Keep Insider Threats Out: How to Harden IT Systems Against Bad Actors
If you’re like the majority of leaders in small to mid-sized manufacturing firms, it’s likely that you think of your employees as your business’s most valuable asset. Without their skills and expertise, you wouldn’t be able to keep your production lines running, your sales pipeline flowing, or the firm’s bookkeeping up to date. However, if they haven’t been properly trained or you don’t have adequate security protocols in place, your employees could also become the source of your company’s greatest cybersecurity vulnerability.
Whether perpetrated maliciously or due to unintentional negligence, insider threat incidents cost manufacturing firms hundreds of millions of dollars annually. According to the most recent Verizon Insider Threat Report, manufacturing’s insider threat incident rate placed it among the top five most frequently affected industries. And the average business loss caused by an insider incident in the manufacturing and industrial sector topped $10.2 million in 2019.
Indeed, as manufacturing processes become increasingly automated, and information systems become ever more critical to their operations, the potential for internal bad actors to cause catastrophic damage like a ransomware attack has never been greater. Although a disgruntled employee with a grudge against the company and access to administrative credentials can cause devastating financial losses and damage your brand reputation beyond repair, even a well-intentioned but careless worker (or third-party vendor or subcontractor) can do significant harm.
As is the case with many other facets of information security, preparing your business to face internal bad actors can greatly reduce your risks. The most effective insider threat prevention programs are multifaceted, emphasizing employee education alongside technological controls and careful monitoring of your systems. Only by thinking proactively—and seeking to know and understand what your users are doing, and why they are doing it—can you harden your systems to defend against this burgeoning threat.
Here are our top five tips for preventing internal bad actors from harming your manufacturing business:
#1: Understand and follow best practices for managing passwords.
We encourage our clients to adhere to the National Institute of Standards and Technology (NIST) guidelines on establishing secure passwords and managing user access to IT resources. NIST recommends that all passwords be as long as possible, since the more characters there are in a given password, the longer it takes an automated system to guess it. And because passwords that attackers obtain in a data breach are often stored in encrypted form, the longer the password is, the longer it will take those attackers to unscramble it back into usable form. For this reason, employing passphrases—longer combinations of multiple words that are memorable to their user but might not make sense to anyone else—is an excellent idea.
As an IT administrator, you can ensure that any identity management solutions in use in your organization are configured to allow passwords including all characters, capital letters, and spaces, and to accept passwords of the maximum possible length. You can also implement multi-factor authentication, in which users have to present two or more pieces of evidence confirming their identity before being permitted to log onto systems. NIST discourages the use of SMS-based authentication systems; use a one-time password generator application instead.
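As an added example that is not part of this article, the following Python check applies the NIST-style rules described above: acceptance is based on length, any printable character including spaces is allowed, no composition rules are imposed, and breached, trivially patterned, or context-specific passwords are rejected. The blocklist entries, business hours and helper names are constructed for illustration.

```python
import unicodedata
from typing import Tuple

# Constructed stand-in for a breached/common-password blocklist (a real list
# would hold millions of entries loaded from a file or a breach-check service).
BLOCKLIST = {"password", "password1", "123456789", "qwertyuiop", "letmein123"}

MIN_LENGTH = 8    # NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64   # accept at least 64 characters; longer is fine


def _normalize(password: str) -> str:
    # Measure and compare after Unicode NFKC normalization so the same
    # passphrase typed on different systems is treated identically.
    return unicodedata.normalize("NFKC", password)


def _is_repetitive_or_sequential(pw: str) -> bool:
    # Reject "aaaaaaaa" and "abcdefgh"-style strings without demanding
    # digits, symbols or capitals (composition rules are discouraged by NIST).
    codes = [ord(c) for c in pw]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps <= {0} or steps <= {1} or steps <= {-1}


def check_password(password: str, context_words=()) -> Tuple[bool, str]:
    """Return (accepted, reason). Spaces and all printable characters are allowed."""
    pw = _normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(pw) > MAX_LENGTH:
        return False, "longer than %d characters" % MAX_LENGTH
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        return False, "appears in breached/common password list"
    if _is_repetitive_or_sequential(pw):
        return False, "repetitive or sequential characters"
    # Username, company name, product names: anything an insider or outsider
    # would guess first for this particular organization.
    for word in context_words:
        if len(word) >= 4 and word.lower() in lowered:
            return False, "contains context-specific word '%s'" % word
    return True, "accepted"
```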
You can also implement Microsoft Local Administrator Password Solution (LAPS) to protect your user accounts with local administrative privileges. This free tool is available from Microsoft, and automatically resets the local administrative password to something new, unique and complex every day, storing the new value in Active Directory (AD). It’s easy to implement if you understand how AD permissions work, and ensures that only eligible and authorized individuals can see or reset administrative passwords.
Anything you can do to improve your employees’ ability to select secure passwords, change them frequently enough, and refrain from sharing them with others will do more than just protect your business from insider threats. It will also significantly reduce your vulnerability to external bad actors. After all, once cybercriminals gain access to any privileged user account in your environment, there’s little that can stop them from exfiltrating data, compromising systems, or opening a backdoor that will enable future attacks.
#2: Establish security guidelines that make sense for your business and discuss them openly and often.
It’s common for members of the sales team to work—and develop relationships—independently. Do they know which sales data belongs to them, and which belongs to the company? It’s vital to discuss this issue early on in their tenure with your firm, and to review it carefully in preparation for their departure.
Similarly, many employees mistakenly consider intellectual property such as product designs or process specifications to belong to the person who developed them. Make sure you outline employees’ legal and ethical obligations to the company at the time they’re hired, and maintain an open and honest dialogue with them throughout the time they work for you.
Be transparent about your efforts to protect the company from insider threats. Though the topic can be an uncomfortable one to discuss, the conversations allow you to share your policies about data use and ownership, and reinforce the message that adherence is important.
#3: Implement technologies that block and/or alert on prohibited or anomalous file movements.
Consider data loss prevention (DLP) software. This is a tool that allows your security team to control which types of files end users can copy, transfer, or delete from endpoint devices. DLP solutions can classify your files according to their level of sensitivity and enforce policies that restrict the movement of certain types of files. This means that you can ensure that the company’s financial data is not shared via Dropbox, for instance. It can also prohibit customer records from being sent by email, or alert an administrator if someone attempts to move trade secrets from a central repository.
In essence, DLP tools allow you to enforce the security guidelines that you’ve set for your business automatically and consistently, at all times and for all users.
#4: Collect and maintain log data on user activities and network traffic.
Whether they’re firewall traffic logs, intrusion detection and/or prevention system (IDS/IPS) logs, server and application logs, web proxy logs, or other types of network and user activity data, your company’s logs can provide an ongoing record of nearly everything that goes on in your IT environment. Should an insider do something malicious or damaging to the organization, log data can provide compelling evidence of what’s taken place—evidence that may allow you to identify the problem, and that will stand up in court.
To ensure that you’re collecting this valuable evidence, logging must be enabled for all tools and systems within your environment. In addition, it’s essential that users are logging into IT resources only using their own individual accounts and passwords. If the employees in your company routinely share their credentials with others or access IT resources via ‘general’ or ‘public’ accounts, you’ll lack the means to determine who did what in case of an insider-perpetrated attack.
#5: Keep a sharp eye out for warning signs.
Has one of your employees recently begun working odd hours, accessing critical IT systems after everyone else has gone home for the night? Or has someone been expressing anger, frustration, or disillusionment with the company or their supervisor? Is an employee experiencing health or financial problems? And have they begun using USB drives in an unusual or excessive manner at work? There are many potential indicators of an insider threat issue, but understanding what’s gone wrong often requires knowing your employees well, and creating an organizational culture based on openness and trust.
Simply put, monitoring can be a technical process—collecting logs and examining them for evidence of anomalous behavior—or it can take place informally within inter-employee relationships. The best protection comes from combining both tactics. When technology tools are used in conjunction with employee education and an openly discussed insider threat prevention program, you’ll have the best chances of defending against this all-too-prevalent security issue.
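To show how the log data from tip #4 can surface the warning signs listed in tip #5, here is an added Python example (not from this article) that scans constructed authentication and removable-media events for three of them: after-hours logins to critical systems, use of shared or generic accounts that defeat individual accountability, and excessive USB mounts by one user in a day. The log format, host list, account names, business hours and thresholds are all assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not from any real system); one event per line,
# timestamps assumed to be in the plant's local time zone.
SAMPLE_LOG = """\
2023-11-14T08:05:12 user=jdoe host=erp-db01 event=login_success
2023-11-14T23:41:03 user=jdoe host=erp-db01 event=login_success
2023-11-14T09:10:44 user=operator host=hmi-line3 event=login_success
2023-11-14T10:02:00 user=asmith host=ws-eng07 event=usb_mount
2023-11-14T10:15:31 user=asmith host=ws-eng07 event=usb_mount
2023-11-14T11:47:09 user=asmith host=ws-eng07 event=usb_mount
2023-11-14T14:30:00 user=bjones host=ws-sales02 event=usb_mount
"""

CRITICAL_HOSTS = {"erp-db01", "hmi-line3"}         # assumption: tagged by the admin
SHARED_ACCOUNTS = {"operator", "admin", "shared"}  # assumption: generic logins
BUSINESS_HOURS = range(7, 19)                      # 07:00-18:59 local
USB_MOUNTS_PER_DAY = 2                             # flag anything above this

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) event=(?P<event>\S+)$")


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def find_warning_signs(log_text):
    """Return (who, where, reason) triples worth a human follow-up."""
    findings = []
    usb_counts = Counter()
    for e in parse(log_text):
        if e["event"] == "login_success":
            if e["user"] in SHARED_ACCOUNTS:
                findings.append((e["user"], e["host"], "shared account: no individual accountability"))
            if e["host"] in CRITICAL_HOSTS and e["ts"].hour not in BUSINESS_HOURS:
                findings.append((e["user"], e["host"], "after-hours access to critical system"))
        elif e["event"] == "usb_mount":
            usb_counts[(e["user"], e["ts"].date())] += 1
    for (user, day), n in usb_counts.items():
        if n > USB_MOUNTS_PER_DAY:
            findings.append((user, str(day), "%d removable-media mounts in one day" % n))
    return findings
```

A finding is a prompt for a conversation, not a verdict; the value of the shared-account rule is that without individual logins the other two rules cannot name anyone at all.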
Mitigating the risk that internal bad actors can pose to your business is only one aspect of building resilient IT systems. To learn more about how to prevent and recover from major security events, check out our new eBook, “The Definitive Guide to Recovering from IT System Outages” today.