Some threats may be closer than you think. Are security risks emanating from your trusted employees on your radar?
It all started innocently when a Tesla employee accepted an invitation from a former colleague for drinks. Several eating and drinking sessions later, the old acquaintance made his true intentions clear: he offered the Tesla employee $1 million to smuggle malware into the automaker’s computer networks in a scheme that, if successful, would have allowed a cybercrime ring to steal critical data from Tesla and hold it for ransom. The plot failed after the employee did the right thing: he reported the offer to his employer and cooperated with the FBI in bringing his old partner to justice.
However, this outcome should not obscure the fact that things could easily have gone the other way. Indeed, the attempted attack is a reminder that employees are not only an organization’s greatest asset, but often also its greatest cyber risk, and one that often goes undetected.
Some stats will help drive the point home. According to Verizon’s 2023 Data Breach Investigations Report (DBIR), 19% of the approximately 5,200 data breaches examined in this study were caused by internal actors. Meanwhile, a Ponemon Institute survey of 1,000 IT and IT security professionals from organizations that have experienced “material insider-caused events” found that the number of insider-related security incidents has increased by 44 percent in just two years. The 2022 Cost of Insider Threats Global Report pegs the number of these events at over 6,800, with affected organizations spending $15.4 million annually on insider threat remediation.
The attack surface widens – for insider threats too
Acute cyberthreats such as software supply chain attacks, business email compromise (BEC) fraud, and other scams leveraging stolen employee logins, along with ransomware and other attacks often facilitated by the rapidly evolving cybercrime-as-a-service business model, have pushed cybersecurity to the top of the boardroom agenda.
With the rush towards digital transformation, the shift to cloud-enabled flexible work arrangements, and a growing reliance on third-party suppliers, every organization’s attack surface has expanded rapidly. The cybersecurity landscape is now more complex than ever, and because attackers are relentlessly leveraging this complexity, pinpointing and prioritizing the most critical risks is not always an easy proposition.
Muddying the waters even further, holding off external aggressors is often only half the battle. Insider threats don’t usually get “top billing”, even though the impact of an insider-led incident is often even more dire than the impact of an incident caused solely by an external attacker.
Right under your nose
Insider threats are a type of cybersecurity threat that originates from within an organization. The term usually refers to current or former employees or contractors who can cause damage to corporate networks, systems or data.
Insider threats are usually divided into two broad types – intentional and accidental, with the latter being further broken down into unintentional and reckless acts. Studies show that most insider-related incidents are caused by carelessness or negligence, not malicious intent.
Threats can take many forms, including the theft or misuse of confidential data, the destruction of internal systems, giving access to bad actors, and so on. Such threats are usually driven by one of several factors, such as financial gain, revenge, ideology, negligence, or malicious intent.
These threats pose a unique security challenge in that they are difficult to detect, and even more difficult to prevent, not least because insiders have a much larger window of opportunity than external attackers. By nature, employees and contractors need legitimate and elevated access to organizational systems and data to do their job, meaning that threats may not become apparent until an actual attack occurs or after the damage has been done. Insiders are also often aware of their employer’s security measures and procedures and can circumvent them more easily.
Also, while security clearances require a background check, they don’t strictly take personal state of mind into account, as that can change over time.
Nonetheless, there are certain steps organizations can take to minimize the risk of insider threats. They rely on a combination of security controls and a security-aware culture, and they span tools, processes, and people.
Preventive measures to reduce the risk of insider threats
These measures are not the be-all and end-all for cybersecurity, but they will go a long way in protecting an organization from insider threats.
- Apply access control: Implementing access controls such as role-based access control (RBAC) can help limit access to sensitive data and systems to only those employees who need it to perform their job duties. Granting access on this need-to-have basis can significantly reduce a company’s exposure to insider threats. It is also important to regularly review these access rights to keep the level of access appropriate and aligned with the employee’s role.
- Monitor employee activity: Implementing monitoring tools to track employee activity on company devices or networks can help identify suspicious behavior that might be indicative of an insider threat. Monitoring can also help detect unusual data transfers or abnormal access patterns to sensitive systems and data. However, make sure that monitoring complies with local regulations, and establish clear guidelines on monitoring to address potential privacy concerns.
- Perform a background check: Conducting background checks on all employees, contractors and vendors before granting them access to sensitive and confidential data can help identify any potential risks. This check can also be used to verify a person’s employment history and criminal record.
- Organize security awareness training: Providing regular security awareness training to employees is critical in helping increase their understanding of cybersecurity risks and how to mitigate them. This can help reduce the possibility of accidental insider threats, such as falling victim to phishing.
- Data loss prevention: Implementing a DLP system can help prevent data loss or theft by monitoring, detecting, and blocking the unauthorized transfer or sharing of sensitive data. This not only helps mitigate insider threats but also protects confidential data. The caveat here, however, is that DLP providers are also in the crosshairs of attackers, adding to the worry.
It should be noted that none of these steps alone is foolproof, and no single solution can completely eliminate an insider threat. But by implementing a combination of these measures, and by regularly reviewing and updating security policies, businesses can significantly reduce their exposure to insider threats.
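The periodic access review recommended under "Apply access control" can be automated along the following lines. This is an added example, not part of the original article; the role names, permission strings, user records and the 90-day staleness threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumptions, not from the article).
ROLE_PERMISSIONS = {
    "engineer": {"source_repo:write", "ci:run"},
    "hr_partner": {"hr_records:read", "payroll:read"},
    "contractor": {"source_repo:read"},
}
USERS = {
    "alice": {"role": "engineer", "active": True},
    "bob": {"role": "hr_partner", "active": True},
    "carol": {"role": "contractor", "active": False},  # contract ended
}
# (user, permission, last_used) rows, as an identity system might export them.
GRANTS = [
    ("alice", "source_repo:write", date(2024, 5, 28)),
    ("alice", "payroll:read", date(2024, 5, 30)),      # not part of her role
    ("bob", "hr_records:read", date(2024, 5, 29)),
    ("bob", "payroll:read", date(2023, 11, 2)),        # in role, long unused
    ("carol", "source_repo:read", date(2024, 4, 1)),   # account is inactive
]


def review_access(users, role_permissions, grants, today, stale_days=90):
    """Return sorted (user, permission, reason) findings for one review cycle."""
    findings = []
    for user, permission, last_used in grants:
        profile = users.get(user)
        if profile is None or not profile["active"]:
            # Former employees and contractors should hold no grants at all.
            findings.append((user, permission, "inactive_or_unknown_user"))
            continue
        allowed = role_permissions.get(profile["role"], set())
        if permission not in allowed:
            findings.append((user, permission, "outside_role"))
        elif (today - last_used).days > stale_days:
            # In role but unused: a candidate for removal under least privilege.
            findings.append((user, permission, "unused"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(USERS, ROLE_PERMISSIONS, GRANTS, date(2024, 6, 1)):
        print(*finding, sep="\t")
```

Each finding is a grant to revoke or to justify in writing; a grant used recently but outside the holder's role, like the first one here, is also worth passing to whoever handles activity monitoring.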
Top pick: security awareness training
This is the top pick of the steps described for several reasons. First of all, this training helps businesses save some money by reducing the risk of accidental insider threats.
Most often, employees are not aware of specific cybersecurity risks and may unknowingly click phishing links, download malware, or share confidential internal data, leading to data breaches or other incidents. By providing employees with regular training, these types of incidents can be prevented, reducing the costs associated with these insider threats as well as the reputational damage and legal issues that come with them.
Additionally, providing security awareness training can improve personal cyber hygiene and the overall security posture of a company, leading to increased efficiency and productivity, as employees who are trained to recognize and report security incidents can help detect and mitigate security threats early, thereby reducing their impact and the costs associated with them.
However, implementing a combination of measures tailored to a company’s specific needs is still the best approach to combating insider threats and saving costs in the long run.