How user access reviews manage insider threats

The threat isn’t always coming from outside an organization. In any organization, big or small, employees are given access to critical information, files, data, and more. It may seem like employees, or internal users, would be the obvious people to trust with these kinds of assets. The organization hired them, HR probably conducted a background check, and for many, accessing certain assets is a requirement of the job. But, when it comes to cybersecurity, the motto remains: trust no one. 

What is an insider threat?

An insider threat is the risk that sensitive, critical assets are compromised, stolen, or mismanaged by internal users. It can be caused by insiders with malicious intent or by accident. According to the Verizon 2021 Data Breach Investigations Report, 17% of data breaches in 2021 were caused by miscellaneous human error. According to the Ponemon Institute 2020 Cost of Insider Threats: Global Study, there were 4,716 insider attacks recorded across the globe, and the cost of an insider incident almost doubled between 2019 and 2020, from $493,093 to $871,686.

Insider accounts have been abused in several ways: when employees take advantage of their internal access privileges to access restricted information, when attackers compromise accounts to perform malicious acts, or when human error occurs. No matter the reason, the insider threat needs to be managed, as the possible damage can be as costly as an external attack. While there are many techniques, technologies, and best practices that can mitigate rapidly growing insider threats, user access review is a strong place for many organizations to start.

What is a user access review?

A user access review is a periodic inventory of access rights to certain networks and systems, and of the users who hold access permissions to those networks and systems. It looks at who’s accessing what, what level of access they have, and whether they have valid reasons for those access rights. If an organization has a super curious employee who found a way into the payroll systems and is randomly looking up other employees’ salaries, the organization needs to know about it so it can put a stop to it. Even if there’s no snooping, an organization needs to know, and act, when an employee who doesn’t work in accounting accidentally got access to those payroll systems. User access reviews would bring both scenarios to an organization’s attention. This brings us back to mitigating insider threats.

How user access reviews can prevent insider threats

Insider attacks often occur because an internal user is able to gain access to a critical asset that they should not have access to. Take the random employee who is able to view others’ salaries. There’s no need for that access, and it can cause issues down the road. User access review can prevent that specific scenario, as well as others, like:

  • Privilege Abuse. Sometimes employees are given too much access, and they can take advantage of that, whether maliciously or unintentionally. The secretary in the accounting department of a hospital doesn’t need access to private patient records, just as an ER doctor probably doesn’t need access to hospital branding files. Only give employees access to what they minimally need to achieve a job function.
  • Access Creep. If access rights aren’t regularly checked, an employee can accumulate access to assets they no longer need. If that secretary in accounting moves to a different department, they no longer need access to the assets of their former department. If an employee needed access to a critical asset for a one-month project, they shouldn’t still have access a year later. But if access isn’t regularly checked, the sheer amount of access any one employee has can creep higher and higher, increasing the insider threat risk alongside it.
  • Termination Gap. If an employee leaves on bad terms, they may want to use the information or access they have to harm an organization. With a robust user access review system, an organization can ensure that access rights are removed at the time of termination, preventing the so-called “gap” from ever occurring.

In addition, user access reviews also serve as a fail-safe, ensuring that the following controls (which need to be implemented for robust critical access governance) are properly implemented and managed:

  • Role-based access control. Role-based control limits access based on the scope of a job role and function. If someone doesn’t need access to a critical asset to do their job, then they shouldn’t have access, period. Leveraging HR systems to ensure that users only have access to what they need is crucial for protecting against insider threats, especially considering how high the human error percentage is. If any employee opened an asset they didn’t even realize they had access to and messed something up, the consequences are costly. 
  • Automatic provisioning and de-provisioning of access. Whether an internal user moves roles, moves functions, or just leaves an organization, leveraging automatic commissioning and decommissioning of access rights prevents human error, prevents access creep, and removes the burden of having to check employee access manually. Often, software can connect with HR systems and assign or unassign access based on any number of criteria.
  • Temporary, or time-based access. Similar to only allowing access based on a job role or function, temporary access only grants access for a limited period of time. Whether it’s a set time like “this user can access this asset for ten minutes,” or schedule dependent, such as, “This asset can only be accessed between 2 p.m. and 5 p.m.”, these kinds of limiting controls can prevent internal users from accessing what they shouldn’t. These boundaries also allow an organization to spot irregularities with ease during regular access reviews.
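
The scenarios and controls listed above can be checked mechanically during a review. The following is an added example, not code from the original article or from any product it mentions: it compares an entitlement export against an HR roster and a role baseline, and flags the termination gap, access outside the user's role (access creep or excess privilege), and expired temporary grants. All users, roles, systems and dates are constructed sample data, and the finding labels and the extra check for accounts with no HR record are assumptions of this example.

```python
from datetime import date

# Constructed sample data: roles, users and systems are hypothetical.
ROLE_BASELINE = {            # role -> systems the role needs (RBAC policy)
    "accounting": {"payroll", "ledger"},
    "er_doctor": {"patient_records"},
    "marketing": {"branding_files"},
}
HR_ROSTER = {                # user -> (current role, employment status)
    "alice": ("accounting", "active"),
    "bob": ("marketing", "active"),        # transferred out of accounting
    "carol": ("er_doctor", "terminated"),
    "dave": ("er_doctor", "active"),
}
ENTITLEMENTS = [             # (user, system, expiry date or None if standing)
    ("alice", "payroll", None),
    ("bob", "branding_files", None),
    ("bob", "payroll", None),              # left over from the old role
    ("carol", "patient_records", None),    # never de-provisioned
    ("dave", "patient_records", None),
    ("dave", "ledger", date(2024, 1, 31)), # one-month project grant
    ("erin", "ledger", None),              # account with no HR record
]

def review_access(roster, baseline, entitlements, today):
    """Return sorted (user, system, finding) tuples for a reviewer to act on."""
    findings = []
    for user, system, expires in entitlements:
        if user not in roster:
            finding = "NO_HR_RECORD"
        elif roster[user][1] != "active":
            finding = "TERMINATION_GAP"
        elif expires is not None:
            if expires >= today:
                continue                   # time-boxed grant still valid
            finding = "EXPIRED_TEMPORARY"
        elif system not in baseline.get(roster[user][0], set()):
            finding = "OUTSIDE_ROLE"       # access creep or excess privilege
        else:
            continue                       # standing access matches the role
        findings.append((user, system, finding))
    return sorted(findings)

if __name__ == "__main__":
    for row in review_access(HR_ROSTER, ROLE_BASELINE, ENTITLEMENTS, date(2024, 6, 1)):
        print(*row, sep="\t")
```

A review cannot tell access creep from deliberate over-provisioning on its own, so both surface as the same finding and are left to the reviewer to resolve with the asset owner.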

The best way to stop an insider attack is to prevent one from happening in the first place. By employing aspects of Zero Trust and the principle of least privilege, and pairing those with a thorough user access review system like SecureLink Access Intelligence, insider threats can be thwarted before they even occur.