Managing Insider Risk During the Great Reshuffle

Contributors:

Oliver Rochford, Security Evangelist

Shareth Ben, Vice President, Global Customer Success

Aditya Sundararam, Senior Director, Cyber Threat Analytics

 

We are in the midst of a huge recalibration of the workforce that commentators have dubbed “the great resignation” or “the Great Reshuffle”. 

  • 4.3 million Americans quit their jobs in August, 2021, representing almost 3% of the US workforce, the biggest spike on record. The number rose to 4.4 million in September. 
  • On LinkedIn, job title changes are up 54% year over year, and according to a recent survey 41% of employees are considering leaving their employer or changing careers. 
  • Mid-level employees are most likely to leave, with employees between 30 and 45 years old leading the change. 

Government legislation making vaccinations mandatory is another factor impacting the workforce. 

In many countries, employers are required to enforce these laws, and risk potential retaliation by disgruntled employees. Security leaders must prioritize and evolve their insider threat management programs during these tumultuous times and safeguard their organizations’ transition through the great reshuffle. 

Below we share a few of the insider trends we have observed in the past year.

Flight Risks Usually Announce Themselves

Flight risk is the likelihood that an employee will leave your company, typically for a new opportunity somewhere else. Our analysis of over 300 insider attacks shows that flight risk employees that plan to exit with valuable information typically display a range of tell-tale signs and suspicious behaviors 2 weeks to 2 months before they leave a company, indicating their intent.

Focusing on these flight risk indicators, for example someone forwarding a large amount of old and archived emails, allows us to identify any risk and preempt the loss of confidential and sensitive information.

 

Data Exfiltration via Email Is Still #1, but Cloud Is Catching Up

When we analyzed over 300 insider attacks for our 2020 Insider Threat report, 62% of all insider threat incidents involved data exfiltration. Almost 40% of the incidents exfiltrated sensitive data over email, with cloud storage sites used in just over 20% of all cases.

In 2021, we still see data exfiltration as the most prevalent incident category, with email again the most common vector. But the abuse of the personal cloud storage and email services has increased notably.

  • We have seen employees use personal accounts in cloud collaboration tools such Dropbox, Microsoft Teams, Google Drive, or SharePoint to access corporate files after they leave an organization. 
  • In some cases, the private accounts were originally used for legitimate work to facilitate the sharing of data during WFH and remote work, but still retain the proprietary data after an employee leaves the company.
  • In other cases, corporate cloud accounts were not deprovisioned and still allowed access after employment had ceased.

 

Trust Abuse Is on the Rise

The misuse of privileged accounts has long been a common characteristic of insider attacks, but the days when only high privilege users were a risk are long past. Today’s malicious insiders working remotely and from home and using a mix of private devices and public or shared cloud services have far more implicit trust relationships to abuse. 

Simple business-as-usual privileges and habits that have arisen during the pandemic, such as sharing files externally, using personal devices, or sending emails to private email accounts. have helped businesses and workers stay productive, but have also created opportunities for malicious actors to evade monitoring and find loopholes in policies.

We have seen an increase in incidents of insiders abusing exiting trust relationships and privileges, including:

  • Departing employees not removing sensitive data from private email and data sharing accounts and accessing them in their new job.
  • Copying sensitive files to a private “Bring Your Own” device and not deleting them when departing the company.
  • Creating additional user accounts to use after leaving the company.

 

Collusion Turns Insider Attacks Into a Team Sport

Contractors and employees are often aware that employers are monitoring for insider abuse, and are adopting evasive techniques in response. We have started seeing incidents of collusion, where a malicious actor recruits one or more colleagues to assist in exfiltrating the data. Although an unknowing colleague may become an unwitting accomplice, more typically two or more employees conspire to bypass IT controls and elude monitoring measures. In some  cases entire teams may act together. 

  • A friend on the same team might copy the sensitive data for an insider, who has been flagged as a flight risk and is being monitored.
  • The attacker may ask several colleagues to fetch different files for them, to evade measures to detect data aggregation.
  • A team of colleagues departing to the same new employer but leaving at different times may spread the collection and exfiltration of data over a longer period of time.

 

Lessons Learned for Insider Risk Programs

Some organizations are already developing countermeasures and approaches to minimize the occurrence of and damage from insider risk. Below, we share some of the best practices we have observed in our client base:

  • For some enterprises, insiders taking data with them is so common an occurrence that prosecution is not their first measure. Instead, they will send a legal notice to the ex-employee to return or destroy all data, with a reminder of the penalties if they don’t.
  • We have seen some organizations introduce additional policies and strengthen employment contract language concerning data and intellectual property theft, and making the topic a focus during employee onboarding, in order to deter the exfiltration of data during tenure and departure.
  • Some businesses are including a discussion on what data an employee may have retained access to during the off-boarding exit interview.

 

Minimize Insider Risk Through Rapid Recognition of High-Risk Users 

An effective insider risk program includes user activity monitoring. Securonix uses patented machine learning and behavior analytics to analyze and correlate activity between users, systems, applications, IP addresses, and data. It’s light, nimble, and quick to deploy, and comes with pre-packaged use case content to detect advanced insider and flight risk threats. Securonix can quickly identify suspect accounts by detecting anomalous user behavior as compared to normal baseline patterns and peer behavior activity.

But even with behavioral analytics, it is difficult to find abnormal user behavior. Many users and entities have multiple accounts and may work on different networks, so Securonix gives you the ability to track users across accounts and trace lateral movement and nefarious activity.

 

Detect High-Risk User Behavior

Quickly identify suspect accounts by detecting anomalous user behavior as compared to normal baseline patterns and peer behavior activity.

 

Monitor User Access to Critical Data

Monitor users with privileged access to critical databases, servers, applications, and cloud services to quickly identify if credentials are being compromised or abused.

 

Stop Data Exfiltration

Stop insiders from walking out the door with your intellectual property and sensitive records.

 

Speak to us if you want to learn more about how Securonix can help you safely transition through the Great Reshuffle by minimizing the Insider Risk.