Our session then moved on to the recent news that a woman in Florida, who had just been fired, deleted vast numbers of files and caused enormous internal damage to her company. In the few hours between being fired and being escorted out of the building, other employees watched her repeatedly hit the delete key on anything she could find. It ended up costing the company more than $100,000 to remediate the damage and recover as many of the documents as possible.
Often, we speak about third-party threats and the importance of tying them into an organization’s risk methodology and approach, but how do we deal with insiders? Well, the insider threat is, unfortunately, something that will never go away. Users need access to things in order to do their jobs and for the business to function, so there is always the risk that someone will do something to compromise business activities, even by accident. Instead of dropping a coffee, someone might accidentally drop every table in the SQL database, and the impact is potentially much, much higher.
Companies can utilize ‘user monitoring’ functions that come with things like Endpoint Detection and Response (EDR) products. This is all about understanding what users actually do on a day-to-day basis and putting in blocks when activity is out of step with the expected norm. This is obviously great, but it requires fairly significant investment: firstly in the EDR product itself, and then in tailoring it to accurately reflect what is actually in use on your network. Once that is done, you have a baseline control that enforces least privilege across the whole network, so that not everyone has access to everything that everybody uses. Gates are in place that limit the potential damage, so even if somebody does do something by accident, they cannot cause business-wide impact.
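As an added example (not code from the original article or any EDR vendor), here is a minimal version of the ‘out of step with the norm’ check described above: each user's hourly file-deletion count is compared against that same user's own history, so a mass-delete burst like the Florida case stands out while a user who routinely deletes a lot does not alert. The log format, sample counts and thresholds are constructed assumptions.

```python
"""Per-user deletion-rate baseline: flag hours whose delete count is far
above the user's own historical mean (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records: "<hour bucket> <user> <deletions in that hour>".
# alice is a light deleter who suddenly deletes 240 files in one hour;
# bob deletes a dozen files every hour as part of his normal job.
SAMPLE_LOG = """\
2024-05-06T09 alice 3
2024-05-06T10 alice 5
2024-05-06T11 alice 2
2024-05-07T09 alice 4
2024-05-07T10 alice 6
2024-05-07T11 alice 3
2024-05-08T14 alice 240
2024-05-06T09 bob 12
2024-05-06T10 bob 15
2024-05-07T09 bob 11
2024-05-07T10 bob 14
2024-05-08T14 bob 13
"""

def parse_log(text):
    """Return {user: [(hour, count), ...]} preserving log order."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            hour, user, count = line.split()
            per_user[user].append((hour, int(count)))
    return per_user

def flag_bursts(per_user, min_history=3, z_threshold=3.0, min_count=20):
    """Compare each hour against the baseline built from that user's earlier
    hours. Alert only when the count is both a large z-score above the user's
    mean and above an absolute floor, so a quiet user with near-zero variance
    does not alert on a handful of deletions."""
    alerts = []
    for user, rows in per_user.items():
        history = []
        for hour, count in rows:
            if len(history) >= min_history:
                mu, sigma = mean(history), pstdev(history)
                sigma = max(sigma, 1.0)  # floor so a flat baseline still works
                z = (count - mu) / sigma
                if z >= z_threshold and count >= min_count:
                    alerts.append((user, hour, count, round(z, 1)))
            history.append(count)
    return alerts

if __name__ == "__main__":
    for user, hour, count, z in flag_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user} {hour}: {count} deletions (z={z})")
```

In a real deployment the history would come from the EDR or file-server audit log and the thresholds would be tuned per role, but the shape of the check is the same: the baseline is the user's own behaviour, not a global constant.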