How to stop malicious or accidental privileged insider attacks

Keeping an eye on insider threats

With many office employees working outside the traditional perimeter and adjusting to new processes during the COVID-19 pandemic, companies have started paying closer attention to insider risks and threats. Compounding this, a 2022 Code42 data exposure report showed 55% of companies are concerned employees will be lax with new hybrid cybersecurity practices.

Keeping an eye on employees and monitoring their behavior was easier when they were on the corporate network and physically in an office. That's not as easy with employees at home -- especially if a corporate VPN or other safeguards aren't present.

The pandemic also ushered in the "Great Resignation," which saw millions of Americans switching or leaving their jobs. This compounded the insider threat posed by departing employees. In fact, a 2022 Beyond Identity survey found 83% of respondents continued to access a previous employer's accounts. Of those who still had access, 56% said they used it to harm their former employer; 25% said they took client information; and 24% said they took company financial information.

The past two years also saw a number of mergers and acquisitions, another area ripe for insider attacks and threats. "Often it's insider trading because people get access to information they shouldn't have during this period," said Jack Poller, an analyst at Enterprise Strategy Group (ESG), a division of TechTarget.

The danger of privileged insider attacks

Unsurprisingly, the more access to company servers and data an employee has, the bigger the risk of an insider threat. A privileged user has permissions with specialized or administrative functions and can often directly access and/or make changes to sensitive or critical systems.

One issue here is that not all users with privileged access should have it. Sometimes regular users receive additional permissions for short-term projects that don't get revoked after project completion. IT could also misconfigure user profiles, allowing regular users to access unrelated but business-critical data.

It's important to also note that not all privileged insider attacks are malicious. The 2021 Forrester Analytics Business Technographics Security Survey found 65% of internal incidents were negligent. These incidents aren't actively malicious but leave business data exposed -- for example, an employee who saves or misuses data against company policy.

"If you're a sys admin, you could shut down the wrong machines or destroy the wrong VMs," Poller said. "Say you were on host 1 and thought you were on host 10. So, you do a disk shutdown and accidentally delete an entire company's infrastructure just by being on the wrong machine and typing the wrong command line."

One of the reasons privileged insider attacks are often missed is because insiders typically don't have to hack into company systems to gain access to information.

"Vendors have told me, 'We can tell when [an attacker] is using Kali Linux or firing up Metasploit,' etc.," said Jonathan Care, an analyst at Gartner. "That's great, but the privileged insider doesn't need to hack or elevate their privileges."

How to prevent privileged insider attacks

There are multiple ways to keep privileged insider threats at bay. First and foremost, always follow the principle of least privilege access to reduce threats. Limit employees' access to only the applications, data and systems needed to complete their job.

Audit all the roles in an organization's system and their privileges. Then, determine appropriate workflows and create a baseline of activities to better identify anomalous privileges and users with excessive rights. Care suggested paying extra attention to domain admins, sys admins, root users and database admins. Also include positions such as invoicing admins, who often have the power to create new payroll entries, invoices and suppliers in the system.

Companies should also implement policies and procedures around privileges, especially when it comes to onboarding and offboarding. If an employee leaves the company, for example, immediately cut off access rights and ensure they didn't create any new admin accounts. Also make it a policy to review employees' privileges after they change roles. Set and follow policies and procedures to ensure uniform treatment of employees. Inconsistency could cause issues down the line, said Joseph Blankenship, analyst at Forrester Research. Don't let one user off with a warning while terminating another for the same thing, he said.

Once policies and procedures are in place, consider a security monitoring platform that monitors how employees use data and whether their actions violate policies. Flag behavior and determine whether an incident was an accident or the start of malicious activity. Also investigate from a user behavior perspective, Blankenship said. "Typically, an insider will have a tell or motivation that may indicate the person is risky. One of the biggest is if they have given their notice," he said.

Should security monitoring be implemented, inform employees -- don't monitor in secret. Making employees aware of monitoring often is enough to deter insider attacks.

"Tell everybody, 'We're using these tools because we care about our customers' data,'" Care said. But don't tie security monitoring to productivity monitoring. Security teams shouldn't have that task, and it can ruin employee experience and trust by overmonitoring and being intrusive.

Finally, educate employees on the importance of policies and procedures. Conduct security awareness trainings throughout the year to ensure employees remember -- but make them short, "bite-sized" sessions, Care said, because yearly training sessions that cover everything usually aren't effective.