As we head into 2020, while it’s likely commonly acknowledged that every organization must take steps to mitigate risk, very few are prepared for threats that come from inside the organization itself. Security risks that arise from a company’s own employees, contractors, vendors or end-users that can be deliberate, malicious or negligent often are the reason a “vast majority (91%) of the 500 IT and security professionals surveyed said they feel vulnerable to insider threats, whether their acts are malicious or accidental.” – according to a Better Cloud report.
It could range from something as simple as an employee clicking on a link in a phishing email using their company laptop to something as malicious as employees collaborating with cybercriminals outside the organization. While organizations may allocate large portions of their budget to reducing external risks, insider threats can be a far greater financial threat. According to the Ponemon Institute’s 2018 report, the global cost of insider threats is $8.76 million, and rising.
Almost half of IT professionals surveyed by BetterCloud, a SaaS operations management specialist, consider insider threats to be an issue because of highly interconnected systems, which make vast amounts of sensitive data more accessible. As networks become increasingly complex with a proliferation of data, devices, apps and users accessing resources across information and operational technologies, it becomes difficult for cybersecurity teams to prevent or detect insider threats. Confidential business information and customer databases are most vulnerable according to 40% of the IT professionals in the study. (A fact evidenced by the proliferation of data leaks and security breaches in 2019, particularly from media and financial institutions.) In Verizon’s 2019 Insider Threats report, two-thirds of all data was compromised as a result of negligence;and 90% of companies feel threatened by insider attacks.
What does that mean for mature enterprises today?
Of course, insider threats affect both corporations and government. While government agencies can be ahead of the commercial world when it comes to vetting, screening and monitoring, corporates often devote more attention to cybersecurity for employee activities, access control and monitoring. And a huge opportunity exists for government and commercial to learn from one another’s unique issues.
Typical approaches to managing insider threats, such as awareness training and internal tools used to share information securely have simply not been effective. And a part of the hypothesis that applies here is likely that gaining widescale adoption for any process or practice takes time, effort and training dollars, which in some cases might not have been factored, or even anticipated because so much of the landscape is developing in real-time. Yesterday’s threats are rarely tomorrow’s threat. Adopting an approach of using lagging indicators for risk levels and preparedness (ie: what previous threats have we had; what is common in the industry) might not be enough. Moving the industry forward to a place where are using predictive indicators to establish what’s coming down the insider threat pipeline is the task at hand.
In order to face insider threats head on, it’s time for companies and government agencies to get smarter about where the biggest threats are coming from.
In this following section, we’ve broken down some of the top areas in which insider threats are likely to keep surfacing and would do best to be on all large enterprises’ non-negotiable checklist.
1. Prepare well for employee negligence
With negligence to blame for 64 % of current total cybersecurity incidents, according to Ponemon, negligence and carelessness are the most pervasive and costly insider threat. Inadvertent employees might comply with general policy and regulations and even display non-risky behavior, but can cause breaches due to simple errors such as opening a malicious link or attachment, saving intellectual property on personal or insecure devices, or misconfiguring cloud networks. How prepared are we for this? And what more can we be doing to collaboratively raise the bar of the minimum knowledge levels for safe online behavior in firewalled environments?
Besides common social curiosity behavior (phishing as 27%) that can be managed by limiting access, the Egress Insider data breach survey 2019cited employee error as the most common reason for security breaches, such as accidentally sending data to the wrong person (45%), lack of awareness on confidential data (35%). Employees who are unresponsive to awareness training or act in non-secure ways are more likely to respond to phishing attacks. The Verizon studyfound over 4% of people targeted in any phishing campaign will click the malicious link – and those who have fallen prey to phishing once have a far greater chance of being phished again. This points to an urgent need for employee education around responsibility for data protection. Are we investing the time and thinking needed in taking these frameworks to the next level?
- Understand the risk of disgruntled employees fully and put in place simplified mechanisms to mitigate human error
Disgruntled employees can be one of the costliest insider threats to any organization. A Gartner analysisfound that 29 percent of employees were motivated to steal by financial gains after resigning, involuntary retrenchment or being fired, while 9% were driven by pure sabotage.
Behavioral patterns can vary widely: Some employees may start looking for information without any specific goals in mind, while others might steal data with intent immediately after putting in their notice, with the goal of using intellectual property for personal gain, even with competitors. The danger could even come from the organization’s cybersecurity team. In a study which surveyed 320 IT professionals, one in 10 said they would take as much company information with them as possible before leaving their job. In this environment, understanding employee experience and preparing crisis packages in case things go wrong could be an area for companies to focus on. Are your systems for firing and exit processes clear and automated. Are we as companies practicing emotional intelligence during the process to minimize behavioral risk while backing up with technology?
3. Prepare for layers of risk with criminal insiders
Criminal insiders extract data or act with deliberate or malicious intent for financial gain or some kind of personal reward, such as trading company secrets for a better paying position. The Gartner studyfound that 62 percent of criminal insiders are people seeking a supplemental income, known as ‘second streamers’. That is a large majority who could fall through the cracks in cases where we are not prepared with the systems needed to detect ongoing removal of data and other assets. While just 14% of second streamers were in a senior role and only one third have access to sensitive data, criminal insiders can be fairly sophisticated in their approach, extracting data slowly to avoid detection from traditional network monitoring tools. Are we analyzing our risks of insider threat at different scales?
4. Consider, that while insider collusion is rare, it is costly.
While insiders who collaborate with malicious external players is rare, insider collusion remains a significant threat to every organization as increasingly sophisticated cybercriminals attempt to recruit employees across various channels. These can include state-sponsored agentswho might bribe or blackmail insiders into stealing data. The incidence of insider collusion can take many forms, from fraud to intellectual property theft or a combination of both, according to the Computer Emergency Response Team in the CERT guide to Insider Threats.Insider collusion can take up to four times longer to detect than any other insider threat, and remains one of the most costly breaches that is worth preparing for in any holistic insider threat plan. Are we considering collusion in our insider threat landscape, however unlikely it may seem?
One overarching insight to insider threats that can help us all respond better
Although most companies are aware of the risk of insider threats, we rarely dedicate the resources or executive attention required to solve it until after a breach occurs. Government agencies, meanwhile, might have advanced cybersecurity systems, but neglect other aspects of insider threats.
While there’s no single approach that works when attempting to mitigate insider threats, it’s essential for any organization to understand the human aspect of insider threats and the analytical tools that can help safeguard confidential business information, account information and sensitive personal data against the risk of cybersecurity threats. By monitoring employee activity to detect workplace habits and behavior, organizations have shiftedfrom deterrence to detection. Monitoring user behavior through access logging or automated tools can further help organizations earlier in the journey of maturity to prevent, detect, classify and even notify the cybersecurity team of any irregular behavior.Behavioral analytics can predict risk – assigning risk scores before a security breach has occurred.
While humans are enormously variable, artificial intelligence and behavioral analytics offer the opportunity to detect insider threats more quickly, and thus mitigate risk. While technologies for automated systems powered by artificial intelligence, machine learning and secure digital identities is considered the most practical and error-proof solution today, it’s developing faster and faster.
Other best practices to dot your ‘i’s and cross your ‘t’s
Human error can be combated through different training techniques, providing effective security ‘nets’ and communicating company policy and procedures. In addition, the reason for accidental breaches must be addressed in order to prevent them, such as tired or highly-pressured employees who might be rushing through their work. Ultimately, companies need to continuously upgrade their approach to motivating employees, as well as their systems to evolve to keep up with the rapidly changing world of cybercrime and industry compliance regulations.
As the risk of insider threats makes companies increasingly vulnerable, prevention and detection are more important than ever. According to research by Gartner, of the mere 15% of organizations addressing insider threats today, by 2023, 75% of organizations will transform risk and security governance procedures to address cyber-physical systems (CPS), converged IT, OT, Internet of Things (IoT) and physical security. The goal of the Insider Threats Summit 2019 is to learn in a peer environment, how mature and maturing organizations are protecting sensitive data from insider threats with technological solutions such as artificial intelligence and behavioral analytics, while incorporating more traditional methods of mitigating risk through awareness training and employee satisfaction.
Join us at the Insider Threats Summit 2019(Link: https://bit.ly/2ZrFQ4M) (December 4 – 6 | Washington DC) as thought leaders in the industry, whether private, commercial or government speakers, share the essential strategies, resources and tools they use for proven success.
Spotlight session at Insider Threat Summit 2019
Keeping Human in the World of Technology (December 5, 9:00 am)
Technology has become a significant part in detecting threats, but the human connection and being open carries weight. This session will dive into the importance of maintaining a relationship between security officials and team members in order to relieve tension and gain useful knowledge.
- Relieving employee anxiety with visibility to security teams
- How providing effective training to employees can lead to minimal mistakes
For this and more powerful sessions like it, view our full agenda here(Link: https://bit.ly/2ZrFQ4M). Cyber Defense Media readers receive 10% off using code IT19_CDM.