×
Security

How to Detect Insider Threats in Your ERP System

By Michael Cunningham • November 16, 2020

Insider Threats Are Becoming More Frequent and More Costly to Organizations. Especially Those Using Legacy ERP Systems. Here’s How You Can Proactively Prevent the Risk of Insiders Compromising Data 

While data breaches caused by hacking/phishing/ransomware tend to grab the most headlines, most data security incidents are from trusted insiders with access to sensitive data and systems. Thus, making insider threats one of the most common, yet elusive, risks to manage.

When you hear the term “insider threats,” most people reflexively think about a greedy or disgruntled employee abusing their access for revenge or financial gain. But there’s more to the definition than the angry employee out for revenge. An insider can be a current or former employee, contractor, or business partner with legitimate access to the organization’s network, systems, or data. The insider threat occurs when the insider (user) maliciously or unintentionally misuses their access to negatively affect or harm the business. So assuming all insider threats are disgruntled employees is false – an insider who is unintentionally violating a business policy can inflect plenty of damage.

Why Are Insider Threats So Dangerous to Organizations Using Legacy ERP Systems? 

The number one issue for security teams when it comes to detecting an insider threat is the user in question has authorized access to the ERP system. It’s the malicious intent or individual violation amongst the rest of the legitimate access that makes it difficult to tell the difference between a user’s regular activity and possible malicious activity. What makes them especially dangerous is that insiders usually know how to find and access sensitive data and sometimes have a privileged (or over-privileged) account.  

Insider threats are among the most common causes of data breaches worldwide, and they can often be among the costliest. According to the 2020 Insider Threat Report (Cybersecurity Insiders), 68% of organizations observed that insider attacks have become more frequent over the last 12 months. Moreover, 70% have experienced one or more insider attacks during that same period. Ponemon calculates that the average cost per insider incident is $11.45 million in 2020, increasing by 31% from 2018.  

The increase in attack frequency shouldn’t surprise anyone thanks to the COVID-induced necessity for remote access to ERP systems and data. While security teams were likely focusing their cybersecurity efforts and budgets on securing the perimeter, cybercriminals found new ways to target user accounts with phishing and social-engineering attacks. 

The good news is that organizations using ERP systems can detect and defend against insider threats with a combination of data-centric security measures and monitoring data access and usage.  

Detecting Insider Threats by Monitoring ERP Data Access and Usage 

Detecting an insider threat as quickly as possible is essential to limiting the amount of damage, financial or otherwise, this insider can cause. However, how can you tell the difference between regular activity and harmful activity? With an insider using a legitimate login profile, there aren’t obvious warning signs when malicious behavior takes place.  

Monitoring user behavior around data access and usage can highlight internal access misuse and credential theft. And continuously monitoring for outlier and anomalous behavior patterns provides visibility into how high-privilege users interact with sensitive data. This monitoring helps security teams identify a possible malicious insider or if an external attacker has compromised an employee’s credentials. For example: 

  1. Monitoring user activity during remote access down to the transaction level 
  2. Monitoring data access and usage by users with high privileges 
  3. Monitoring query attempts to download information onto unauthorized devices 
  4. Monitoring exactly who is accessing highly sensitive data fields 

Without advanced analytics and data monitoring, keeping track of every user’s activities after they’ve logged in to the system is a lot of work. In some cases, raw logs from your ERP system need to be manually checked, and each event studied—often after an insider threat has already occurred. No wonder the average time to identify and contain an insider threat incident is 77 days (Ponemon).  

When security teams monitor data access and usage, they can be proactively alerted to potential insider threats by identifying anomalous activity with actionable insights into what was accessed and by whom. Now organizations can quickly respond with a full forensic investigation and a rapid and thorough response. 

Preventing Insider Attacks with Dynamic, Data-Centric Security 

Although security professionals recognize the value of continuously monitoring data access and usage to detect insider threats, companies should also adopt a layered, data-centric security model to improve the likelihood of preventing an insider threat from attacking. 

Enhance Access Controls with Dynamic Authorization Policies 
Organizations should start by incorporating dynamic authorization strategies that use contextually aware access controls. Dynamic authorization gives organizations a way to leverage the contextual attributes of access such as geolocation, time of day, and IP address to better control the resources users access, how they access it, and from where they access it. For example, you can prevent an insider threat who has legitimate credentials from accessing sensitive data because they accessed the ERP system from a foreign IP address and outside of established business hours.  

Expand the Use of Data Masking  
You’re likely already masking the obvious data fields with personal information, like social security numbers, bank account information, national ID number, passport number, driver’s license number, etc. However, now that insider threats are increasing, organizations should expand the use of data masking to all fields that could be considered personally identifiable, giving you greater control over who can see what data and when. And deploying data masking based on dynamic authorization policies, like location, device, and time of day allows a more secure-and flexible-access to data.  

Enable Stepped-Up Multi-Factor User Authentication  
Using stepped-up multi-factor authentication is an important tool for preventing insiders from doing stuff they shouldn’t. When it comes to performing transactions with sensitive information, adding multi-factor at the transaction level as well as the perimeter ensures that users are not only authorized to access and view the data but perform the actual transaction.  

Take A Proactive Approach to Detecting and Preventing Insider Threats 

When it comes to insider threats, most security teams live in a murky gray middle zone struggling to determine the difference between regular user activity and anomalous activity indicating an insider attack. Organizations can help their IT security teams take a clear, proactive approach to detecting and preventing insider threats and attacks by applying a data-centric security approach combined with continuous monitoring of data access and usage. 

Want to see a demonstration of how Appsian can help your organization detect insider threats? Contact us to chat with an Appsian security expert today. 

Stay Updated

Request a Demo