Restrict user privileges to reduce the insider threat

Of the many cyber threats facing organisations, the one that should not be overlooked is the “insider threat”.

Defined as “an act of accidental or intentional harm from within the organisation” the insider threat can be missed, simply because of the natural inclination to trust one’s workforce. Training staff to spot the indicators will be helpful but staff must feel confident to report their concerns. Considered controls and policies, combined with proper training, will go a long way to prevent incidents as a result of insider action.

“User privileges” categorise the level of access staff have to resources within the business network. It follows that the more access, or privileges, a member of staff has, the more their actions can compromise.

The account with the most privileges will be the “Admin Account”, usually including all system access and control of what is allowed on the network.

Compromise this account and the impact will be catastrophic to the whole business. This makes the “Admin Account” a prime target for cyber criminals.


Any cyber attack must first establish a foothold in systems and resources. Already on the business network, an insider has the access rights required to be successful in their endeavours.

Motivated by job dissatisfaction, disgruntled from being “let go”, subject to an offer from a rival business, political activism or even part of organised crime, the insider abuses their privileges to steal and share information with third parties or for independent advantage.

Removable media can be used to discreetly remove data from the premises, or to transfer malware onto the network, including spyware which steals information and sends it directly to the adversary.

Although malicious attacks do occur, cyber incidents are predominantly caused accidentally. Online tasks (emails, web browsing, etc.) pose a major threat to business because every user will be susceptible to the wiles of the social engineer.

Ever more convincing, phishing emails target all business areas to gain high-level access and escalate the threat. Careless use of personal devices and weak security embedded in the Internet of Things (IoT) open other doorways for malware infection.

Let’s not forget, portable devices (including removable media, tablets, phones and laptops) can hold vast amounts of data but are easily lost or stolen.

So, what can be done?

Simply by restricting user privileges into a hierarchy and keeping highly privileged access to a minimum, an incident can be contained:

Identify roles that do not use removable devices and block all external ports (e.g. USB), especially for admin users. For those who do require removable media, configure ports to accept only devices issued to the user under strict business protocols, and document this in policy.
Install remote tracking, wiping and locking software for all equipment taken off premises. Issue portable equipment sparingly and ensure it has encryption capabilities. Every device must be locked with a password/passcode.
Offer a guest network for personal devices and IoT to eliminate cross-contamination with business equipment and contain any threat to the network. Alternatively, restrict use of personal devices to certain times of the day or to specific parts of the premises.
Prevent unauthorised acquisition of administration rights by never exposing the admin account online; instead, provide a secondary user account for everyday tasks.
Prohibit online activities that serve no purpose to business objectives (personal emails, shopping, social media, etc.) across the workforce. Outline expected user behaviour in policies and enforce it with technical measures.
Never assume staff leave on good terms. Revoke all privileges upon termination of employment, blocking access to online accounts (particularly email) and changing passwords. Without such action, unused accounts remain accessible to resentful insiders. Develop off-boarding procedures to maintain due diligence.
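One way to check three of the controls above (removable media blocked, admin group membership kept minimal, stale accounts caught by off-boarding) on a Windows endpoint. This is an added example, not code from the original article; it assumes a Windows host with the built-in LocalAccounts module and an elevated prompt, and the 90-day staleness threshold is an assumption, not a figure from the article.

```powershell
# Added example (not from the original article): read-only audit of three
# insider-threat controls on a Windows endpoint. Assumptions: Windows 10/11 or
# Server with the Microsoft.PowerShell.LocalAccounts module, run elevated.
# It changes nothing; it reports findings for the operator to act on per policy.

$findings = @()

# 1. Removable media: a USBSTOR driver Start value of 4 means "disabled",
#    so USB mass-storage devices will not be loaded.
$usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                            -Name Start -ErrorAction SilentlyContinue
if ($null -eq $usbstor -or $usbstor.Start -ne 4) {
    $findings += 'USB mass storage is not blocked (USBSTOR Start is not 4)'
}

# 2. Separate admin and everyday accounts: list every member of the local
#    Administrators group so the operator can confirm none is used for
#    day-to-day work such as email or browsing.
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
$findings += "Local Administrators: $($admins -join ', ')"
if ($admins.Count -gt 2) {
    $findings += 'More than two local admin accounts; review against least privilege'
}

# 3. Off-boarding: enabled local accounts with no logon for 90 days are
#    candidates for disabling under the leaver procedure (threshold assumed).
$staleCutoff = (Get-Date).AddDays(-90)
Get-LocalUser |
    Where-Object { $_.Enabled -and $_.LastLogon -and $_.LastLogon -lt $staleCutoff } |
    ForEach-Object {
        $findings += "Enabled but stale account: $($_.Name) (last logon $($_.LastLogon))"
    }

$findings | ForEach-Object { Write-Output $_ }
```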

Lessen the Impact

Even with thorough training and security protocols, your best efforts may still be subverted, but having appropriate controls in place will thwart unintentional mistakes and deliberate misuse.

Lessen the impact by giving every employee “least privilege”, so that extracting data becomes difficult for anyone in the workforce. Increase privileges only on a case-by-case basis.

Make sure training and controls work in harmony for a truly effective cyber security solution against the insider threat.