Insider Threat Prevention Best Practices
An insider threat is an employee, former employee, contractor, business associate or other person within an organization who has access to critical data and IT systems and therefore could cause harm to the business. Insider threats can be managed by policies, procedures and technologies that help prevent privilege misuse or reduce the damage it can cause. These best practices to prevent insider threats will help you minimize the risk of your sensitive data being compromised.
How to minimize the risk of insider threats
- Perform enterprise-wide risk assessments. Know your critical assets, their vulnerabilities and the threats that could affect them. Be sure to include the various risks caused by insider threats. Then prioritize the risks and continuously enhance your IT security infrastructure according to risk priority. For more details, review these IT risk assessment best practices.
- Clearly document and consistently enforce policies and controls. Security software solutions and appliances must each have their own management policy and configuration documentation. Work closely with your HR department to create policies covering almost every employee interaction with the IT environment. For example, you should establish:
  - General data protection regulations
  - An incident response policy
  - A third-party access policy
  - An account management policy
  - A user monitoring policy
  - A password management policy
All these policies must be verified by your legal department and signed by your CEO. It is very important to document what actions will be taken and what penalties will be applied if a policy is violated and your investigation identifies the culprit.
- Establish physical security in the work environment. Hire a professional security team that will strictly follow your security instructions. They should prevent suspicious people from entering areas with critical IT objects (such as server rooms or rooms with switch racks). Have them inspect everyone at the entrance for IT devices and document everything they find that deviates from the security baseline. Instruct everyone to disable their cell phone cameras while they are in the facility. Don’t forget to lock all server rooms.
- Implement security software and appliances. Deploy and properly configure the following software:
  - Active Directory
  - Endpoint protection system
  - Intrusion prevention system
  - Intrusion detection system
  - Web filtering solution
  - Traffic monitoring software
  - Spam filter
  - Privileged access management system
  - Encryption software
  - Password management policy and system with at least two-factor authentication
  - Call manager
  - Data loss prevention system
Enable mailbox journaling on your Exchange Server, preferably with e-discovery software installed.
- Implement strict password and account management policies and practices. All users should access your systems with credentials that identify them individually; each user should have a unique login ID and password. Follow password best practices and account management best practices in order to implement these policies correctly.
- Monitor and control remote access from all endpoints, including mobile devices. Deploy and properly configure wireless intrusion detection and prevention systems, as well as a mobile data interception system. Regularly review whether employees still require remote access and/or a mobile device. Ensure that all remote access is terminated when an employee leaves the organization.
- Harden network perimeter security. Configure your firewall properly. Blacklist all hosts and ports, and then whitelist only those you need. Configure a DMZ. Do not implement VPN or FTP; ensure that no critical systems interface directly with the internet. Segment the network into VLANs defined by business units to prevent users from freely traversing the network. Establish a baseline of normal network device behavior.
- Enable surveillance. Monitor all critical facilities in your company by video cameras with motion sensors and night vision. Enable session screen-capture technology on all critical servers and devices owned by privileged users.
- Enforce separation of duties and least privilege. Require authorization from two users for copying of data to removable media (also consider requiring that the data be encrypted); require two system administrators to approve the deletion of critical data or changes to configuration. Deploy role-based access controls and configure Group Policy to prevent employees from accessing information or services that are not required for their jobs, and also ensure that employees in administrator roles have separate, unique accounts for their administrative and non-administrative activities.
- Recycle your old hardware and documentation properly. Before discarding or recycling a disk drive, completely erase all information from it and ensure the data is no longer recoverable. Old hard disks and other IT devices that contained critical information should be physically destroyed; assign a specific IT engineer to personally control this process.
- Use a log correlation engine or security information and event management system (SIEM) to log, monitor and audit employee actions. Keep all your device logs for multiple years to enable incident investigation and ensure historical evidence is easily accessible. Implement log management and change auditing software that delivers enterprise-wide visibility. Monitor and document every critical change made to your IT environment; for example, audit permissions regularly to prevent privilege creep.
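The permission audit mentioned above, as an added example that is not part of the original article: two exported permission snapshots are compared against a role matrix to surface privilege creep and to list every change for review. The role matrix, the user names and the snapshots are constructed sample data.

```python
"""Audit effective permissions against a role matrix to flag privilege creep.
Added example (not from the article); the role matrix, users and snapshots
below are constructed sample data."""

# Constructed: which permissions each job role legitimately needs.
ROLE_MATRIX = {
    "accountant": {"finance_share:read", "finance_share:write"},
    "helpdesk": {"ad:reset_password", "helpdesk_share:read"},
    "sysadmin": {"ad:admin", "backup:restore", "finance_share:read"},
}

# Constructed snapshots of effective permissions, e.g. exported once a month.
SNAPSHOT_PREVIOUS = {
    "alice": ("accountant", {"finance_share:read", "finance_share:write"}),
    "bob": ("helpdesk", {"ad:reset_password", "helpdesk_share:read"}),
}
SNAPSHOT_CURRENT = {
    # alice kept a right granted for a temporary project
    "alice": ("accountant", {"finance_share:read", "finance_share:write",
                             "backup:restore"}),
    # bob was escalated for a ticket and never brought back down
    "bob": ("helpdesk", {"ad:reset_password", "helpdesk_share:read",
                         "ad:admin"}),
}

def excess_permissions(snapshot, matrix):
    """Return {user: permissions beyond what the user's role requires}."""
    excess = {}
    for user, (role, perms) in snapshot.items():
        extra = perms - matrix.get(role, set())  # unknown role: everything is excess
        if extra:
            excess[user] = extra
    return excess

def permission_changes(previous, current):
    """Return {user: (gained, lost)} so every change can be reviewed and documented."""
    changes = {}
    for user in set(previous) | set(current):
        before = previous.get(user, (None, set()))[1]
        after = current.get(user, (None, set()))[1]
        gained, lost = after - before, before - after
        if gained or lost:
            changes[user] = (gained, lost)
    return changes

if __name__ == "__main__":
    print("excess:", excess_permissions(SNAPSHOT_CURRENT, ROLE_MATRIX))
    print("changes:", permission_changes(SNAPSHOT_PREVIOUS, SNAPSHOT_CURRENT))
```

Both reports are empty when the current snapshot matches the role matrix, so they can run unattended after each export and only produce output that needs a human decision.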
- Implement secure backup, archiving and recovery processes. Implement and configure file and mailbox archiving. Implement and configure a backup system and create a backup policy that requires a full backup at least every month. Also, establish and test a disaster recovery plan. If part of the backup and recovery process is outsourced, account for the possibility that a malicious insider is employed by a trusted business partner.
- Identify risky actors and respond promptly to suspicious behavior. Monitor your security systems and respond to suspicious or disruptive behavior according to your incident response policy. Monitor and control remote access to the organization's infrastructure. Configure alerting on all critical systems and events, and ensure the alerts warn you through multiple channels. By implementing user behavior analytics (UBA) technologies, you can spot bad actors more efficiently.
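The user behavior analytics idea above reduced to its core, as an added example that is not code from the article or from any product: a per-user baseline of usual working hours and daily activity volume is learned from audit log lines, and new lines are checked against it. The log format, the user name and every log line are constructed sample data.

```python
"""Per-user behaviour baseline and deviation alerts over audit log lines.
Added example (not the article's or any product's code); the log format and
every line below are constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime
LOG_LINE = re.compile(r"^(\S+) user=(\S+) action=(\S+) object=(\S+)$")  # constructed format
# Constructed baseline: ten working days, two reads each at 09:00, 11:00 and 14:00.
BASELINE_LOGS = [
    f"2024-03-{day:02d}T{hour:02d}:15:00 user=carol action=file_read object=hr/{n}.docx"
    for day in range(1, 11) for hour in (9, 11, 14) for n in range(2)
]
# Constructed new day: one normal read, then twenty reads just before midnight.
NEW_LOGS = ["2024-03-12T09:05:00 user=carol action=file_read object=hr/0.docx"] + [
    f"2024-03-12T23:{m:02d}:00 user=carol action=file_read object=hr/{m}.docx"
    for m in range(40, 60)
]

def parse(lines):
    """Parse lines into (timestamp, user, action, object); unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ts, user, action, obj = m.groups()
            events.append((datetime.fromisoformat(ts), user, action, obj))
    return events

def build_baseline(events):
    """Per user: the hours normally active and the most events seen in one day."""
    hours, per_day = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for ts, user, _, _ in events:
        hours[user].add(ts.hour)
        per_day[user][ts.date()] += 1
    return {u: (hours[u], max(per_day[u].values())) for u in hours}

def detect(events, baseline, volume_factor=3):
    """Alert on activity outside a user's usual hours and on daily volume spikes."""
    alerts, per_day = [], defaultdict(lambda: defaultdict(int))
    for ts, user, _, obj in events:
        per_day[user][ts.date()] += 1
        usual_hours, _ = baseline.get(user, (set(), 0))  # unknown user: all hours unusual
        if ts.hour not in usual_hours:
            alerts.append(("off_hours", user, ts.isoformat(), obj))
    for user, days in per_day.items():
        for day, count in days.items():
            if count > volume_factor * baseline.get(user, (set(), 0))[1]:
                alerts.append(("volume_spike", user, day.isoformat(), count))
    return alerts
```

Each alert tuple names the rule that fired, so it can be routed to the channels your incident response policy defines rather than only printed.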
- Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities. Cloud service providers extend the organization's network perimeter and introduce new attack opportunities for malicious insiders. Conduct a risk assessment of the data that you plan to outsource to a cloud service provider, especially if it is sensitive data like intellectual property or financial services information. Ensure the service provider poses an acceptable level of risk and meets or exceeds your organization's own security practices. Understand how the service provider’s data security works. Identify and confirm the responsible person for restricting logical and physical access to organizational assets in the cloud. Monitor and control all changes made in the cloud.
- Develop a comprehensive employee termination procedure. Work with HR to develop a strong user termination procedure to protect your organization legally and technologically from former employees. Follow user termination best practices.
- Include insider threat awareness in periodic security training for all employees. Train all new employees and contractors in security awareness before giving them access to any computer system. Train and test your employees against social engineering attacks, active-shooter situations and sensitive data left out in the open. For example, perform your own phishing attacks on their mailboxes or make social engineering attacks by phone. Be sure to provide additional training for anyone who doesn't pass these tests. Encourage employees to report security issues and train them on how they can help reduce the insider threat. Consider offering incentives that reward those who follow security best practices. Accept that you cannot eliminate the insider threat completely, and implement an insider threat detection solution.
Learn how Netwrix Auditor helps you quickly identify and investigate suspicious user actions so you can block insider attacks before it’s too late, as well as detect data security threats that might otherwise stay concealed for a long time.