With great power comes great responsibility. But what happens when that power falls into the hands of an untrained or disgruntled employee?
That’s the world we live in today. An IT intern with enough access could easily get a CIO or CISO fired. A jaded super admin could legitimately bring down an entire company. An employee without training could share a document costing an organization millions.
This isn’t hyperbole either. Incidents like these happen all the time.
Insider threats, as they’re often called, are attacks, breaches, or exposures that come from within. And unfortunately, preventing these threats has proven difficult. The vast majority of organizations (74%) feel vulnerable to insider threats, while 56% of security professionals say insider threats have become more frequent in the last 12 months, according to a 2016 Insider Threat Report.
The statistics show how exposed organizations truly are. Employees account for 43% of data breaches, according to Intel, and half of these incidents are accidents. What’s more, one in four IT security staff abuse admin rights.
Should you find yourself facing a disgruntled admin or a mistake-prone employee, you’ll want to operate from a position of strength instead of vulnerability.
One of the best ways to mitigate insider threats is to learn from real examples. From there, you can take actions to prevent similar insider threats you may experience.
Threat #1: Employee Accidentally Shares File Outside the Organization
Today’s technology makes collaboration and sharing easy. At the same time, it makes security and management difficult. Data bounces from cloud to cloud and within minutes can go from under IT’s control to existing on several servers around the world.
In early 2017, Boeing disclosed a breach involving personal information for 36,000 employees. The cause? An employee forwarded a document to his spouse. That’s it.
The Consequences: Boeing took a huge reputation hit. The company purchased fraud protection for all 36,000 employees whose data was leaked. This likely cost the company millions.
Using BetterCloud, you can locate publicly shared files and immediately revert their sharing settings to improve security.
Find and disable public file sharing on exposed Slack files.
Admins can use BetterCloud Alerts to trigger a series of automated actions, which we call Workflows. When these two features work in tandem, they create powerful, hands-off automated security policies that monitor your SaaS environment even while you sleep.
Create a BetterCloud Workflow that automatically enforces a “no public file sharing” Slack security policy.
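The sweep-and-revert policy described above, written out as an added example (this is not BetterCloud’s code, and the FileRecord layout, the visibility names and the sample inventory are constructed approximations of what a SaaS file-listing API returns). It finds files exposed through a public link or an explicit grant to an outside address, and turns each finding into an idempotent sharing change, falling back to owner-only for files already classified as sensitive:

```python
"""Sweep a file inventory for public links and external grants, then build the
sharing changes that restrict them. Added example (not BetterCloud's code);
the FileRecord layout and visibility names are constructed approximations of
what a SaaS file-listing API returns."""
from dataclasses import dataclass, field

# Visibility states, least to most exposed (assumed names).
PRIVATE, DOMAIN, PUBLIC_LINK = "private", "domain", "public_link"


@dataclass
class FileRecord:
    file_id: str
    owner: str
    visibility: str                                  # PRIVATE, DOMAIN or PUBLIC_LINK
    shared_with: list = field(default_factory=list)  # explicit per-user grants
    sensitive: bool = False                          # set upstream by classification/DLP


# Policy: what is never allowed, and what to revert to when it is found.
POLICY = {
    "allow_public_links": False,
    "allow_external_grants": False,
    "revert_to": DOMAIN,             # ordinary files fall back to domain-only
    "sensitive_revert_to": PRIVATE,  # classified files fall back to owner-only
}


def is_external(user, domain):
    """True when the grantee's mailbox is outside the company domain."""
    return user.rsplit("@", 1)[-1].lower() != domain.lower()


def find_exposed(files, domain):
    """Yield (file, reasons) for every file that violates POLICY."""
    for f in files:
        reasons = []
        if f.visibility == PUBLIC_LINK and not POLICY["allow_public_links"]:
            reasons.append("public link")
        outsiders = [u for u in f.shared_with if is_external(u, domain)]
        if outsiders and not POLICY["allow_external_grants"]:
            reasons.append("shared with " + ", ".join(outsiders))
        if reasons:
            yield f, reasons


def remediation_plan(files, domain):
    """Turn findings into idempotent sharing changes plus an owner notice."""
    plan = []
    for f, reasons in find_exposed(files, domain):
        target = POLICY["sensitive_revert_to"] if f.sensitive else POLICY["revert_to"]
        plan.append({
            "file_id": f.file_id,
            "set_visibility": target,
            "remove_grants": [u for u in f.shared_with if is_external(u, domain)],
            "notify": f.owner,
            "reasons": reasons,
        })
    return plan


# Constructed sample inventory; none of these are real files or people.
SAMPLE = [
    FileRecord("f1", "alice@example.com", PUBLIC_LINK),
    FileRecord("f2", "bob@example.com", DOMAIN, ["carol@example.com"]),
    FileRecord("f3", "carol@example.com", PRIVATE, ["spouse@mail.example"], sensitive=True),
    FileRecord("f4", "dan@example.com", PUBLIC_LINK, ["partner@vendor.example"], sensitive=True),
]

if __name__ == "__main__":
    for change in remediation_plan(SAMPLE, "example.com"):
        print(change)
```

The plan is safe to apply repeatedly: setting a visibility the file already has or removing a grant that is already gone changes nothing, so the same sweep can run on a schedule without side effects.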
Threat #2: Admin Breaches Employee Privacy by Accessing a File Without Authorization
In 2016, a SaskPower employee accessed the personal information of more than 4,000 past and present employees. SaskPower rightfully reported the incident as a privacy breach to the Saskatchewan Information and Privacy Commissioner.
Even though employee data wasn’t shared outside the organization (according to the employee), it was still accessed inappropriately, and thus, required disclosure to authorities. This raises the question: Why did the employee have the ability to access these files in the first place?
The Consequences: Despite never sharing the data online, SaskPower disclosed the privacy breach to local authorities and employees. The privacy breach led to negative headlines for weeks. The company underwent an extensive investigation, amended its code of conduct, and implemented new policies and training.
With BetterCloud, IT teams can create hyper-specific roles that limit the permissions employees have to view and edit data of every type. This greatly reduces the likelihood of an insider attack. In the case below, an admin is granted privileges to manage just Dropbox. What’s more, if necessary, you wouldn’t even need to give this person an administrative role in the native Dropbox admin console. Instead, he can work as an admin exclusively through BetterCloud, where you can view his actions in the context of a centralized audit log.
Create a role specific to the admin’s job, giving them access to what they need and nothing more.
Still, even with admin roles in place, you’ll likely want to keep an eye on what these admins are actually doing. If you suspect any suspicious behavior, you can export audit logs to view all actions taken within the platform.
Report on all admin activity with easy-to-export audit logs.
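The two controls above, a narrowly scoped role in front of every action and a centralized audit log behind it, as an added example (not BetterCloud’s code; the role names, applications, actions and log format are assumptions). Denied attempts are logged as well as allowed ones, and a bulk-access check over the log catches the SaskPower pattern, an admin who is permitted to view a record but reads thousands of them:

```python
"""Scoped admin roles in front of every action, with a centralized audit log
and a bulk-access check over it. Added example (not BetterCloud's code); role
names, applications, actions and the log format are assumptions."""
from datetime import datetime, timezone

# Role -> set of (application, action) it may perform; "*" is a wildcard.
ROLES = {
    "dropbox_admin": {("dropbox", "list_users"), ("dropbox", "change_sharing"),
                      ("dropbox", "reset_password")},
    "hr_viewer": {("hris", "view_record")},
    "super_admin": {("*", "*")},
}
ASSIGNMENTS = {"pat": {"dropbox_admin"}, "sam": {"hr_viewer"}}

AUDIT_LOG = []  # every attempt, allowed or not, lands here


def permitted(actor, app, action):
    for role in ASSIGNMENTS.get(actor, ()):
        for a, act in ROLES.get(role, ()):
            if a in ("*", app) and act in ("*", action):
                return True
    return False


def perform(actor, app, action, target, do):
    """Authorize, record, then execute. Denied attempts are logged too: an
    admin probing for data they cannot reach is itself a signal."""
    allowed = permitted(actor, app, action)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "app": app, "action": action, "target": target,
        "outcome": "allowed" if allowed else "denied",
    })
    if not allowed:
        raise PermissionError(f"{actor} may not {action} on {app}")
    return do()


def export_audit(actor=None, outcome=None):
    """The 'export audit logs' step: filter the central log for an inquiry."""
    return [e for e in AUDIT_LOG
            if (actor is None or e["actor"] == actor)
            and (outcome is None or e["outcome"] == outcome)]


def bulk_access(action, threshold):
    """Actors who performed `action` on more than `threshold` distinct targets.
    Authorized but unusually broad reads are what a role check alone never
    catches."""
    targets = {}
    for e in AUDIT_LOG:
        if e["action"] == action and e["outcome"] == "allowed":
            targets.setdefault(e["actor"], set()).add(e["target"])
    return {a: len(t) for a, t in targets.items() if len(t) > threshold}


if __name__ == "__main__":
    print(perform("pat", "dropbox", "list_users", "team", lambda: ["a", "b"]))
    try:
        perform("pat", "hris", "view_record", "emp-1", lambda: "record")
    except PermissionError as err:
        print("denied:", err)
    print(export_audit(outcome="denied"))
```

The threshold in bulk_access is the tuning knob: an HR viewer reading a dozen records a day is normal, one reading the whole employee table is the event that needs a ticket behind it.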
Threat #3: Terminated Admin Sabotages Entire IT Infrastructure via VPN
A disgruntled former IT admin for Georgia-Pacific, a paper manufacturer that employs roughly 350,000 people, wreaked havoc in 2014 by using a VPN to access company servers. The admin installed his own software and proceeded to cause an estimated $1.1 million in damage.
He’s currently serving 34 months in jail.
For a company as large as Georgia-Pacific, you could make the argument that the damage was relatively minor. It could have been much worse.
The Consequences: Georgia-Pacific got caught up in a multi-year criminal investigation while suffering an estimated $1.1 million in damage. The incident occurred in early 2014. A court decision was announced in February 2017, a full three years after the employee wreaked havoc.
With BetterCloud, you can configure orchestrated offboarding processes that automate even highly complex sequences of tasks. In seconds, an employee’s access can be completely revoked.
Create an orchestrated offboarding workflow specific to admins.
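What an orchestrated admin offboarding looks like in code, as an added example that is not BetterCloud’s workflow engine; the VPN, identity provider, SaaS admin lists and file store are constructed in-memory stand-ins for real APIs. The points it makes are the ones that matter for the Georgia-Pacific case: identity and VPN access are cut first, every step runs even if an earlier one fails, success is judged by verifying the end state rather than by whether the call returned, and the whole run is safe to repeat until nothing critical is left open:

```python
"""Orchestrated offboarding: ordered revocation steps, run to completion even
when one fails, each verified against the system's actual state. Added
example (not BetterCloud's code); the systems below are constructed fakes."""
from dataclasses import dataclass
from typing import Callable

# Constructed fake systems standing in for the identity provider, the VPN,
# SaaS admin consoles and a file store; each is plain state the steps mutate.
IDP = {"jdoe": {"enabled": True, "sessions": 3}}
VPN = {"jdoe": {"active": True, "sessions": 2}}
SAAS_ADMINS = {"dropbox": {"jdoe", "ops"}, "slack": {"jdoe"}}
FILES = {"jdoe": ["q1-report", "vendor-list"], "manager": []}
OUTAGE = set()  # apps whose API is failing right now (simulates a partial failure)


def disable_idp(u):
    IDP[u]["enabled"] = False
    IDP[u]["sessions"] = 0  # kill live SSO sessions, not just future logins


def idp_closed(u):
    acct = IDP.get(u, {})
    return not acct.get("enabled") and acct.get("sessions", 0) == 0


def revoke_vpn(u):
    VPN[u]["active"] = False
    VPN[u]["sessions"] = 0


def vpn_closed(u):
    acct = VPN.get(u, {})
    return not acct.get("active") and acct.get("sessions", 0) == 0


def remove_admin_roles(u):
    for app, admins in SAAS_ADMINS.items():
        if app in OUTAGE:
            raise ConnectionError(f"{app} API unavailable")
        admins.discard(u)


def no_admin_roles(u):
    return all(u not in admins for admins in SAAS_ADMINS.values())


def transfer_files(u, to="manager"):
    FILES[to].extend(FILES.pop(u, []))


def files_transferred(u):
    return u not in FILES


@dataclass
class Step:
    name: str
    run: Callable[[str], None]
    verify: Callable[[str], bool]
    critical: bool = True  # an unverified critical step keeps the user "open"


# Order matters: cut authentication paths before housekeeping.
ADMIN_OFFBOARDING = [
    Step("disable_idp_and_sessions", disable_idp, idp_closed),
    Step("revoke_vpn", revoke_vpn, vpn_closed),
    Step("remove_saas_admin_roles", remove_admin_roles, no_admin_roles),
    Step("transfer_files", transfer_files, files_transferred, critical=False),
]


def offboard(user, steps=ADMIN_OFFBOARDING):
    """Run every step without stopping early, then report what is still open."""
    results = {}
    for s in steps:
        try:
            s.run(user)
            error = None
        except Exception as e:  # one failing system must not block the rest
            error = f"{type(e).__name__}: {e}"
        results[s.name] = {"verified": s.verify(user), "error": error,
                           "critical": s.critical}
    open_critical = [n for n, r in results.items() if r["critical"] and not r["verified"]]
    return {"user": user, "complete": not open_critical,
            "open": open_critical, "steps": results}


if __name__ == "__main__":
    OUTAGE.add("slack")
    print(offboard("jdoe"))   # not complete: slack admin role still present
    OUTAGE.clear()
    print(offboard("jdoe"))   # re-run is idempotent and now completes
```

Because each step is verified against the target system rather than trusted on return, a report of complete=True means the access is actually gone, and a report with anything in "open" is the thing to page on.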
Threat #4: Volatile Admin Creates Extra Admin Account to Sabotage Company Prior to Being Fired
Lucchese Bootmaker, a small El Paso bootmaker, got hit with administrator sabotage, but this time, it was planned in advance. In 2016, an ex-admin used excessive privileges to create a new admin account with full access to vital systems. From there, he emailed himself important usernames and passwords, which he subsequently used to cut off access for other IT admins once he’d been fired.
He was sentenced to 18 months in jail and ordered to repay more than $57,000 in restitution.
The Consequences: A family-owned company resorts to calling in the FBI. The company loses potentially hundreds of thousands of dollars in revenue and spends excessive time and money on a suddenly vital and long-term distraction.
With BetterCloud, you can configure Alerts to ensure admins aren’t added to applications without your knowledge. Alternatively, you can configure Alerts in case a rogue admin decides to start removing admins. Today, this alert is available for Dropbox, G Suite, Salesforce, Slack, and Zendesk.
Create Alerts to notify your team whenever new admins are added.
In fact, you can immediately revoke admin rights should an admin be added without your consent. This can happen via an insider threat, malicious hack, or simply by accidentally granting a user too much access.
Create an automated security policy that revokes admin rights for new and unwanted admins.
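The alert-and-revoke policy above, as an added example that is not BetterCloud’s code. The JSON event lines are constructed to resemble a SaaS audit-log feed, and APPROVED and CHANGE_TICKETS stand in for whatever change-management record you keep. Beyond the single-event checks (an admin added with no ticket is queued for revocation; an approved admin removed is escalated), it also correlates events per actor, because the Lucchese sequence is a grant followed by revocations from the same person within minutes:

```python
"""Detect admin-role changes no one approved, queue revocations for the
unapproved grants, and escalate actors who grant and revoke admins in quick
succession. Added example (not BetterCloud's code); events are constructed."""
import json
from datetime import datetime, timedelta

# Approved admins per application: the source of truth you maintain.
APPROVED = {
    "dropbox": {"it-lead@example.com", "ops@example.com"},
    "slack": {"it-lead@example.com"},
}
# Change tickets that pre-authorize one specific change (constructed).
CHANGE_TICKETS = {("slack", "grant", "newhire@example.com"): "CHG-1042"}

# Constructed audit-log feed, one JSON event per line.
EVENTS = """\
{"ts":"2017-03-01T09:00:00Z","app":"dropbox","action":"admin_role_granted","actor":"it-lead@example.com","target":"contractor@example.com"}
{"ts":"2017-03-01T09:01:00Z","app":"slack","action":"admin_role_granted","actor":"it-lead@example.com","target":"newhire@example.com"}
{"ts":"2017-03-01T22:10:00Z","app":"dropbox","action":"admin_role_granted","actor":"ops@example.com","target":"ops-backup@example.com"}
{"ts":"2017-03-01T22:11:00Z","app":"dropbox","action":"admin_role_revoked","actor":"ops@example.com","target":"it-lead@example.com"}
{"ts":"2017-03-01T22:12:00Z","app":"dropbox","action":"admin_role_revoked","actor":"ops@example.com","target":"ops@example.com"}
"""


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def evaluate(ev):
    """Return a finding dict, or None when the change is expected."""
    app, target, actor = ev["app"], ev["target"], ev["actor"]
    approved = APPROVED.get(app, set())
    if ev["action"] == "admin_role_granted":
        if target in approved or (app, "grant", target) in CHANGE_TICKETS:
            return None
        return {"ts": ev["ts"], "severity": "high",
                "reason": f"{actor} made {target} an admin of {app} with no ticket",
                "remediation": ("revoke_admin", app, target)}
    if ev["action"] == "admin_role_revoked" and target in approved:
        # Removing an approved admin is never auto-reverted silently: restore
        # through a break-glass account and wake a human.
        return {"ts": ev["ts"], "severity": "critical",
                "reason": f"{actor} removed approved admin {target} from {app}",
                "remediation": ("restore_admin_and_page_oncall", app, target)}
    return None


def suspicious_actors(events, window=timedelta(minutes=15)):
    """Actors who both granted and revoked admin roles within `window`."""
    by_actor = {}
    for ev in events:
        by_actor.setdefault(ev["actor"], []).append(ev)
    flagged = set()
    for actor, evs in by_actor.items():
        grants = [_ts(e["ts"]) for e in evs if e["action"] == "admin_role_granted"]
        revokes = [_ts(e["ts"]) for e in evs if e["action"] == "admin_role_revoked"]
        if any(abs(g - r) <= window for g in grants for r in revokes):
            flagged.add(actor)
    return flagged


def process(feed):
    events = [json.loads(line) for line in feed.splitlines() if line.strip()]
    findings = [f for f in (evaluate(e) for e in events) if f]
    revoke = [f["remediation"][1:] for f in findings
              if f["remediation"][0] == "revoke_admin"]
    return {"findings": findings, "revoke": revoke,
            "escalate": sorted(suspicious_actors(events))}


if __name__ == "__main__":
    out = process(EVENTS)
    for f in out["findings"]:
        print(f["severity"], f["reason"])
    print("revoke:", out["revoke"])
    print("escalate:", out["escalate"])
```

Auto-revocation is reserved for unapproved grants, where reverting restores the known-good state; removal of an approved admin is escalated instead, since blindly re-adding could be exactly what an attacker holding that account wants.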
Threat #5: Admin Makes G Suite Configuration Error Exposing Private Meeting Details for Fortune 100 Company
Recently, we highlighted how a small Google Groups misconfiguration exposed personally identifiable information (PII) of employees at hundreds of companies.
A similar incident in 2007 publicly exposed McKinsey & Co.’s Google Calendar information. Employees accidentally shared calendar information publicly, revealing the names, emails, call-in information, and additional details for recurring internal meetings. Companies like Deloitte and JPMorgan Chase & Co. saw the same kind of information exposed publicly.
At companies like these, employees shouldn’t have even had the option to publicly share their Google Calendar.
The Consequences: Several billion-dollar companies were publicly lambasted by analysts and columnists. Additionally, private meeting details and personal information were leaked to the public. Unfortunately, mistakes like these fall on the shoulders of IT and security teams.
There are far too many admin settings to verify by hand that every one is always properly configured. Larger organizations with multiple admins are particularly vulnerable to an uncaught admin error.
Create an alert for specific, yet important settings, such as risky “Anyone can view” or “Anyone can join” Google Group settings.
Our recent blog post on this topic is a must-read if you’d like to learn more about how to audit and secure your Google Groups.
Configure an automated policy to automatically revert misconfigured settings.
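Both the alert on risky Google Groups settings and the automatic revert, as an added example (not BetterCloud’s code). The field names and enum values are the Google Groups Settings API’s own (whoCanViewGroup, whoCanJoin, whoCanPostMessage); the baseline values to revert to, the sample groups and the EXTERNAL_INTAKE exception list are this example’s assumptions. The sweep produces one patch body per group shaped like the JSON the API’s per-group patch call takes, and the same check runs on a single settings-change event so an alert fires at the moment of misconfiguration rather than at the next sweep:

```python
"""Audit Google Groups settings against a baseline and build the patch that
reverts risky values. Added example (not BetterCloud's code). Field names and
enum values are the Groups Settings API's; the revert-to values, the sample
groups and the exception list are assumptions."""

# Values that expose a group to the whole internet, and what to revert each
# one to. The replacement values are this example's baseline, not a default.
RISKY = {
    "whoCanViewGroup":   {"ANYONE_CAN_VIEW": "ALL_IN_DOMAIN_CAN_VIEW"},
    "whoCanJoin":        {"ANYONE_CAN_JOIN": "ALL_IN_DOMAIN_CAN_JOIN"},
    "whoCanPostMessage": {"ANYONE_CAN_POST": "ALL_IN_DOMAIN_CAN_POST"},
}
# Groups that legitimately accept mail from outside (support intake, etc.)
# keep ANYONE_CAN_POST; nothing exempts them from the view/join rules.
EXTERNAL_INTAKE = {"support@example.com"}
EXEMPT_FOR_INTAKE = {"whoCanPostMessage"}


def audit_group(email, settings):
    """Findings for one group: (field, current value, value to revert to)."""
    findings = []
    for field_name, risky_values in RISKY.items():
        value = settings.get(field_name)
        if value not in risky_values:
            continue
        if email in EXTERNAL_INTAKE and field_name in EXEMPT_FOR_INTAKE:
            continue
        findings.append({"group": email, "field": field_name,
                         "value": value, "revert_to": risky_values[value]})
    return findings


def audit(groups):
    """Full sweep over {group_email: settings_dict}."""
    return [f for email, s in groups.items() for f in audit_group(email, s)]


def patch_bodies(findings):
    """One body per group, shaped like the JSON the Groups Settings API's
    per-group patch call takes (the HTTP call itself is not made here)."""
    bodies = {}
    for f in findings:
        bodies.setdefault(f["group"], {})[f["field"]] = f["revert_to"]
    return bodies


def on_setting_changed(event):
    """Alert path: evaluate a single settings-change event as it arrives."""
    findings = audit_group(event["group"], {event["field"]: event["new_value"]})
    if not findings:
        return None
    return {"alert": f'{event["actor"]} set {event["field"]}={event["new_value"]} '
                     f'on {event["group"]}',
            "revert": patch_bodies(findings)[event["group"]]}


# Constructed sample groups (not real settings exports).
GROUPS = {
    "all-staff@example.com": {"whoCanViewGroup": "ANYONE_CAN_VIEW",
                              "whoCanJoin": "ANYONE_CAN_JOIN",
                              "whoCanPostMessage": "ALL_MEMBERS_CAN_POST"},
    "support@example.com":   {"whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
                              "whoCanJoin": "INVITED_CAN_JOIN",
                              "whoCanPostMessage": "ANYONE_CAN_POST"},
    "eng@example.com":       {"whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
                              "whoCanJoin": "CAN_REQUEST_TO_JOIN",
                              "whoCanPostMessage": "ANYONE_CAN_POST"},
}

if __name__ == "__main__":
    for group, body in patch_bodies(audit(GROUPS)).items():
        print(group, "->", body)
```

The exception list is the part to keep small and reviewed: every entry in it is a group the sweep will deliberately ignore, so it deserves the same change-ticket discipline as the settings themselves.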
Insider threats are far from trivial. The BetterCloud platform is built with this in mind to help you detect and remediate threats immediately. Interested in learning more? Check out our product page for more details.