As the enterprise attack surface continues to expand, businesses will need to use multiple defenses to combat digital threats. Career cybercriminals continually change up their methods of seizing control of your data for profit. Staying a step ahead of them is both challenging and critical. 

But these anonymous offenders aren’t the only source of risk. Company insiders may also open you up to a breach, intentionally or by mistake. In fact, about a third of all enterprise cybersecurity incidents in 2021 will stem from insider threats, according to Forrester. That figure represents an 8% increase from 2020 in insider risk. 

What’s Behind This Growth in Insider Threats?

One reason for the growing insider threat is the rapid proliferation of distributed workforces, driven by more than a year of lockdowns. Increasing numbers of employees are now integrating work and personal digital tasks on devices connected to home networks, for example, which may be less secure than the corporate network. 

In mid-2020, 70% of full-time US professionals polled by Owl Labs and Global Workplace Analytics said they worked from home. By 2025, according to a report by Upwork, 36.2 million Americans will likely work remotely, an 87% increase from pre-pandemic levels.

The Internal Threat Landscape

Employees, wherever they’re working, can pose a variety of risks that corporate data protection strategies must address and mitigate:

  • Employees working from home might be on a shared Wi-Fi network with weak security. An attacker exploiting that weakness could piggyback on the connection to gain unauthorized access to your digital resources, opening the door to data theft or a costly ransomware attack. 
  • Rogue administrators with access to sensitive information might steal data to sell for profit on the dark web.
  • Disgruntled employees could use their credentials to sabotage or delete files for revenge. Malicious actors are increasingly approaching employees, offering large sums of money in exchange for credentials or data. 
  • Software administrators might accidentally misconfigure a program, miss an update, or overlook a patch. They could unknowingly create a vulnerability in your company’s defenses.
  • An employee could mistakenly delete critical files.
  • A phishing scam could trick an employee into revealing passwords or other sensitive information. In the scam, someone could pose as a legitimate source via email or a phone call. Any information shared could then be used for nefarious purposes, such as hacking into accounts, stealing other sensitive information, committing identity fraud, or mounting a ransomware attack.

7 Ways to Defend Against Insider Threats 

Preventive measures go a long way toward keeping cyber intrusions and data theft at bay. From a process standpoint, automating software patches and updates helps mitigate human error. 

Continual, updated education about company policy and best practices for security is also essential. It keeps employees in the know about what behaviors are acceptable to the company and prepares them to shut down social engineering (phishing) attempts at extracting information.

Adopting a zero-trust approach to security is another best practice to consider. Zero trust treats every access request as untrusted regardless of where it originates: users, devices, and processes must be authenticated and authorized for each application they touch, and they are granted only the access they need. That limits the damage a bad actor, or a compromised insider account, can do. 

In addition, behavior analytics programs can be used to raise alerts on unusual employee activity. By creating a baseline of each user's typical behavior, such programs make it easier to spot an anomaly and a potential compromise. For example, geolocation establishes an employee's login pattern, likely a regular office and home location. If a login for that employee suddenly originates from halfway around the globe, minutes after a login from home (so-called impossible travel), that's a flag that can be programmed to terminate the session or force re-authentication.
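The impossible-travel check described above, as an added example that is not part of the original article and not code from any Pure Storage product: a small Python detector that learns each user's usual login locations from past events and then flags a new login that is far from every known location or that implies travelling faster than an aircraft since the user's previous login. The login records, coordinates, IP addresses (documentation ranges), the 100 km baseline radius and the 900 km/h speed threshold are all constructed assumptions for illustration.

```python
"""Impossible-travel and unfamiliar-location detector for login events.

Added example (not Pure Storage code). Learns each user's usual login
locations from past events, then flags new logins that are far from every
learned location or that imply travel faster than an aircraft since the
user's previous login. All data, thresholds and coordinates are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
BASELINE_RADIUS_KM = 100.0        # assumption: within this of a learned spot = familiar
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: faster than an airliner = impossible


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    src_ip: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(phi1) * cos(phi2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _familiar(lat: float, lon: float, known: list[tuple[float, float]]) -> bool:
    return any(haversine_km(lat, lon, k[0], k[1]) <= BASELINE_RADIUS_KM for k in known)


def build_baseline(history: list[Login]) -> dict[str, list[tuple[float, float]]]:
    """One cluster centre per distinct place a user has logged in from."""
    baseline: dict[str, list[tuple[float, float]]] = {}
    for ev in sorted(history, key=lambda e: e.when):
        known = baseline.setdefault(ev.user, [])
        if not _familiar(ev.lat, ev.lon, known):
            known.append((ev.lat, ev.lon))
    return baseline


def detect(events: list[Login], baseline: dict[str, list[tuple[float, float]]]) -> list[dict]:
    """Return one alert per anomalous login, processed in time order."""
    alerts: list[dict] = []
    last_seen: dict[str, Login] = {}
    for ev in sorted(events, key=lambda e: e.when):
        reasons = []
        known = baseline.get(ev.user, [])
        if known and not _familiar(ev.lat, ev.lon, known):
            reasons.append("unfamiliar_location")
        prev = last_seen.get(ev.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # clamp to one minute so two near-simultaneous logins cannot divide by zero
            hours = max((ev.when - prev.when).total_seconds() / 3600, 1 / 60)
            if dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
                reasons.append("impossible_travel")
        last_seen[ev.user] = ev
        if reasons:
            alerts.append({
                "user": ev.user, "when": ev.when.isoformat(), "src_ip": ev.src_ip,
                "reasons": reasons,
                # impossible travel is strong enough evidence to cut the session;
                # a merely unfamiliar location is routed for analyst review
                "action": "block" if "impossible_travel" in reasons else "review",
            })
    return alerts


# Constructed sample data: documentation/test-net IP ranges, approximate coordinates.
UTC = timezone.utc
MOUNTAIN_VIEW = (37.3861, -122.0839)   # alice's office
SAN_JOSE = (37.3382, -121.8863)        # alice's home, roughly 18 km away
MOSCOW = (55.7558, 37.6173)            # never seen for alice
NEW_YORK = (40.7128, -74.0060)         # bob's office

HISTORY = [
    Login("alice", datetime(2021, 5, 3, 16, 0, tzinfo=UTC), *MOUNTAIN_VIEW, "203.0.113.10"),
    Login("alice", datetime(2021, 5, 4, 7, 30, tzinfo=UTC), *SAN_JOSE, "198.51.100.23"),
    Login("alice", datetime(2021, 5, 5, 16, 5, tzinfo=UTC), *MOUNTAIN_VIEW, "203.0.113.10"),
    Login("bob", datetime(2021, 5, 3, 13, 0, tzinfo=UTC), *NEW_YORK, "203.0.113.77"),
]
NEW_EVENTS = [
    Login("alice", datetime(2021, 5, 10, 9, 0, tzinfo=UTC), *SAN_JOSE, "198.51.100.23"),
    Login("alice", datetime(2021, 5, 10, 9, 40, tzinfo=UTC), *MOSCOW, "192.0.2.200"),
    Login("bob", datetime(2021, 5, 10, 13, 5, tzinfo=UTC), *NEW_YORK, "203.0.113.77"),
]

ALERTS = detect(NEW_EVENTS, build_baseline(HISTORY))

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert)
```

In a real deployment the baseline would be learned from the identity provider's sign-in logs and the "block" action would call that provider's session-revocation API. The thresholds here are deliberately simple; VPN egress points and mobile-carrier geolocation are common sources of false positives and would need to be allow-listed or weighted before the block action is automated.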

Threat prevention monitoring and other next-generation firewall capabilities have become standard defenses as well. They continually analyze traffic flows for known malicious signatures and anomalous patterns that could indicate the presence of malware, or the flooding of hosts with traffic to cause a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack. 

However, all of these defenses must start with education. A well-formed security awareness training program can help teach employees to identify and avoid many of these threats.  

If a Breach Occurs (and It Will)

Despite these best efforts, security experts agree that every company’s number eventually comes up, and a breach will occur. But what matters is how well prepared an organization is to minimize the damage and recover. 

The key is to have the necessary data loss prevention measures and technology in place to render the intrusion a non-event instead of a disaster. An important component of a data protection strategy is backing up data files in a format that can’t be changed after they’re written. In other words, they’re “immutable.” Having a copy of immutable data files provides a safety net in case files are accidentally deleted or intentionally compromised.

For example, internal errors or misconfigurations can open your organization up to a ransomware attack. Immutable backups are what turn a successful attack from a disaster into a recoverable incident. 

In a ransomware attack, an attacker encrypts your files, deletes the originals, and demands payment for the key needed to decrypt them. Until the data is restored, it is inaccessible to your employees and customers. Ransomware halts business in its tracks unless, of course, you have immutable backups that the attacker can't change or delete, and that remain accessible to your organization. 

Immutability Alone Isn't Enough: Immutable Snapshots from Pure Storage

At Pure Storage®, we offer immutable backup capabilities using SafeMode™ snapshots. SafeMode is a feature built into and included with FlashArray™ and FlashBlade® at no extra charge. Just contact our Support team to activate it. We set up secure methods to turn on this feature and authorize a limited number of users from your company to manage or change your SafeMode setup.

SafeMode takes immutability to the next level by applying an out-of-band, multifactor-authentication layer to immutable snapshots. Ransomware can't modify, encrypt, or delete these read-only snapshots once they're written, and even an administrator can't change them without completing the out-of-band authentication process. Malicious outsiders, malware, and even a rogue insider or admin can't delete the snapshots. 

During a ransomware attack, attempts to delete SafeMode snapshots will fail because they're locked down. Take the volumes the attacker has encrypted offline, then recover your data from the unchangeable, locked snapshots.  
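To make the design property in the two passages above concrete (a ransomware attack that encrypts the live volume, and snapshots that neither ransomware nor an administrator can delete without an out-of-band step), here is an added Python model. It is not Pure Storage's SafeMode code and uses no Pure API. The store enforces a retention lock and demands an HMAC approval token derived from a secret held by a separate approver before it will eradicate a snapshot; the scenario shows three deletion attempts made with administrator access failing, the live volume being scrambled by a constructed stand-in for ransomware, and an exact restore from the snapshot. The snapshot name, file contents, the 14-day retention and the two-byte XOR "encryption" are all constructed assumptions.

```python
"""Model of a retention-locked snapshot store with out-of-band eradication.

Added example (not Pure Storage's SafeMode implementation). Demonstrates the
property the article relies on: the store itself refuses to delete a
snapshot, whatever credentials the caller holds, until the retention period
has expired AND a token from an out-of-band approver is presented.
All names, secrets, file contents and timestamps are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class PermissionDenied(Exception):
    """Raised when eradication is attempted without satisfying the lock policy."""


def volume_checksum(files: dict[str, bytes]) -> str:
    """SHA-256 over sorted (path, content) pairs; proves a restore is exact."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + files[path] + b"\0")
    return h.hexdigest()


def oob_approve(approver_secret: bytes, snapshot_name: str) -> str:
    """Issued by the out-of-band approver after verifying the requester; an HMAC
    that no storage-array login can forge because it never holds the secret."""
    return hmac.new(approver_secret, f"eradicate:{snapshot_name}".encode(), "sha256").hexdigest()


@dataclass(frozen=True)
class Snapshot:
    name: str
    locked_until: datetime
    files: dict[str, bytes]   # private copy taken at snapshot time
    checksum: str


class SnapshotStore:
    def __init__(self, retention: timedelta, oob_secret: bytes):
        self._retention = retention
        self._oob_secret = oob_secret   # verification copy; array admins have no API to read it
        self._snaps: dict[str, Snapshot] = {}

    def take(self, name: str, volume: dict[str, bytes], now: datetime) -> None:
        frozen = dict(volume)   # bytes values are immutable, so a shallow copy suffices
        self._snaps[name] = Snapshot(name, now + self._retention, frozen, volume_checksum(frozen))

    def exists(self, name: str) -> bool:
        return name in self._snaps

    def eradicate(self, name: str, now: datetime, oob_approval: str = "") -> None:
        # Deliberately no caller-role parameter: there is no admin bypass.
        snap = self._snaps[name]
        if now < snap.locked_until:
            raise PermissionDenied(f"{name} is retention-locked until {snap.locked_until.isoformat()}")
        if not oob_approval or not hmac.compare_digest(oob_approval, oob_approve(self._oob_secret, name)):
            raise PermissionDenied(f"{name}: out-of-band approval missing or invalid")
        del self._snaps[name]

    def restore(self, name: str) -> dict[str, bytes]:
        snap = self._snaps[name]
        files = dict(snap.files)
        if volume_checksum(files) != snap.checksum:
            raise RuntimeError(f"{name}: snapshot integrity check failed")
        return files


def ransomware(volume: dict[str, bytes], key: bytes) -> None:
    """Constructed stand-in: overwrite each file with XOR 'ciphertext', drop the original."""
    for path in list(volume):
        data = volume.pop(path)
        volume[path + ".locked"] = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def run_scenario() -> dict:
    t0 = datetime(2021, 6, 1, tzinfo=timezone.utc)
    approver_secret = secrets.token_bytes(32)
    store = SnapshotStore(retention=timedelta(days=14), oob_secret=approver_secret)

    volume = {"ledger.csv": b"acct,balance\n1001,250.00\n", "notes.txt": b"quarterly close\n"}
    original = volume_checksum(volume)
    store.take("vol1.daily", volume, now=t0)

    # An attacker holding admin credentials tries to destroy the safety net first.
    attempts = {}
    for label, kwargs in {
        "admin_during_retention": {"now": t0 + timedelta(days=1)},
        "admin_after_retention_no_oob": {"now": t0 + timedelta(days=15)},
        "admin_forged_oob": {"now": t0 + timedelta(days=15), "oob_approval": "0" * 64},
    }.items():
        try:
            store.eradicate("vol1.daily", **kwargs)
            attempts[label] = "deleted"
        except PermissionDenied:
            attempts[label] = "refused"

    ransomware(volume, key=b"\x5a\xa5")      # live volume is now useless
    restored = store.restore("vol1.daily")    # recover from the locked snapshot

    # Legitimate eradication after retention, with a token from the out-of-band approver.
    store.eradicate("vol1.daily", now=t0 + timedelta(days=15),
                    oob_approval=oob_approve(approver_secret, "vol1.daily"))
    return {
        "attempts": attempts,
        "live_volume_damaged": volume_checksum(volume) != original,
        "restore_exact": volume_checksum(restored) == original,
        "legit_eradication_succeeded": not store.exists("vol1.daily"),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point to carry over to a real deployment is where the lock lives: it is enforced by the storage layer and keyed by a secret that no array login possesses, so stealing an administrator's credentials does not help the attacker, and the retention period must also have run out. One caveat a model like this makes visible: immutable snapshots restore availability, but they say nothing about data that was exfiltrated before the encryption step.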

In 2020, ransomware incidents grew significantly—anywhere from 62% to 900%, depending on the source. But one thing is certain: They’re on the rise and they aren’t going away. Gartner estimates that by 2025, at least 75% of IT organizations will face one or more attacks.

It pays to be prepared. Learn more about Pure SafeMode snapshots