Summit 7 Exec Tells MSPs How To Guard Against Insider Threats
Businesses may leave access paths open and not check to see all the different ways an employee could get into customer data, according to Joy Beland, Summit 7 Systems’ vice president of partner strategy and cybersecurity education.
Insider Threats
MSPs are faced with a wide range of insider threats, either from their own employees, their customers’ employees or contractors—and not knowing how to move quickly to mitigate those threats can present a real danger.
That’s the word from Joy Beland, vice president of partner strategy and cybersecurity education at Summit 7 Systems, a Huntsville, Ala.-based Microsoft Gold partner that provides cybersecurity and compliance solutions to the U.S. Department of Defense.
Beland told MSP attendees of the XChange NexGen 2023 conference, hosted by CRN parent The Channel Company, that insider threats come from a person or a group that in some way has privileged access to information or facilities.
That access could either be intentional or unintentional, Beland said. And while unintentional privileged access must be addressed by security awareness training, it is usually intentional access that is done to abuse, misuse or threaten an organization’s confidentiality or availability of its resources, she said.
“Some of the most harmful areas of insider threat are subversion, which really is fraud, and sabotage and espionage,” she said.
Some people use the term “insider risk” instead of “insider threat,” Beland said.
“If you have a formal program at your organization for insider threat, those formal programs are more often called insider risk programs because the employees don’t like the perception that they themselves are a threat,” she said. “They don’t want you to talk about things that suggest they’re a threat. But that, in fact, is what it really represents.”
It is nearly impossible to be in business more than a couple of years without experiencing some level of insider threat just from employees doing something out of the normal that ends up causing some harm, Beland said.
‘Keys To The Kingdom’
It is important to look for signs an employee is using technology or media that is associated with malicious insider activity, including the things they have access to, Beland said. “MSPs have the keys to the kingdom,” she said. “And so some of the things that we provide to our technicians can have tremendous impact to our business and to our customers’ businesses before and after we terminate them, if we’re not careful. ... Before they even leave, they could disable some of the system logs so you can’t go back and trace what kind of damage they did and hold them accountable for it failing. What if they just turn off the backup because they fully intend to leave and then provide access to that site to somebody that is going to use ransomware?”
Taking Technology Precautions
Businesses also often do not implement the appropriate technology precautions, Beland said. They perhaps leave access paths open, and may not check to see all the different ways an employee could get into customer data. “And as technicians, they know all of those ways,” she said. “So you have to be very careful that you’re checking for those.”
It’s also important to remember that insider threats do not always come from employees, Beland said. “It’s about 1099 contractors as well,” she said. “If you have people that work remotely for you, make sure that in their contract you have a lot of language to cover acceptable use, as well as the ability to technologically cut everything completely off at a minute’s notice.”
There are several things an MSP can do to help mitigate the impact of insider threats, Beland said.
When onboarding an employee, it is important to discuss training and other measures that help them understand that the security of an MSP’s and its customers’ data is taken very seriously, Beland said. “You have to be very consistent in how you dole out consequences for bad behavior,” she said. “You have to be very consistent on the types of violations and what will happen if you violate our company policy.”
Beland made several important points that Rich Crawford, vCIO and cloud solutions specialist at Virginia Beach, Va.-based MSP TCI, said are definitely worth adding to an MSP’s operations.
Many of the things Beland talked about are being done internally at TCI already, Crawford told CRN.
“We’re still a small group,” he said. “We’re like family. And you never know when someone’s going to leave the family in a bad spot.”
Crawford said he has seen such issues impact TCI’s customers.
“We know what to do,” he said. “They call us and say, ‘We’re letting this person go right now because something happened. We need to just shut everything down.’ Of course, we’ll do that. A lot of times, we tell clients, ‘When you’re going to let someone go, give us as much of a heads-up as possible. We have a procedure that we go through, but it takes time. So if you tell me as it’s happening, then we’ll do our best effort, but we may not be able to turn everything off.’ But I think it’s a smart idea.”