Zero-Trust Not Enough to Stamp Out Insider Threats
Insider threats continue to be a nuisance for modern businesses. Why? Because they are so difficult to detect. Insiders do, after all, have legitimate access to systems and data.
“This could be an employee, a contract staff, an authorised third party and even a collaborator. Technically this could be anyone in the organisation,” said Resham Ganglani, CEO at Halodata Group, who spoke with CSA following the “Insider Threat Report 2022-Singapore Edition” report that Halodata recently released.
This research identifies several significant developments to insider threats to Singaporean businesses. The report, the first of its kind, evaluates insider threats today and their underlying causes. The analysis was produced in association with SPIRE Research & Consulting, a strategic market intelligence consultant.
Businesses have noticed an increase in this threat ever since the pandemic hit. Resham attributes this to an abrupt shift in employee behaviour thanks to the pandemic. The on-premises setup’s security measures vanished all of a sudden. Everything was cloud-oriented, putting more emphasis on availability and integrity than on confidentiality.
“This provided a platform for harvesting of necessary data for their next jobs or selling it without the usual security visibility and controls due to the change of security perimeter,” he added. “In summary, the pandemic changed the goalposts for security but gave the striker the advantage.”
What Motivates Nefarious Insiders
The outcomes could be disastrous, regardless of the approach and the motivations. We can divide it into two categories – financial and non-financial motives, says Resham.
Since most businesses have their assets in digital form—business plans, intellectual property, human resources data, financial data, etc.—each of these pieces of information has a monetary worth and can be sold for a variety of reasons from a financial standpoint.
For non-financial reasons, it is typically a disgruntled employee who was overlooked for promotion, is not getting along with colleagues, or is simply misusing the access they have for the thrill of it.
When asked whether insider threats are as harmful as external threats, he responds that an external threat is one that sets out to harm, typically for financial gain or to cause damage. These may be detrimental to the organisation, but the harm is frequently vague.
“An insider threat, however, knows the exact value of information they are leaking and how to benefit from it. The exact damage to the organisation is calculated beforehand. It is premeditated when it’s intentional and not accidental,” he explained.
Why Insider Threats are Harder to Deal With
In fact, he emphasised that organisations find it harder to deal with insider threats due to the following reasons:
- Data is consumed differently and is necessary for daily work. Removing access does not make sense.
- Technology is limited. An example would be screen sharing on Microsoft Teams and Zoom. An insider can leak data in that manner. This will be hard to detect.
- Lack of awareness. While we all know about PDPA and data privacy, how many organisations have an insider threat programme? Employees do not know what their limits are, or the consequences of data breaches from the inside. Companies do not make this clear in their processes and education.
- There are also no whistle-blower policies for insider threats beyond the traditional fraud mechanisms. Methods of detection of criminal activity towards data are not a focus but have the potential for devastating damage to both reputation and business as a whole.
Therefore, he believes that establishing a policy and framework designed to combat insider threats is necessary in order to protect yourself against them. “This starts from the top and across departments – HR, Legal, Risk and Compliance, IT and all business units must work together. As shown in the survey, many people think it’s a GRC and IT problem. Of course, it’s not, it involves people and work processes!” he said.
Since the cybersecurity concept of “zero-trust” is becoming more and more prevalent, most people would turn to it, as zero-trust at its core assumes that no user is trusted. The majority of respondents (between 30 and 40 per cent) do, however, think that zero-trust is ineffective at preventing insider threats. Resham somewhat agrees with them.
The idea behind zero-trust went beyond “trust but verify.” Zero-Trust implies constant verification. He did point out that zero-trust does not prevent abuse of access if an insider has already been authenticated and given permission. It also does not prevent the users from getting information and using it to benefit them in an offline situation.
“An example would be leaking pricing to a competitor over a cup of coffee. The user had authorised access and passed all the zero-trust controls in a clean and authorised manner. Zero-Trust is a technology and not always going to stop an authorised insider or third party,” he concludes.
In summary, organisations should constantly monitor their security systems to spot suspicious activity based on real-time detection of anomalies in insider behaviour and transactions. The enterprise threat surface and consequent vulnerabilities continue to expand as complex IT infrastructures are adopted. Therefore, a strong monitoring and analytics system combined with extremely responsive remedial operations can significantly reduce attacks on company networks and assets.
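The gap described above, where an authorised insider passes every zero-trust control and still abuses the access, is what behavioural monitoring is meant to catch. As an added illustration that is not from the report or from Halodata, the Python below runs a per-user daily-volume baseline over a constructed access log: every record satisfies a per-request zero-trust policy check, yet only the baseline flags the bulk export. User names, roles, thresholds and the log format are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean

# Assumed role-to-resource policy: which document categories each role may open.
ROLE_ACCESS = {"sales": {"pricing"}, "finance": {"financials"}}


def make_log():
    """Constructed sample: five working days of document accesses for two users.
    Every record is MFA-authenticated and within the user's role, so it passes
    a zero-trust access decision."""
    log = []
    for day in range(1, 6):
        # alice (sales) normally opens 3-4 pricing documents a day
        for i in range(3 if day % 2 else 4):
            log.append({"user": "alice", "role": "sales", "auth": "mfa",
                        "day": day, "category": "pricing", "doc": f"price-{day}-{i}"})
        # bob (finance) normally opens 2 financial reports a day
        for i in range(2):
            log.append({"user": "bob", "role": "finance", "auth": "mfa",
                        "day": day, "category": "financials", "doc": f"fin-{day}-{i}"})
    # On day 5 alice additionally pulls the whole pricing catalogue (40 documents).
    for i in range(40):
        log.append({"user": "alice", "role": "sales", "auth": "mfa",
                    "day": 5, "category": "pricing", "doc": f"catalogue-{i}"})
    return log


def zero_trust_allows(event):
    """Per-request policy check: MFA-authenticated and resource within the role."""
    return event["auth"] == "mfa" and event["category"] in ROLE_ACCESS[event["role"]]


def flag_volume_anomalies(log, factor=3.0, min_events=10):
    """Flag (user, day, count) where the daily access count is at least
    `min_events` and exceeds `factor` times the user's mean on all other days."""
    counts = Counter((e["user"], e["day"]) for e in log)
    per_user = defaultdict(dict)
    for (user, day), n in counts.items():
        per_user[user][day] = n
    flagged = []
    for user, days in per_user.items():
        for day, n in days.items():
            others = [m for d, m in days.items() if d != day]
            if others and n >= min_events and n > factor * mean(others):
                flagged.append((user, day, n))
    return sorted(flagged)


if __name__ == "__main__":
    log = make_log()
    print("all events pass zero-trust policy:", all(zero_trust_allows(e) for e in log))
    print("volume anomalies (user, day, count):", flag_volume_anomalies(log))
```

The catalogue pull is invisible to the policy check because each request is individually legitimate; only comparing the user's behaviour against their own baseline surfaces it.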