Tips to Combat Insider Threats
By Melody Ann J. Kaufmann
COVID-19 taints every aspect of our society, from daily lifestyle changes such as social distancing and masks to closed schools and remote learning, health screenings at events, and virtual conventions. Organizations of all types faced a sudden influx of remote workers, or had their doors shut completely. Only mission-critical employees staffing crucial infrastructure continued working on premises. Life has been pared down to services maintaining the health and living essentials of a population in lockdown. But nowhere was the impact of COVID-19 felt more heavily than the health care industry upon whose shoulders a desperate world leaned.
Even now as the world tenuously begins the reopening process, the long-term impact of the COVID-19 pandemic is undeniable. Health care faces the challenges of patient care, finding a cure, and developing a vaccine coupled with managing and securing massive amounts of data generated from patient care, health insurance, and billing information as well as data from clinical trials, research, and daily organizational operations.
Yet, there are those seeking to leverage the chaos for personal gain. Phishing e-mails capitalizing on COVID-19 and new strains of cryptolockers in e-mails titled “Letter of Dismissal” join traditional attempts to compromise systems and networks. While health care workers focus on the business of saving lives and solving the pandemic puzzle, ever-present cyber threats are clawing at the gates for entry.
The 2020 Insider Threat Report reveals that 72% of businesses experienced an increase in insider threat attacks over the last 12 months alone. Only 61% of businesses have visibility into privileged accounts on premises and only 22% have visibility into their cloud, indicating a huge threat surface that the “enemy at the gates” mentality doesn’t address.
Damage From Insider Threats
Breaches are caused by more than external malicious actors; often the cause is an accidental action by a well-meaning or misdirected employee: someone with privileged access opens a phishing e-mail or follows a malicious link and exposes the system to malware, or stolen employee credentials let a third party reach protected data. Even an overpermissioned employee who unintentionally stumbles upon sensitive information may count as a breach.
Bad actors also exist inside the network, whether disgruntled or malicious employees deliberately setting out to steal, delete, or alter data, or inside agents who exploit their internal connections to reach systems they have no business in. These individuals are direct data security threats, and they are also vectors for leaking information that could damage your organization's reputation or for damaging systems outright.
Because eliminating insider threats is impossible, managing them is a delicate balancing act between the impact of an incident and the cost of mitigation. Health care faces especially stringent requirements under HIPAA, which prescribes specific safeguards to keep patient data private and, through its minimum necessary standard, limits who may access that information.
There is a wide range of punitive measures the HHS Office for Civil Rights (OCR) can take against organizations failing to comply with HIPAA, including fines of up to millions of dollars and/or corrective action plans. Corrective action plans sound innocuous, but the mandated controls and accelerated implementation timetables can make remediation more expensive than the fines themselves.
Beyond the monetary penalties there is the more nebulous cost to public image and reputation. A health care organization relies upon trust: patients must feel they are getting the best care and that their data will be appropriately protected.
Countering Insider Threats
Insider threats are daunting and pose serious risk, but steps can be taken to mitigate that risk. One of the easiest is helping good employees make good decisions through a two-pronged approach of training and filtering. End-user security best practices training that includes phishing awareness ensures users understand how to make choices that protect themselves and the organization.
Additionally, a good e-mail filtering system with a built-in antiphishing capability provides a layer of defense between employees and attackers by eliminating well-known phishing threats before they reach inboxes. The best solutions let employees report suspected phishing with one click and, once a report is confirmed, pull the same message back out of every other inbox that received it. The duet of training and filtering prevents good insiders from unwittingly becoming threats and limits the information that slips through the cracks.
Fending off willful bad actors requires more technology, specifically controls that prevent them from stealing or altering data and damaging systems. A robust identity governance and administration (IGA) program supplies several of these protections. Key among them is fine-grained entitlement management that limits each identity to specific files and applications, coupled with access request management that eases the approvals process while giving the approver risk-based visibility into the requested asset: what it grants, how sensitive it is, and whether it conflicts with access the requester already holds. That visibility is what makes segregation of duties enforceable and access tracking meaningful, and it ensures that high-risk access requests are logged, as HIPAA's audit control requirements demand.
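The following is an added example, not code from the article or from Saviynt, of what risk-based access request handling looks like in practice: every request is checked against a segregation-of-duties (SoD) conflict list, routed according to its effective risk, and written to an audit record regardless of outcome. The entitlement names, risk tiers, conflict pairs and routing rules are hypothetical.

```python
"""Added example: risk-based evaluation of an access request with a
segregation-of-duties (SoD) check and an audit record for every decision.
Entitlement names, risk tiers and conflict pairs are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Hypothetical entitlement catalog with a risk tier per entitlement.
ENTITLEMENT_RISK = {
    "ehr.view_chart": "low",
    "ehr.export_bulk_records": "high",
    "billing.submit_claims": "medium",
    "billing.approve_payments": "medium",
    "iam.grant_roles": "high",
}

# Toxic combinations: pairs no single person may hold at the same time.
SOD_CONFLICTS = {
    frozenset({"billing.submit_claims", "billing.approve_payments"}),
    frozenset({"iam.grant_roles", "ehr.export_bulk_records"}),
}

# Routing by effective risk: low auto-approves, medium goes to the manager,
# high (including any SoD conflict) also needs a security reviewer.
ROUTE_FOR_RISK = {"low": "auto", "medium": "manager", "high": "manager+security"}


@dataclass
class AccessRequest:
    requester: str
    entitlement: str
    current_entitlements: frozenset  # what the requester already holds
    justification: str


@dataclass
class Decision:
    effective_risk: str
    route: str
    sod_conflicts: list
    audit_record: dict


def evaluate_request(req, now=None):
    """Score one request: catalog risk, SoD conflicts, routing, audit record."""
    now = now or datetime.now(timezone.utc)
    # An entitlement missing from the catalog is treated as high risk, not ignored.
    catalog_risk = ENTITLEMENT_RISK.get(req.entitlement, "high")
    conflicts = sorted(
        held for held in req.current_entitlements
        if frozenset({held, req.entitlement}) in SOD_CONFLICTS
    )
    # A toxic combination raises the effective risk to high whatever the catalog says.
    effective = "high" if conflicts else catalog_risk
    route = ROUTE_FOR_RISK[effective]
    record = {
        "ts": now.isoformat(),
        "event": "access_request",
        "requester": req.requester,
        "entitlement": req.entitlement,
        "catalog_risk": catalog_risk,
        "effective_risk": effective,
        "sod_conflicts": conflicts,
        "route": route,
        "justification": req.justification,
    }
    return Decision(effective, route, conflicts, record)


def audit_line(decision):
    """Serialise the audit record as one JSON line for the log pipeline."""
    return json.dumps(decision.audit_record, sort_keys=True)


if __name__ == "__main__":
    req = AccessRequest("clerk01", "billing.approve_payments",
                        frozenset({"billing.submit_claims"}), "covering for a colleague")
    decision = evaluate_request(req)
    print(decision.route, decision.sod_conflicts)
    print(audit_line(decision))
```

The approver never sees a bare "approve/deny" button: the decision object carries the risk tier and the conflicting entitlements, and the same record is what lands in the audit log, so the high-risk request is recorded even when it is ultimately denied.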
A user behavior analytics (UBA) tool adds the intelligence to spot questionable user behavior quickly and stop it in its tracks. Integrated with the IGA platform and the systems that hold sensitive data, it monitors who touches that data, learns what normal looks like for each user and role, and sanity-checks access against that baseline: a user who suddenly reads ten times the usual number of patient charts, in the middle of the night, from a unit they have never worked in, is a strong signal that the access is not for a legitimate reason.
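As an added example (not code from the article or any particular UBA product), here is the kind of baseline-and-deviation logic such a tool applies, run over constructed EHR access log lines. The log format, the user, the units, the three rules and their thresholds are all hypothetical; a real product would learn baselines over weeks, not three days, and across peer groups rather than a single user.

```python
"""Added example: rule-based user behavior analytics over EHR access logs.
The log format, users, units and thresholds are hypothetical; the sample
data is constructed in make_sample_log()."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical key=value audit line: "<ISO-8601 UTC> user=.. action=.. patient=.. unit=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) unit=(?P<unit>\S+)$"
)


def make_sample_log():
    """Constructed sample: nurse01 works three normal day shifts in the ICU
    (2-3 chart views a day), then one night shows 25 views in oncology."""
    lines, patient = [], 1000
    for day, views in {"2020-05-04": 3, "2020-05-05": 2, "2020-05-06": 2}.items():
        for i in range(views):
            patient += 1
            lines.append(f"{day}T{9 + 2 * i:02d}:15:00Z user=nurse01 "
                         f"action=chart.view patient=P-{patient} unit=icu")
    for i in range(25):
        lines.append(f"2020-05-07T{2 + i // 10:02d}:{(i * 6) % 60:02d}:00Z user=nurse01 "
                     f"action=chart.view patient=P-{2000 + i} unit=oncology")
    return lines


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match the schema."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_off_hours(ts):
    """Hypothetical shift policy: anything between 22:00 and 06:00 is off-hours."""
    return ts.hour < 6 or ts.hour >= 22


def detect_anomalies(lines, baseline_days=3):
    """Learn each user's normal from their first `baseline_days` active days,
    then flag later days on three rules: volume spike, never-seen unit, off-hours."""
    by_user_day = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "chart.view":
            by_user_day[ev["user"]][ev["ts"].date()].append(ev)

    findings = []
    for user, days in by_user_day.items():
        ordered = sorted(days)
        base, later = ordered[:baseline_days], ordered[baseline_days:]
        if not later:
            continue  # still learning; nothing to evaluate yet
        counts = [len(days[d]) for d in base]
        mean = statistics.mean(counts)
        # Three standard deviations above the mean, but never below double the
        # mean, so a very flat baseline does not fire on a one-chart difference.
        threshold = max(mean + 3 * statistics.pstdev(counts), 2 * mean)
        known_units = {ev["unit"] for d in base for ev in days[d]}
        baseline_off_hours = any(is_off_hours(ev["ts"]) for d in base for ev in days[d])

        for d in later:
            events = days[d]
            if len(events) > threshold:
                findings.append({"user": user, "day": str(d), "rule": "volume_spike",
                                 "detail": f"{len(events)} chart views vs threshold {threshold:.1f}"})
            new_units = {ev["unit"] for ev in events} - known_units
            if new_units:
                findings.append({"user": user, "day": str(d), "rule": "new_unit",
                                 "detail": f"units never seen in baseline: {sorted(new_units)}"})
            if not baseline_off_hours and any(is_off_hours(ev["ts"]) for ev in events):
                findings.append({"user": user, "day": str(d), "rule": "off_hours",
                                 "detail": "off-hours access by a user with a day-shift baseline"})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(make_sample_log()):
        print(finding)
```

Each rule on its own is noisy (a real night shift, a float nurse, a busy day), which is why the findings carry the rule name and detail rather than a verdict: the analyst, or a downstream correlation step, weighs three simultaneous deviations differently from one.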
Ensuring proper gateway protections are in place is still important, but watching for internal threats must not be overlooked. A multilayered approach builds solid protection against both internal and external threats. This is especially important in health care, where the stakes are high and internal threats are not purely malicious: they can come from even the most well-meaning employee who happens to make a bad decision.
— Melody Ann J. Kaufmann is a security specialist at Saviynt (www.saviynt.com) and has a Master of Science in Information Systems with 20-plus years of diverse technology experience including designing, developing, and implementing applications, systems, and enterprise-level solutions that improve organizational agility. Kaufmann is an information security professional with a passion for cloud security whose expertise covers a range of IT verticals, from health care to higher education.