When Corporate Insiders Become Hackers, Protect Your Data First


By Matt Lock, Technical Director

Organisations are boosting defenses to keep attackers at bay. However, what if your biggest threat is not a shadowy hacking collective, but rather the employees you work with every day?

Almost any insider can become an entry-level hacker. An insider who is comfortable with technology and intends to do harm will find the hacking tools and how-tos they need online. Newly minted script kiddies can dump cached login credentials from a work computer's memory with Mimikatz (which needs local administrator rights, a privilege many organisations still hand out freely) or crack password hashes with John the Ripper.

IT-fluent insiders can use PowerShell to gain access to privileged user accounts. Because PowerShell is a signed, built-in Windows administration tool rather than malware, its activity looks like ordinary administration, and firewalls and signature-based EDR products can miss it. If a company is not watching the network for unusual activity and access, insiders will be able to escalate and grab the information they want.

Insiders are catching on to the fact that their actions on the network may be monitored. To avoid raising alarms, they move carefully, leveraging an existing service account or spinning up temporary accounts to reach protected data or mailboxes. After they steal data, they cover their tracks by deleting the throwaway accounts, marking emails as unread, and resetting the access controls or account settings they changed back to their original state.
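The cover-your-tracks pattern above is detectable precisely because it leaves a paired trail: an account is created and deleted within a short window, and a permission change is undone by the same person soon after. The following is an added example, not code from the original article or from any product it describes. It runs two such correlations over a handful of constructed records modelled on Windows Security event fields (4720 account created, 4624 logon, 4663 object accessed, 4670 permissions changed, 4726 account deleted); the hostnames, account names, security descriptors and the 24-hour windows are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event fields.
# Hostnames, account names and security descriptors are invented for this
# example; a real deployment would feed in exported or forwarded events.
EVENTS = [
    {"time": "2019-05-14T09:02:11", "id": 4720, "subject": "CORP\\jsmith", "target": "svc-backup2"},
    {"time": "2019-05-14T09:03:00", "id": 4670, "subject": "CORP\\jsmith", "target": "\\\\FS01\\HR",
     "old_sd": "D:(A;;FA;;;BA)", "new_sd": "D:(A;;FA;;;BA)(A;;FR;;;S-1-5-21-1-1-1-1101)"},
    {"time": "2019-05-14T09:05:40", "id": 4624, "subject": "CORP\\svc-backup2", "target": "FS01"},
    {"time": "2019-05-14T09:06:02", "id": 4663, "subject": "CORP\\svc-backup2", "target": "\\\\FS01\\HR\\Salaries.xlsx"},
    {"time": "2019-05-14T09:30:00", "id": 4670, "subject": "CORP\\jsmith", "target": "\\\\FS01\\HR",
     "old_sd": "D:(A;;FA;;;BA)(A;;FR;;;S-1-5-21-1-1-1-1101)", "new_sd": "D:(A;;FA;;;BA)"},
    {"time": "2019-05-14T09:31:55", "id": 4726, "subject": "CORP\\jsmith", "target": "svc-backup2"},
    # A normal onboarding: account created and used, never deleted, so not flagged.
    {"time": "2019-05-13T08:00:00", "id": 4720, "subject": "CORP\\helpdesk", "target": "newhire01"},
    {"time": "2019-05-13T08:10:00", "id": 4624, "subject": "CORP\\newhire01", "target": "WS042"},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def _account(subject):
    # "CORP\\jsmith" -> "jsmith"
    return subject.split("\\")[-1]


def find_short_lived_accounts(events, max_lifetime=timedelta(hours=24)):
    """Flag accounts created and deleted within max_lifetime, with what they touched in between."""
    created = {}   # account -> (creation time, creator)
    activity = {}  # account -> [(event id, target), ...]
    findings = []
    for e in sorted(events, key=_t):
        if e["id"] == 4720:
            created[e["target"]] = (_t(e), e["subject"])
            activity[e["target"]] = []
        elif e["id"] in (4624, 4663):
            acct = _account(e["subject"])
            if acct in activity:
                activity[acct].append((e["id"], e["target"]))
        elif e["id"] == 4726 and e["target"] in created:
            t0, creator = created.pop(e["target"])
            lifetime = _t(e) - t0
            if lifetime <= max_lifetime:
                findings.append({
                    "account": e["target"],
                    "created_by": creator,
                    "deleted_by": e["subject"],
                    "lifetime_minutes": round(lifetime.total_seconds() / 60, 1),
                    "files_touched": [t for i, t in activity[e["target"]] if i == 4663],
                })
    return findings


def find_acl_reverts(events, max_window=timedelta(hours=24)):
    """Flag a permission change that the same actor undoes within max_window."""
    history = {}  # object -> [(time, subject, old_sd, new_sd), ...]
    findings = []
    for e in sorted(events, key=_t):
        if e["id"] != 4670:
            continue
        for t0, subj, old_sd, new_sd in history.get(e["target"], []):
            # The later change restores exactly what the earlier one replaced.
            if (subj == e["subject"] and e["old_sd"] == new_sd
                    and e["new_sd"] == old_sd and _t(e) - t0 <= max_window):
                findings.append({
                    "object": e["target"],
                    "actor": subj,
                    "window_minutes": round((_t(e) - t0).total_seconds() / 60, 1),
                    "temporary_grant": e["old_sd"],
                })
        history.setdefault(e["target"], []).append((_t(e), e["subject"], e["old_sd"], e["new_sd"]))
    return findings


if __name__ == "__main__":
    for finding in find_short_lived_accounts(EVENTS) + find_acl_reverts(EVENTS):
        print(finding)
```

Both correlations key on the pairing rather than on any single event, which is what makes them resistant to the clean-up the article describes: deleting the throwaway account is itself the second half of the signature, and restoring the original ACL produces the matching 4670.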

To make matters worse, many companies give insiders far more access than they need to do their jobs. External attackers must gain a foothold on a network to escalate an attack, but insiders often have all the access required to steal critical business information.

For our 2019 Data Risk Report, we analyzed 785 Data Risk Assessments and over 54 billion files. We found that 53% of companies had over 1,000 sensitive files open to every employee, including personal data on employees and customers that falls under the GDPR and could result in substantial fines should a breach occur.

Other findings were equally sobering:

  • Every employee, on average, can access 17 million files.
  • Over one in five (22%) of all folders were accessible, on average, to every employee.
  • 38% of users had passwords that never expire (up from 10% in our 2018 report).
  • Six in 10 companies had over 1,000 enabled but stale "ghost" users: accounts belonging to former employees that can still access the network.

When data is left wide open, companies lose. Organisations that leave global access groups untouched, keep stale user accounts enabled, never delete or archive old data, and do not monitor who has access to what information are vulnerable to attack. It only takes one rogue insider to produce devastating consequences.
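The report's findings above translate directly into checks an organisation can run against its own directory and file shares. The following is an added example, not code from the original article or from any product it describes. It applies three of those checks (enabled accounts with no recent logon, enabled accounts whose password never expires, and folders granted to groups that amount to "every employee") to constructed sample data standing in for an Active Directory user export and a share permission report; the user names, paths, the 90-day staleness threshold and the set of global groups are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample data standing in for an AD user export and a file-share
# permission report.  Names, dates and paths are invented for this example.
TODAY = date(2019, 5, 15)

USERS = [
    {"sam": "alice",      "enabled": True,  "last_logon": date(2019, 5, 10), "pwd_never_expires": False},
    {"sam": "bob",        "enabled": True,  "last_logon": date(2018, 11, 2), "pwd_never_expires": True},
    {"sam": "svc-backup", "enabled": True,  "last_logon": date(2019, 5, 1),  "pwd_never_expires": True},
    {"sam": "carol",      "enabled": False, "last_logon": date(2018, 1, 1),  "pwd_never_expires": False},
    {"sam": "dave",       "enabled": True,  "last_logon": None,              "pwd_never_expires": False},
]

# Groups whose membership is effectively "every employee" (assumed set).
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

FOLDERS = [
    {"path": "\\\\FS01\\HR\\Salaries",       "sensitive": True,
     "acl": [("Domain Admins", "FullControl"), ("HR-Team", "Modify")]},
    {"path": "\\\\FS01\\Public",             "sensitive": False,
     "acl": [("Everyone", "Read")]},
    {"path": "\\\\FS01\\Finance\\Contracts", "sensitive": True,
     "acl": [("Domain Users", "Read"), ("Finance", "Modify")]},
    {"path": "\\\\FS01\\Legal",              "sensitive": True,
     "acl": [("Authenticated Users", "Modify")]},
]


def ghost_users(users, today=TODAY, stale_days=90):
    """Enabled accounts that have not logged on within stale_days (or ever)."""
    cutoff = today - timedelta(days=stale_days)
    out = []
    for u in users:
        if not u["enabled"]:
            continue  # disabled accounts are already contained
        if u["last_logon"] is None:
            out.append((u["sam"], "never logged on"))
        elif u["last_logon"] < cutoff:
            out.append((u["sam"], f"last logon {u['last_logon'].isoformat()}"))
    return sorted(out)


def never_expiring_passwords(users):
    """Enabled accounts exempt from password rotation."""
    return sorted(u["sam"] for u in users if u["enabled"] and u["pwd_never_expires"])


def globally_open_folders(folders):
    """Folders where a global group holds any right, with the offending grants."""
    out = []
    for f in folders:
        grants = [f"{principal}:{right}" for principal, right in f["acl"] if principal in GLOBAL_GROUPS]
        if grants:
            out.append({"path": f["path"], "sensitive": f["sensitive"], "grants": grants})
    return out


def summary(users, folders, today=TODAY):
    """Headline figures in the same shape as the report's findings."""
    open_folders = globally_open_folders(folders)
    return {
        "ghost_users": len(ghost_users(users, today)),
        "pct_never_expiring": round(100 * len(never_expiring_passwords(users)) / len(users)),
        "pct_folders_open": round(100 * len(open_folders) / len(folders)),
        "sensitive_open": [f["path"] for f in open_folders if f["sensitive"]],
    }


if __name__ == "__main__":
    print(ghost_users(USERS))
    print(never_expiring_passwords(USERS))
    print(globally_open_folders(FOLDERS))
    print(summary(USERS, FOLDERS))
```

On a real domain the same three checks are fed from `Get-ADUser -Filter * -Properties Enabled,LastLogonDate,PasswordNeverExpires` and from `Get-Acl` on each share root; the point of separating "open to a global group" from "sensitive" is that the first list is the clean-up backlog, while the intersection is what needs fixing this week.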

Data-centric security technology is helping to tip the scales in the defender's favor by monitoring employee activity, recording which information they touch, and alerting on behaviour that fits the pattern of insider threats. With the right access controls and monitoring in place, you will be better equipped to stop insiders in their tracks.
