(Updated on 10/29/2020)
People undertake risky activities every day: Driving a car, skydiving, eating sushi from the gas station. But not every risk is equal, and not every high-risk activity ends in disaster.
Similarly, not every high-risk user on the company network will turn into an actual insider threat. If it were that simple, you could just remove those people from your user base. Instead, smart organizations think in terms of mitigating insider risk in a methodical and prioritized fashion. Since all organizations have resource limitations, and many have significant security resource shortages, prioritizing user and data activity monitoring based on risk is a smart strategy.
Today, we want to take a deeper look at what a high-risk user is and what you can do to effectively protect your organization from accidental and intentional insider threats, while also making it possible for people to do their jobs productively. Let’s jump in!
Common High-Risk User Scenarios
Simply put: Not all insiders are created alike, and some pose a higher risk to your organization. It’s a very good idea to know who your high-risk users are and to develop specific insider threat protection strategies to keep them from harming your organization.
Let’s take a look at some common high-risk user scenarios.
Generally speaking, the more privileges a user has, the higher the risk they pose to your organization. This Crowd Research Partners report found that privileged users posed the biggest security risk at 55% of organizations. An internal user (whether an employee, contractor or partner) may require more privileges than others due to job position or rank. For example, IT personnel tend to have high-level system administration privileges, so they may be able to read someone else’s email or escalate their own permissions. Other users may require access to specific types of highly sensitive data in order to do their jobs. For example, sales will need access to customer prospect lists, and the product team may need access to corporate IP.
In the case of our customer Your World Recruitment Group (YWRG), recruiters who worked for the organization had access to highly sensitive candidate and employment data. This was necessary for them to do their jobs. However, the recruitment industry has high turnover in general, and with employees moving frequently from job to job, data had a tendency to travel in unauthorized ways. So, YWRG partnered with Proofpoint to put a stop to rampant data exfiltration by the organization’s high-risk users.
Now, it’s worth noting here that accidental insider threats are very common. The Verizon DBIR 2019 found that privilege misuse and error by insiders are behind 30% of all breaches. So it’s fair to say that, in many cases, privileged users pose a higher risk to the organization not just because some have nefarious intent, but because we’re all humans and occasionally make mistakes. This is where user education and timely reminders can go a long way toward mitigating risk (more on that in a minute).
Finally, a word on privilege creep. While some users absolutely need higher privileges to do their jobs, it’s also very common for privilege creep to plague organizations. We recommend that you regularly audit privileges at your organization and ensure that the principle of least privilege is applied to all insiders as a best practice.
Some users are high-risk for personal reasons. In other words, some users may be vulnerable, for financial or other reasons, to being compromised by an outsider wanting to manipulate their insider access to exfiltrate data or otherwise harm an organization. This may sound like an outlandish scheme, but it’s all too real. In fact, the major Equifax breach is increasingly believed by experts to be an example of a nation-state (likely China or Russia) stealing data in order to identify people who might be vulnerable to being turned into spies.
Here’s another example, from an anecdote in this year’s Verizon DBIR, “A very skilled hacker admitted to the Secret Service that he ended up paying a collusive employee (insider threat) when all of his other hacking attempts to access a foreign bank’s network were unsuccessful.” In other words, these weak links can often be an entry point for the most sophisticated attacks.
One thing that is tricky about this type of high-risk user is that it’s often not easy or even possible to identify who might be a target. However, that doesn’t mean it’s any less of a risk. Below, we’ll talk about why a proactive approach, centered on user and data activity monitoring, is the best way to mitigate the potential risk that this type of user poses.
How to Keep High-Risk Users At Bay
Now that you understand some common examples of high-risk user scenarios that may affect your organization, let’s talk about what to do about it.
Know Your High-Risk Users
Your organization likely doesn’t have time to sort through high volumes of alerts, so it’s a good idea to label your high-risk users. One way to do this is to identify and monitor them based on their roles and the amount of privileges they have. With a dedicated insider threat management platform like Proofpoint Insider Threat Management (ITM), you can identify high-risk users and proactively monitor their activity.
Monitor & Audit Privileges
As we mentioned in the privileged user section above, monitoring and auditing user privileges and permissions frequently is a useful best practice. Always apply the principle of least privilege when determining who in the organization will have access to which data and systems. Role-based segmentation of access privileges can also help, as can time-limited access tools that ensure even your privileged users don’t have continuous, open access when they don’t really need it.
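As an added example (not Proofpoint's or ITM's code), here is a small least-privilege audit over a constructed entitlement inventory. It flags the two things the sections above describe: standing privileges outside a role's baseline (privilege creep) and time-limited grants that have expired but are still present. Role names, privilege strings and dates are all hypothetical.

```python
"""Least-privilege audit over a constructed entitlement inventory (added example, not Proofpoint code)."""
from datetime import date

# Hypothetical role baselines: the privileges each role actually needs to do its job.
ROLE_BASELINE = {
    "recruiter": {"candidate_db:read", "ats:write"},
    "sales": {"crm:read", "prospect_list:read"},
    "sysadmin": {"ad:admin", "mail:admin", "server:root"},
}

# Constructed inventory: (user, role, privilege, granted_on, expires_on or None for standing access).
GRANTS = [
    ("alice", "recruiter", "candidate_db:read", date(2020, 1, 10), None),
    ("alice", "recruiter", "ats:write", date(2020, 1, 10), None),
    ("alice", "recruiter", "server:root", date(2019, 3, 2), None),  # privilege creep from an old project
    ("bob", "sales", "prospect_list:read", date(2020, 6, 1), None),
    ("bob", "sales", "mail:admin", date(2020, 9, 1), date(2020, 9, 15)),  # time-limited grant, now expired
    ("carol", "sysadmin", "ad:admin", date(2018, 5, 5), None),
]
AUDIT_DATE = date(2020, 10, 29)


def audit_privileges(grants, baselines, today):
    """Return (user, privilege, finding) tuples for grants that violate least privilege.

    Two checks: a time-limited grant that is past its expiry but still present,
    and a privilege that is outside the user's role baseline (creep).
    """
    findings = []
    for user, role, priv, _granted, expires in grants:
        if expires is not None and expires < today:
            findings.append((user, priv, "expired_grant"))
        elif priv not in baselines.get(role, set()):
            findings.append((user, priv, "outside_role_baseline"))
    return findings


def excess_by_user(findings):
    """Count findings per user so the audit can be worked highest-excess first."""
    counts = {}
    for user, _priv, _kind in findings:
        counts[user] = counts.get(user, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for user, priv, kind in audit_privileges(GRANTS, ROLE_BASELINE, AUDIT_DATE):
        print(f"{user:8} {priv:20} {kind}")
```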
User Education: Awareness and Real-Time Reminders
Ponemon’s Cost of an Insider Threat Report found that 64% of insider incidents involved negligence. Mistakes are even more common than intentional insider threats, and for this reason, having a comprehensive security awareness program that has a section on insider threat is a smart choice. Additionally, we recommend using real-time user education tools (like those built into ITM) to remind users when they attempt to take out-of-policy actions. This way, a simple mistake has less of a chance of doing major harm to your organization.
Visibility into User and Data Activity
It’s also important to remember that many types of insider threats are difficult to predict, which is why user and data activity monitoring is so essential. There are many common insider threat indicators that an organization can monitor to catch insider threats before they evolve into something dangerous.
In particular, organizations should aim to gain visibility into user activities related to:
- Unauthorized cloud storage or large file-sending sites
- Disposable or temporary email clients
- USB storage devices and other removable media
- Copy/pasting, cut/copying, and large print jobs
These are perfect examples of activities that a high-risk user might undertake in order to exfiltrate data or otherwise harm the organization—whether their intentions are innocent (like sending documents to a personal email so they can work from home) or more nefarious.
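As an added example (not Proofpoint's or ITM's code), the routine below maps constructed endpoint events to the indicator categories listed above and ranks users by the number of distinct indicators seen, weighted by a privilege tier for their role, so that limited analyst time goes to the highest-risk users first. The domain lists, tiers, thresholds and events are all hypothetical.

```python
"""Privilege-weighted triage of insider-risk indicators over constructed events (added example, not Proofpoint code)."""
from collections import defaultdict

# Hypothetical policy inputs; an organization would source these from its own allow/deny lists.
UNSANCTIONED_CLOUD = {"wetransfer.example", "dropbox.example"}
DISPOSABLE_MAIL = {"10minutemail.example", "guerrillamail.example"}
PRIVILEGE_TIER = {"intern": 1, "recruiter": 2, "sales": 2, "sysadmin": 3}
LARGE_PRINT_PAGES = 100
LARGE_CLIPBOARD_BYTES = 50_000

USER_ROLE = {"alice": "recruiter", "bob": "sales", "carol": "sysadmin", "dave": "intern"}

# Constructed activity events, one dict per event, roughly as an endpoint agent might emit them.
EVENTS = [
    {"user": "alice", "type": "http_upload", "dest": "wetransfer.example", "bytes": 80_000_000},
    {"user": "alice", "type": "email", "dest": "me@10minutemail.example", "bytes": 2_000_000},
    {"user": "bob", "type": "http_upload", "dest": "sharepoint.corp.example", "bytes": 5_000_000},
    {"user": "carol", "type": "usb_write", "dest": "E:\\", "bytes": 300_000_000},
    {"user": "dave", "type": "clipboard", "bytes": 1_200},
    {"user": "dave", "type": "print", "pages": 250},
]


def classify(event):
    """Map one raw event to one of the indicator categories, or None if it is unremarkable."""
    kind = event["type"]
    if kind == "http_upload" and event["dest"] in UNSANCTIONED_CLOUD:
        return "unauthorized_cloud_upload"
    if kind == "email" and event["dest"].rpartition("@")[2] in DISPOSABLE_MAIL:
        return "disposable_email"
    if kind == "usb_write":
        return "removable_media"
    if kind == "clipboard" and event.get("bytes", 0) >= LARGE_CLIPBOARD_BYTES:
        return "large_copy_paste"
    if kind == "print" and event.get("pages", 0) >= LARGE_PRINT_PAGES:
        return "large_print_job"
    return None


def prioritize(events, user_role):
    """Rank users by distinct indicators seen, weighted by the privilege tier of their role."""
    seen = defaultdict(set)
    for ev in events:
        indicator = classify(ev)
        if indicator:
            seen[ev["user"]].add(indicator)
    ranked = [(u, len(inds) * PRIVILEGE_TIER.get(user_role.get(u), 1), sorted(inds))
              for u, inds in seen.items()]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))
```

A user with several distinct indicators and high privileges rises to the top, while a single low-privilege event stays near the bottom of the queue rather than generating an alert of its own.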
The Key: Full Context Around User and Data Activity
Finally, it’s important to realize that raw data around insider threat activity can often be hard to parse. Organizations need complete visibility into what happened before, during, and after an incident, so that they can determine what the user was up to and why. With a tool like ITM, these types of investigations take one to two days, versus the typical timeline of many weeks or even months using log-based tools and other legacy approaches to insider threats. With full context into user and data activity, organizations can ensure that even high-risk users stand little chance of harming the business.