may be the scariest. One out of four employees admits to trying to snoop by accessing data at work that they were not supposed to see or did not have privileges to access. Out of the 25 percent who admitted to snooping around, more than half were successful at getting their hands on the restricted data. This could be anything from sensitive HR files and salary information to intellectual property and confidential negotiations. It doesn’t take much imagination to see how this kind of data in the wrong hands can lead to costly and damaging exposure.

Bad Habits are the Rule, Not the Exception

As we already mentioned, nearly all employees use weak passwords and fail to check if they have been compromised in a breach. Any credentials, personal or business, that have been exposed in a public breach put the enterprise at risk (and thanks to Equifax, Yahoo!, and other massive breaches, almost all of us have been affected at some point). It is clear that employees don’t understand how this works; of those who were aware of being compromised, 68 percent only changed their password on the site or app where it was breached; only 37 percent changed that password everywhere they had used it. Moreover, 25 percent of respondents confirmed that in their workplace, multiple employees shared the same account (and password). This bad habit makes it impossible to keep the password secure, makes updating difficult, confuses behavioral analyses and muddles investigations in the event of an incident.

Given the fact that 40 percent of those surveyed confessed to using the same passwords for both work and personal accounts, the widespread lack of awareness about credential compromise and the importance of regular password updates represents a huge vulnerability. Compromised passwords are listed in databases that hackers leverage to execute all kinds of malicious exploits. Of course, illicit databases aren’t the only place to find passwords — 45 percent of those surveyed admit to writing their password down. All too often, sensitive account information ends up on a sticky note in plain view.

Mismatch Between Practice and Perception

Humans operate with a lot of biases, one of which is our tendency to think we are better at following the rules than we really are. Less than 10 percent of respondents rated their personal IT security health and awareness as below average (bottom 25 percent), while a full 40 percent ranked themselves in the top quartile. In light of the actual practices measured in the survey, most of those claiming above average cyber hygiene are overconfident, oblivious or uninformed. This is perhaps the most unsettling finding, and the hardest one to address. When employees don’t understand that their behaviors and routines are putting themselves and their company at risk, there is no reason to think they will change. It also does not bode well for efforts to reduce phishing attacks through training. Employees that are not reliably mindful about security risks will fall into socially engineered traps without realizing it.

How Do You Get a Handle on Human Nature?

Human nature is a force to be reckoned with — from greed to revenge and curiosity to carelessness — and awareness training is a paltry response. In a digitally transformed environment where the network perimeter is porous, identity and behavior should drive access decisions. Binary restrictions (blacklisted or whitelisted, allowed or blocked) aren’t adaptive enough to enable efficient operations and address situational risk. Continuous risk assessments based on identity and behavior allow for more accurate detection of anomalies. Automated, real-time responses to those anomalies mitigate risk by enforcing multi-factor authentication, verifying identity through challenges and sending meaningful alerts.

Specific capabilities like analyzing the quality of passwords, adding Multi-Factor Authentication to any application, and identifying accounts with stealthy admin (also known as shadow admin) privileges can proactively reduce insider risk while allowing users to get their jobs done. Behavior-based solutions that build contextual intelligence over time and integrate with other security solutions empower security teams to enforce policy, fine-tune access controls and defend against threats from multiple angles.

Everyone needs to work smarter and more securely, but we all know it’s not a matter of asking nicely. Strengthening your enterprise security from the inside out without slowing down operations or frustrating your end users is imperative. As the scale of cyber assets and attacks continues to grow, doing it with intelligent, context-sensitive, automated tools is the only sustainable approach. These efforts will go a long way toward protecting your most valuable assets, including your data, your reputation and your trust-based relationships.