3 ways to protect against insider threats
- By Jim Hansen
- Jul 29, 2019
The cybersecurity landscape is ever changing, but one thing that has remained consistent over the past few years is the steady increase in the number of insider threats. In SolarWinds’ most recent federal cybersecurity survey, 56% of respondents listed careless or untrained workers as their top challenge. That’s up from 42% just a few years ago.
Hackers understand that human beings make mistakes. People accidentally click on email messages from suspicious sources. Maybe they forget to change network permissions after IT staff members leave, or they are simply too lazy to change the default “Password00” on their systems.
Respondents also said they believe contractors and temporary workers are the most susceptible targets. In fact, 51% of those surveyed said IT security risks are greater with contractors.
Here are three ways public-sector IT professionals can bolster their defenses against careless insider threats.
1. Institute better oversight of contractor access
Early in my career, I was a professional services consultant for a software company. When a customer bought our software, my job was to deploy the application and integrate it with the client's business systems. In one particular case, I was given full domain-level admin privileges and remote VPN access to the customer’s environment. Six months after I completed the engagement, out of curiosity, I tried logging back onto the company’s network. Guess what? I was able to get in. The administrator never changed my access privileges after I left. Fortunately, I was not a hacker. I called company officials to alert them to the situation, and they shut down my access.
Although this event took place many years ago, it illustrates the issue. As integral as contractors are to an agency’s success, they are often left to their own devices or even, to some extent, forgotten. They’re not treated like agency employees, even if they have the same access to information. This makes them a primary target for hackers.
Instituting better security oversight of contractors is the agency's responsibility. Contractors should be treated like any other employee; they must have a firm grasp on the agency’s security policies and be held to the same standards of accountability as full-time employees.
Likewise, managers must ensure that access rights and privileges are granted only to those contractors who need them. Automating this process can help with assigning user authentications and permissions and ensuring that only the right contractors have the right access to the right data. And, of course, agencies must shut down those permissions once the contractor leaves.
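One way to automate the contractor access review described above is shown below. It is an added example, not code from the article or from SolarWinds; the record fields, group names and sample accounts are constructed assumptions standing in for a directory export.

```python
from datetime import date

# Constructed sample of a directory export; field names are assumptions.
ACCOUNTS = [
    {"user": "c.alvarez", "type": "contractor", "contract_end": date(2019, 1, 31),
     "enabled": True, "groups": ["Domain Admins", "VPN-Users"], "last_login": date(2019, 7, 20)},
    {"user": "c.brooks", "type": "contractor", "contract_end": date(2019, 12, 31),
     "enabled": True, "groups": ["Domain Admins"], "last_login": date(2019, 7, 28)},
    {"user": "c.chen", "type": "contractor", "contract_end": date(2019, 3, 15),
     "enabled": False, "groups": ["VPN-Users"], "last_login": date(2019, 3, 14)},
    {"user": "e.davis", "type": "employee", "contract_end": None,
     "enabled": True, "groups": ["Domain Admins"], "last_login": date(2019, 7, 29)},
]

PRIVILEGED_GROUPS = {"Domain Admins"}  # assumption: groups that need explicit approval


def audit_contractor_access(accounts, today):
    """Return sorted (user, finding) pairs for contractor accounts that need action."""
    findings = []
    for acct in accounts:
        if acct["type"] != "contractor":
            continue
        user, end = acct["user"], acct["contract_end"]
        if end is None:
            # Without an end date the account can never be flagged as expired.
            findings.append((user, "no contract end date on record: set one"))
            continue
        if end < today:
            if acct["enabled"]:
                findings.append((user, "enabled after contract end: disable"))
            if acct["last_login"] and acct["last_login"] > end:
                findings.append((user, "login after contract end: investigate"))
            if acct["groups"]:
                findings.append((user, "group memberships remain after contract end: remove"))
        elif PRIVILEGED_GROUPS & set(acct["groups"]):
            findings.append((user, "active contractor holds privileged group: review need"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_contractor_access(ACCOUNTS, date(2019, 7, 29)):
        print(f"{user}: {finding}")
```

Run on a schedule against the real directory export, the same checks catch the case from the anecdote: an account that stays enabled, privileged and in use months after the engagement ended.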
2. Implement continuous training on best practices and government mandates
Continuous security training is enormously important for both contractors and full-time employees. All users must understand how to discern a phishing email from a legitimate message, for example, and they must always be vigilant to potential threats. This goes for everyone in the organization, from management on down, because security should not just be the responsibility of the IT team.
Agencies should consider implementing frequent, short training sessions to inform users about the latest threats, updated security protocols or government security mandates. These should happen monthly, at minimum. At the very least, they can serve as reminders that the threats are real and can help employees maintain awareness.
3. Deploy tools to manage and reinforce security
No matter how much training is provided, it’s inevitable that some attacker will get through. When that happens, a technology security net can be an agency’s best friend.
Beyond implementing basic access controls and network management solutions, agencies should consider automated monitoring of user activity, which can quickly alert managers to suspicious activity. For example, someone logging in from halfway around the world using a D.C.-based employee’s credentials would trigger a warning that the user’s login information may have been compromised. The system can automatically revoke that user’s access and alert the IT team to determine the appropriate next steps.
IT managers can also use systems that provide updated cyberthreat intelligence to help them monitor for known, unknown and emerging threats. With this intelligence, they can remain informed on the latest malware, viruses and other malicious activities that agency employees could inadvertently expose themselves to.
It’s important to remember that most contractors and full-time employees are simply trying to get through the day and do their jobs well. But they need to be aware of what they can do to keep their agencies’ data safe and protect themselves from becoming virtual puppets of enterprising hackers.
There is hope. On average, survey respondents rated their IT security training efforts as “acceptable,” while 40% rated them “better than average” or “superior.” Clearly, government IT professionals feel confident that, despite the rising threats, they are on the right path. They just need to continue focusing on those insider challenges that threaten to derail their efforts.
Jim Hansen is VP of products, security and application management at SolarWinds.