Insider Threat: Post-Mortem versus Meaningful Prevention

We’ve already talked about how insider threats make up around 20% of all security breaches – and that’s a pretty frightening concept. But it’s not just about keeping your data safe.

An insider threat is personal. An employee you once trusted with the keys to your IT kingdom turns against you. It’s not just a breach of your security – it’s a breach of your trust.

It’s no surprise, then, that much of the news coverage around insider threats is about punishment. Organisations want to see culprits pay for their actions with jail terms, huge fines, and name-and-shame articles. There’s a climate of dealing with insider threats after the fact – when, in truth, it’s too late.

Yes, malicious insiders are routinely being caught. But what difference does that really make when the damage has already been done?

The real impact of an insider threat

In December 2013, a former Citibank employee responded to a poor performance review by deleting the configuration files on 10 of the firm’s routers. While Citibank had backup routers in place, the sheer volume of traffic being re-routed resulted in congestion that was close to a complete outage.

The impact was huge – using his privileged access, the insider left 110 Citibank branches without voice and data communications. While he was ultimately caught, fined $77,200, and sentenced to a 21-month jail term, there’s no way to undo the outage and its impact on revenue, service, and reputation.

More recently, paper manufacturer Georgia-Pacific was the victim of a large-scale attack after it fired its systems administrator – but didn’t shut down his privileged access. Across two weeks, the attacker accessed a factory’s infrastructure, installed his own software, and adjusted industrial control systems to sabotage production.

His punishment was considerable: a 34-month jail term and more than a million dollars in damages to repay. But, even after spending the next three years in prison, how many disgraced system administrators can repay that sum of money? How likely is Georgia-Pacific to see the damage truly undone – and what about the reputational damage that comes from missed deliveries and disrupted production?

The impact of an insider threat is considerable. And, even with the best investigations, the harshest jail terms, and the biggest fines, there’s no undoing that damage.

How fast can you respond to an insider threat?

The reality is that, while punishment is appealing, we’d all prefer to avoid disruption and damage in the first place. But that takes a level of visibility, accountability, and control that’s just not possible if you’re managing and sharing your privileged passwords manually.

Thycotic Secret Server dramatically increases your visibility by bringing all your privileged accounts together in a single centralised vault. With AES 256-bit encryption and a granular audit trail, you can see every time a password is used and link that to an individual user.

When an employee is fired, you can confidently change access details in the vault without the risk of making it harder for legitimate users to do their jobs. When it’s time for a password to be rotated, let Secret Server bring it to your attention.

So you can move the way you handle the risk of an insider threat from punishment to robust prevention and protection.
