Two weeks ago, FTSE 100 software company Sage – which provides accounting and payroll software to some 3 million small and medium-sized businesses in 23 countries – reported that a number of its UK customers’ personal details had been accessed without authority “using an internal login”.
The abuse of internal logins is just one example of the insider threat – a real and growing problem that has the potential to affect every single company. Last year, IBM found that 55% of cyber attacks were carried out by insiders alone. This is no surprise, really, when you consider Ponemon Institute’s 2016 Study on the Insecurity of Privileged Users, which showed that:
- 21% of respondents said they unnecessarily have privileged access.
- 74% said that those with privileged user access think they are empowered to access all the information they can within their rights.
- 66% believed that curiosity is one of the triggers for such dangerous behaviour, together with the company’s lack of privileged access management.
- 58% claimed companies assign access rights that exceed what’s required by job roles and their inherent responsibility.
The greater the access, the higher the risk
The Ponemon report shows how individuals with the most access to high-value information assets can be a serious insider risk; not only do they have the power to do real damage, they are also a target for social engineering scams.
Unfortunately, few corporate security strategies focus on the insider threat. Companies overwhelmingly continue to direct security funding to traditional network defences, which cannot prevent the damage caused by insiders.
Controlling who has access to what
Controlling user access within an organisation is an important part of mitigating the insider threat, which is why it is a key requirement of ISO 27001, the international standard for information security management.
The relevant controls in Annex A of ISO 27001 state that organisations should:
- Establish, document and review an access control policy based on business and information security requirements (A.9.1.1); and provide users only with access to the network and network services that they have been authorised to use (A.9.1.2).
- Implement a formal user registration and de-registration process to enable access rights to be assigned (A.9.2.1); restrict and control the allocation and use of privileged access rights (A.9.2.3); control the allocation of secret authentication information through a formal management process (A.9.2.4); regularly review users’ access rights (A.9.2.5); and remove access rights upon termination of employment, or adjust them when a user’s role changes (A.9.2.6).
- Make users accountable for safeguarding their authentication information by requiring them to follow the organisation’s authentication practices (A.9.3, user responsibilities).
- Ensure that access to all systems is restricted according to the access control policy (A.9.4.1); that access is protected with secure log-on procedures (A.9.4.2); that password management systems are interactive and ensure quality passwords (A.9.4.3); that the use of programs that can override system and application controls is restricted and tightly controlled (A.9.4.4); and that access to program source code is restricted (A.9.4.5).
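Controls A.9.2.3, A.9.2.5 and A.9.2.6 only bite if the review is actually carried out, and the most reliable way to do that is to reconcile what the directory says against what HR says. The script below is an added example written for this post, not part of ISO 27001 or of any product mentioned here. It assumes a hypothetical IAM export (user, group memberships, last login), an HR roster with job role and leaver status, a per-role baseline of permitted groups, and a register of approved privileged grants; all of the sample data in it is constructed. It flags the four things a reviewer would act on: accounts with no live HR record (leavers and unknown accounts), privileged group membership without a recorded approval, group membership outside the role baseline, and accounts nobody has used recently.

```python
"""Periodic user access review (ISO 27001 A.9.2.3, A.9.2.5, A.9.2.6).

Reconciles a hypothetical IAM account export against an HR roster and a
register of approved privileged grants, and returns the discrepancies a
reviewer needs to action. All data in this file is constructed sample input.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # set when status == "terminated"


@dataclass(frozen=True)
class Account:
    user: str
    groups: frozenset                # directory group memberships
    last_login: Optional[date]       # None means the account has never logged in


# Groups whose membership must always have an explicit, recorded approval (A.9.2.3).
PRIVILEGED_GROUPS = frozenset({"domain-admins", "db-admins", "payroll-admins"})

# Least-privilege baseline: the groups each job role is entitled to (A.9.1.1).
ROLE_BASELINE = {
    "accountant": frozenset({"finance-users", "payroll-users"}),
    "sysadmin": frozenset({"it-users", "domain-admins"}),
    "dba": frozenset({"it-users", "db-admins"}),
}


def review_access(hr, accounts, approved_privileged, today, stale_days=90):
    """Return a sorted list of (finding, user, detail) tuples for the reviewer."""
    findings = []
    hr_by_user = {r.user: r for r in hr}
    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        # A.9.2.6: an enabled account with no active HR owner is an orphan.
        if rec is None:
            findings.append(("orphaned_account", acct.user, "no HR record"))
            continue
        if rec.status == "terminated":
            days = (today - rec.end_date).days
            findings.append(("orphaned_account", acct.user, f"left {days} days ago, still enabled"))
            continue
        baseline = ROLE_BASELINE.get(rec.role, frozenset())
        for group in sorted(acct.groups):
            # A.9.2.3: privileged membership needs a recorded approval, whatever the role.
            if group in PRIVILEGED_GROUPS and (acct.user, group) not in approved_privileged:
                findings.append(("unapproved_privileged", acct.user, group))
            # A.9.2.5: anything beyond the role baseline is a candidate for removal.
            elif group not in baseline:
                findings.append(("excess_group", acct.user, group))
        # Unused accounts are a standing social-engineering and credential-theft target.
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings.append(("stale_account", acct.user, f"last login {acct.last_login}"))
    return sorted(findings)


# Constructed sample input for a review run on 24 August 2016.
SAMPLE_HR = [
    HrRecord("alice", "accountant", "active"),
    HrRecord("bob", "sysadmin", "active"),
    HrRecord("carol", "dba", "terminated", date(2016, 7, 31)),
    HrRecord("erin", "accountant", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"finance-users", "payroll-users", "payroll-admins"}), date(2016, 8, 20)),
    Account("bob", frozenset({"it-users", "domain-admins", "finance-users"}), date(2016, 8, 22)),
    Account("carol", frozenset({"it-users", "db-admins"}), date(2016, 7, 29)),
    Account("svc-backup", frozenset({"domain-admins"}), None),
    Account("dave", frozenset({"it-users"}), date(2016, 4, 1)),
    Account("erin", frozenset({"finance-users"}), date(2016, 5, 1)),
]
SAMPLE_APPROVED = {("bob", "domain-admins")}


def run_sample_review():
    return review_access(SAMPLE_HR, SAMPLE_ACCOUNTS, SAMPLE_APPROVED, date(2016, 8, 24))


if __name__ == "__main__":
    for finding, user, detail in run_sample_review():
        print(f"{finding:22} {user:12} {detail}")
```

Run on a schedule, the output of a reconciliation like this becomes the evidence for A.9.2.5 that an auditor will ask for, and the "orphaned_account" findings measure how long the leaver process in A.9.2.6 is actually taking. The one design choice worth noting is that privileged groups are checked against the approval register before the role baseline: a sysadmin is expected to hold domain admin rights, but the control still requires that grant to be individually recorded.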
Creating your access control policy and supporting your information security system
Controlling who has access to what in your organisation should be part of your wider information security programme.
When creating an ISMS (information security management system), it’s important to document your user access and password policies (as well as other policies and procedures) in order to support it.
Aligned with international information security best practice, the ISO 27001 ISMS Documentation Toolkit contains all the necessary documents to implement an ISO 27001-compliant ISMS, as well as project tools to guide you through the project.
Additional resources to prevent insider threats
To help you understand the threat that insiders can pose and to prevent insiders from threatening your organisation’s security, take a look at these resources:
- Insider Threat – A Guide to Understanding, Detecting, and Defending Against the Enemy from Within – This guide shows how a security culture based on international best practice can help mitigate the insider threat to your security.
- Information Security Staff Awareness E-Learning Course – This course recognises that information security awareness starts at home, and aims to help employees understand the organisation’s information and compliance risks, reducing the organisation’s exposure to security failures.