Whenever someone talks about cybersecurity attacks, the same image comes to mind: hackers hiding in poorly-lit basements breaching systems by force of code. Most of us think about the dark web, malware, online scams, and phishing attacks. We think of armies of hackers answering to the whims of despotic leaders. We even blame entire countries such as Russia and China for cyberattacks.
Unfortunately, focusing on those cliché-fed images makes us lose sight of a far more crucial aspect of cybersecurity – insider threats. The malicious or negligent actions of employees and partners can be as damaging as those coming from external malicious actors. But since we aren’t used to thinking about them, they have gone mostly unnoticed – until today.
In a recent survey, 73% of organizations say insider attacks are becoming more frequent. What’s more – 68% of them feel moderately to extremely vulnerable to insider attacks. So, it’s no surprise that more and more people are paying attention and worrying about it. In doing so, organizations are finally understanding that the first step in fighting insider threats is making the problem more visible. That’s why we’re going to review the basics here.
What’s an Insider Threat?
As its name implies, an insider threat is someone who works within an organization and who represents a risk to that organization’s security. Employees, former employees, providers, and business associates are all potential insider threats, since they all have access to inside information about the organization’s security practices.
There are 3 categories of insider threats:
- Malicious insiders: people who actively take advantage of their access to do harm to the organization.
- Negligent insiders: people who willingly or unwillingly ignore security practices, opening the door for external threats to breach an organization’s systems.
- Infiltrators: people who acquire legitimate access to information but who aren’t officially authorized to use it.
These 3 categories are clearly differentiated. While malicious insiders and infiltrators have the goal of stealing information, negligent insiders are simply careless people who aren’t paying enough attention to security. Even when one could argue that the former are more dangerous (as they are actively seeking to do harm and know their way around security systems), the truth is that negligent insiders are just as damaging. That’s simply because, when a breach happens, intent doesn’t matter.
The distinction does help, though, as organizations will take different actions depending on the category of the insider threat.
What Can Organizations Do?
Any organization that has sensitive information should have a security strategy in place that has measures to mitigate the risk associated with insider threats. There are a lot of things an organization can do, including some of the following.
- Risk assessments. The old saying that you’re as strong as your weakest link applies marvelously here. That’s why it’s important to know the organization’s critical assets, their vulnerabilities, and the threats that might affect them.
- Security policy enforcement. Having a strong and comprehensive security policy won’t do anything if the organization doesn’t enforce it. The IT department has to be vigilant regarding everything related to general data protection, incident response, access privileges, users, and passwords. Apart from monitoring the correct implementation of the policy, the organization should also penalize everyone who doesn’t comply with it.
- Separation of duties and least privilege. All data should be encrypted and require the authorization of at least 2 high-level users to be copied, deleted, changed, or moved. The organization should also define access privileges based on roles and their specific needs. That way, employees will only have access to data that’s relevant for their job.
- Third-party security agreements. Companies that are using cloud services, hiring developers, or working with third-party providers of any sort should have strong security agreements. The organization should assess the risk of outsourcing part or all of the job to an external vendor and verify that the potential candidates are at the same security level as the organization.
- Hardware and documentation recycling. Organizations should be very careful when disposing of old hardware and documentation. Before discarding them, the company should completely erase all sensitive information and be sure that data is beyond recovery.
- Employee termination. Resentful ex-employees can easily become insider threats. That’s why organizations need to work closely with HR to define the best termination procedure to legally and technologically protect the company from former employees that could have had access to sensitive data.
- Periodic security training. Since a lot of people aren’t aware of the insider threat problem (or about security issues in general), it’s best if organizations have continuous training programs based on security policies. Training should be mandatory for all employees and should be reviewed periodically to keep the knowledge fresh and relevant.
Of course, these are only some of the many measures available to address the insider threat issue. All of them should be part of the organization’s enterprise-wide security strategy. What’s more – all of these measures should be in place in companies of all sizes and across industries, because no one is safe from potential insider attacks.
Why Companies are so Worried About Insider Threats
Recent research shows that the extended enterprise is seriously vulnerable to insider threats. In fact, it estimates that 80% of cybersecurity incidents are a direct result of an employee’s actions, whether intentional or not. That makes insider threats the biggest security issue for modern organizations – by far.
This is changing the security focus across organizations, which, until recently, has mostly been concentrated on external threats. This paradigm shift is uncovering new challenges. The most pressing one? That insider threats are becoming increasingly harder to detect. In fact, 56% of executives feel that moving to the cloud (a must for a lot of companies) is contributing to the phenomenon.
So, given that companies want to migrate to the cloud for its numerous advantages, they are trapped between a rock and a hard place. Either they migrate to the cloud and face the challenge of detecting insider threats, or they don’t migrate but lose a competitive edge. Things, however, don’t have to be this black or white.
Modern security advances (especially with the aid of artificial intelligence and machine learning) are making it easier to monitor user activity and detect abnormal behavior. That, coupled with a sensible and coherent security policy and constant employee training, can reduce the risk of an insider threat attack to a minimum.
Rather than sit back and worry about it, organizations would be better off acknowledging the problem and acting on it. Informing themselves, investing in new tools, and getting the right training are some of the best paths they can take if they are to face this rise in insider threats.