One of the biggest challenges cyber security leaders have to grapple with today is that malicious actors aren't always distant entities; they are often people you work with on a day-to-day basis. The reality is that any employee or contractor with physical or logical access to IT systems can leak private information and cause a data breach.
As the Ponemon Institute’s 2022 Cost of Insider Threats: Global Report reveals, cyber insider threat incidents have risen 44% over the past two years, with costs per incident up more than a third to $15.38 million.
At the moment, only 11% of organisations consider their monitoring, detecting, and response to insider threats as extremely effective. If you're not part of one of those enterprises, then you'll need to implement insider threat prevention into your security strategy. That starts by having a clear understanding of what insider threats are.
What are Insider Threats? And Why Are They Important?
An insider threat is any threat to your organisation that comes from within: someone who is part of the organisation, usually an employee or a contractor. Employees and contractors are potential insider threats because they already hold legitimate access to internal IT systems and intimate knowledge of your company's security defences, so their actions never have to cross the perimeter controls that keep external attackers out.
There are two main categories of insider threats:
- Inadvertent/Negligent Insiders - Employees who make a mistake or engage in careless behaviour that leaves network infrastructure vulnerable to breaches.
- Malicious Insiders - Employees or ex-employees who attempt to steal/destroy private information for profit or revenge.
Inadvertent or negligent cyber insider threats are the most common, as anyone can make a mistake that leaves an entry point into your network that an attacker can exploit. This can be as simple as clicking on a link in a phishing email and entering your login credentials on a sophisticated phishing site.
The growing threat from Malicious Insiders
Malicious insider threats are becoming more common, and the damage they cause is growing.
“Because external security perimeter controls have gotten so good, ransomware and different Advanced Persistent Threat (APT) groups are now just resorting to bribing employees. The way that works is you go on to one of their forums, which are often located on the deep web or in some cases even on the clear net.
“So, an employee of a company would post on a forum something like ‘Hey, I work as a helpdesk engineer at XYZ company. How does this work?’ In the case of ransomware gangs, they will give details and they’ll either give them access to something or they'll send a phishing email with a malicious link to the person, who will then deliberately click it once received. As there is no penalty for poor cyber awareness, the insider essentially gets away with it, and once the attacker has what they want they will then pay the insider a cut of the ransom,” explains Integrity 360’s Principal Architect Zach Fleming.
A single breach can take months to detect and do irreparable damage to your business. Malicious threats also include employees selling sensitive data to third parties or trying to damage an organisation to settle a dispute.
The number of incidents where an employee has been bribed or even voluntarily worked with cyber criminals to give them access to an organisation’s networks has increased sharply.
Cybercrime is big business and gangs are constantly seeking out new ways to infiltrate networks with the most effective method being to offer payment to employees in exchange for access.
Both malicious and negligent insider threats are hazardous because they are hard to detect: the activity comes from accounts and devices that are supposed to be there, so by the time you realise your defences were compromised, you will already be exposed to substantial legal, reputational, and financial damage.
How to Detect and Stop Cyber Insider Threats
Detecting and mitigating insider threats isn’t easy, but there are some simple steps you can take to considerably improve your security posture:
Restrict User Access to Sensitive Information
One of the simplest and most reliable ways to mitigate insider threats is to limit the number of employees with access to sensitive information. Applying the principle of least privilege, granting only the minimum permissions an employee needs to complete their responsibilities, reduces the chance of unauthorised disclosure and limits how much a single compromised or bribed account can reach.
Many commercial tools allow you to manage user access to IT systems, including Identity and Access Management (IAM) solutions, which let you grant, review and revoke permissions for IT services from a central console. Pair this with periodic access reviews so that permissions granted for a past project or role are removed rather than quietly accumulating.
Encouraging employees to set strong passwords, and to change them when there is any sign of compromise, is one of the most effective ways to combat inadvertent insider threats. You can reinforce this by sending out regular emails with actionable password advice.
Actionable guidance could include tips for creating strong passwords: avoid dictionary words and use a mixture of uppercase letters, lowercase letters, numbers, and symbols. Bear in mind that current guidance such as NIST SP 800-63B favours long passphrases, screening new passwords against lists of known-breached passwords and adding multi-factor authentication over routine forced rotation, because scheduled resets tend to push users towards predictable variations of the previous password.
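As an added illustration (not code from the original article or from Integrity 360), the following Python enforces the guidance above at the point where a password is set: minimum length, a mix of character classes, no embedded dictionary word, and a check against a breached-password list. The dictionary and breach list here are small constructed samples; a real deployment would load a full word list and a breached-password corpus.

```python
import re
import string

# Constructed sample lists for the example only; a real deployment would load a
# full dictionary and a breached-password corpus instead of these few entries.
DICTIONARY_WORDS = {"password", "welcome", "summer", "company", "admin", "letmein"}
BREACHED_PASSWORDS = {"Password1!", "Welcome2022!", "Summer2023!"}

MIN_LENGTH = 12  # assumed policy value


def policy_violations(password: str) -> list[str]:
    """Return the list of policy rules the password breaks (empty means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    # Strip digits and symbols and lower-case before the dictionary check, so that
    # "Summer2023!" is still caught as the dictionary word "summer".
    core = re.sub(r"[^a-z]", "", password.lower())
    for word in DICTIONARY_WORDS:
        if len(word) >= 4 and word in core:
            problems.append(f"contains dictionary word '{word}'")
            break

    # Exact-match breach check; in practice this would query a local copy of a
    # breached-password corpus rather than a hard-coded set.
    if password in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    return problems


def is_acceptable(password: str) -> bool:
    return not policy_violations(password)


if __name__ == "__main__":
    for candidate in ("Summer2023!", "correct horse battery staple", "Tr4ctor-Beam!Quietly"):
        print(candidate, "->", policy_violations(candidate) or "accepted")
```

Note that a four-word passphrase such as "correct horse battery staple" fails only the character-class rule: under the composition rules the article describes it is rejected, whereas under a length-and-breach-list policy it would be accepted. Whichever rule set you choose, the breached-password check is the one that catches "Summer2023!" regardless of how many character classes it contains.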
Security Awareness Training
If you're concerned that a number of employees aren't aware of the latest security best practices, then security awareness training is critical. Security awareness training will educate your employees on existing cyber threats like phishing scams and malware while teaching them how to use IT systems safely.
For instance, security awareness training can educate employees on the signs of phishing scams with phishing simulations, so they learn how to spot phishing attempts and don't get manipulated into giving up their login credentials.
User Activity Monitoring
Implementing user activity monitoring with tools like Security Information and Event Management (SIEM) platforms and User and Entity Behaviour Analytics (UEBA) solutions is an excellent way to detect employees who start acting maliciously.
Continuous user activity monitoring allows you to establish the normal baseline activity of each user and then identify when they deviate from it, for example a burst of failed login attempts, bulk file copying or activity at unusual hours, any of which could indicate something more serious. After suspicious activity is flagged, an analyst can investigate further to determine whether there is a genuine security risk or simply a change in legitimate working patterns.
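As an added example (not code from the original article or from any SIEM or UEBA product), the Python below shows the baseline-then-deviate idea in miniature: it parses key=value log lines, aggregates failed logins and bytes copied per user per day, builds a per-user mean and standard deviation over a baseline window, and flags any later day that exceeds mean plus three standard deviations. The log format, the five-day baseline, the thresholds and the users alice and bob are all constructed assumptions for the example.

```python
import re
import statistics
from collections import defaultdict

# Assumed log format for the example: "<timestamp> user=<name> event=<type> [bytes=<n>] ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: bytes=(?P<bytes>\d+))?"
)
METRICS = ("failed_logins", "bytes_copied")
# Floors (assumed values): a perfectly flat baseline has stdev 0 and still needs a
# usable limit, and tiny absolute counts should never page anyone.
SD_FLOOR = {"failed_logins": 1.0, "bytes_copied": 1_000_000}
MIN_ABS = {"failed_logins": 5, "bytes_copied": 50_000_000}


def parse(lines):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append({"day": m["ts"][:10], "user": m["user"],
                           "event": m["event"], "bytes": int(m["bytes"] or 0)})
    return events


def daily_totals(events):
    """Aggregate events to (user, day) -> {failed_logins, bytes_copied}."""
    totals = defaultdict(lambda: dict.fromkeys(METRICS, 0))
    for e in events:
        key = (e["user"], e["day"])
        if e["event"] == "login_failed":
            totals[key]["failed_logins"] += 1
        elif e["event"] == "file_copy":
            totals[key]["bytes_copied"] += e["bytes"]
    return totals


def build_baseline(totals, baseline_days):
    """Per-user mean and population stdev of each metric over the baseline days only."""
    series = defaultdict(lambda: {m: [] for m in METRICS})
    for (user, day), t in totals.items():
        if day in baseline_days:
            for m in METRICS:
                series[user][m].append(t[m])
    return {user: {m: (statistics.mean(v), statistics.pstdev(v)) for m, v in s.items()}
            for user, s in series.items()}


def detect_anomalies(totals, baseline, baseline_days, z=3.0):
    """Flag (user, day, metric) where an observed day exceeds mean + z * stdev."""
    alerts = []
    for (user, day), t in sorted(totals.items()):
        if day in baseline_days:
            continue
        base = baseline.get(user)
        if base is None:  # never seen during the baseline: worth a look, not a scored anomaly
            alerts.append({"user": user, "day": day, "metric": "no_baseline", "value": None, "limit": None})
            continue
        for m in METRICS:
            mean, sd = base[m]
            limit = mean + z * max(sd, SD_FLOOR[m])
            if t[m] > limit and t[m] >= MIN_ABS[m]:
                alerts.append({"user": user, "day": day, "metric": m, "value": t[m], "limit": limit})
    return alerts


def constructed_log():
    """Constructed sample: five normal days, then a day on which alice fails login
    repeatedly late at night and copies 2 GB to USB while bob behaves as usual."""
    normal = [(1, 8_000_000, 30_000_000), (0, 12_000_000, 25_000_000),
              (1, 10_000_000, 32_000_000), (0, 9_000_000, 28_000_000),
              (0, 11_000_000, 30_000_000)]
    lines = []
    for i, (a_fail, a_bytes, b_bytes) in enumerate(normal, start=1):
        day = f"2024-03-0{i}"
        lines += [f"{day}T09:02:11 user=alice event=login_failed src=10.0.1.20"] * a_fail
        lines.append(f"{day}T09:03:00 user=alice event=login_ok src=10.0.1.20")
        lines.append(f"{day}T10:15:00 user=alice event=file_copy bytes={a_bytes} dst=share")
        lines.append(f"{day}T11:00:00 user=bob event=file_copy bytes={b_bytes} dst=share")
    day = "2024-03-08"
    lines += [f"{day}T22:1{k}:00 user=alice event=login_failed src=10.0.1.20" for k in range(8)]
    lines.append(f"{day}T22:30:00 user=alice event=login_ok src=10.0.1.20")
    lines.append(f"{day}T22:35:00 user=alice event=file_copy bytes=2000000000 dst=usb")
    lines.append(f"{day}T11:00:00 user=bob event=file_copy bytes=29000000 dst=share")
    return lines


def run_example():
    totals = daily_totals(parse(constructed_log()))
    baseline_days = {f"2024-03-0{d}" for d in range(1, 6)}
    return detect_anomalies(totals, build_baseline(totals, baseline_days), baseline_days)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the constructed data only alice's observation day is flagged, on both metrics, while bob's 29 MB copy sits comfortably inside his baseline. Two caveats carry over to real deployments: a user absent from the baseline window gets a "no_baseline" alert rather than a silent pass, and the per-metric floors matter because a user who never failed a login has a standard deviation of zero, which would otherwise turn a single typo into an alert.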
Clearly Document IT Usage Policies
Documenting your organisation's policies on data protection, privacy, incident response, passwords, and third-party access is vital for setting out your expectations of employees when they use internal IT systems.
As part of your documentation, it's important to make clear what the penalties are for non-compliance so that if someone violates your policy, they know what the consequences are. These policies act as a deterrent for malicious and careless employees alike.
Implement Physical Access Control
Anyone who has physical access to a device for a prolonged period of time can compromise it fairly easily. The most direct way to address this is to lock down critical areas like server rooms and employ security staff to prevent unauthorised employees from reaching protected IT systems.
By doing this, you will drastically decrease the chance of someone being able to tamper with a critical piece of your infrastructure. You can take this a step further by using biometric security features and badge access to ensure that no unauthorised employees can access protected information.
Start Small with Incremental Improvements
If your cyber security policy doesn't directly address insider threats, then you're extremely vulnerable to a data breach. That being said, don't start panicking if you don't have an insider plan in place. By taking incremental steps to mitigate insider threats, you can quickly make a big difference in your security posture.
However, if you want to optimise your strategy and make your defences against malicious or negligent internal actors as strong as they can be, then working with an MSS (Managed Security Services) provider is a good place to start, as they can provide custom guidance on protecting both your physical environment and your IT systems against internal threats.
Other factors to consider include ensuring employees are happy in their jobs. Poorly treated, overworked and underpaid employees are far more likely to seek to do harm to a company that treats them badly. HR (Human Resources) policies also play a key role in reducing the likelihood of a disgruntled employee becoming an insider threat, in particular a leaver process that revokes every account and credential on the day someone departs, since ex-employees are among the malicious insiders described above.