The Cybersecurity & Infrastructure Security Agency (CISA) defines an insider threat as, “the threat that an insider will use their authorized access, intentionally or unintentionally, to harm the department’s mission, resources, personnel, facilities, information, equipment, networks, or systems.”
All too often, these insider attacks succeed. One in four security incidents are caused by malicious inside actors and can cost nearly $650,000 in remediation every time. By comparison, credential theft only accounts for one in five incidents.
With unknown adversaries underfoot, how are companies supposed to put up adequate defenses? And how can an organization set up safeguards while still maintaining a culture of internal trust and tact? While there are countless answers, streamlining the issue down to five salient points can help overwhelmed practitioners realize how manageable insider threat prevention can be.
Types of Insider Threats
CISA notes, “Insider threats manifest in various ways: violence, espionage, sabotage, theft, and cyber acts.” To that, one can add a few specifics:
- Accidentally clicking a phishing link
- The errors that come from employees not following (or knowing) security best practices
- A malicious insider who abuses access privileges to steal and sell company data
- A disgruntled employee out for financial gain
- An unwitting partner, contractor, or supply chain vendor who fails to follow compliance policies
In the 2022 Verizon Data Breach Investigations Report, insider threats are nested under Privilege Misuse. It reads, “This pattern [of Privilege Misuse] is almost entirely insiders using their access maliciously to cause breaches. While Financial is still the leading motive, Espionage, Convenience and just plain Grudges are still represented. Personal data remains the most common data type for these breaches, but Medical data continues to be sought. These actors are …stealing Personal data because it is easy to monetize.”
Insider threats are predictable and preventable, whatever the reason, and whatever the method. There are certain tell-tale signs of innocuous bad and definite ways to stop it.
How to Stop Them
Here are five ways a modern enterprise can tackle the problem of insider threats.
- Removed “unforced errors” | In tennis, an unforced error is a mistake on the part of the player. It’s a point against them for something they did themselves, not that their opponent did against them, and it results in a deduction that otherwise did not need to happen. In the case of insider threats, most risks are carried by careless users – not nefarious ones. In the last 12 months, more than half (56%) of all insider threat cases were caused by negligence, yet – malicious or not – managed to cost companies an average of $500,000 per incident. Raising the level of security awareness will bring these numbers down and lessen one of the major points of internal problems.
- Know the signs | When your team knows the red flags of an insider attack, you turn unwitting bystanders into trained security assets. Some giveaways include:
- Logins at odd hours
- Accessing non-job-related information
- Downloading unusually large amounts of data
- Taking data onto personal devices
- Creating unauthorized accounts
- Invest in a data security program | A data risk management solution “helps businesses detect, investigate, and respond to insider threats to their data.” However, not all supporting solutions are created equal. Some will only alert you to risky behavior, while others go the extra mile and take proactive steps to prevent unauthorized access across email, the cloud, and removable storage. Find a tool that provides you with context about what type of data a user is interacting with, so you avoid false positives and optimize your risk hunting.
- Lean on behavioral-driven technology | This can tell you quickly if there’s been a spike in unusual activity around a certain asset or a certain time. Using AI-driven solutions to spot anomalies helps ensure that the policies put in place are adhered to, and that any deviant patterns stand out. Although insiders have the advantage of knowing the workflows, times, and systems, eventually nefarious actions are going to differ from the norm and that’s when behavioral-based platforms come into play.
- Vet your partners and supply chain | The realm of “insider” far exceeds what it did even ten years ago. More companies than ever now engage international partners, far-flung contractors, and lengthening supply chains. As each interaction is given even a little bit of trusted access, those privileges – and the people behind them – need to be subject to the same scrutiny and policies as those in-house.
The more knowledge InfoSec teams glean around the simplicity of internal risk management, the more empowered they will feel to take those steps on their own and bolster their own internal security posture.
Internal risks will always be out there, so long as humans continue to perform the day-to-day tasks that touch the digital world. One cannot stop human error or prevent bad motives. However, with the right awareness, priorities, and platform solutions, a company can bar the gates to entry and significantly reduce threats from the inside.
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.
