When thinking about cybersecurity, we envision malicious actors working in dark basements, honing their tools to invent cunning new ways to breach our defenses. While this is a clear and present danger, it's also important to understand that another hazard is lurking much closer to home - the insider threat.
Insider incidents have hit organizations in every sector, ranging from straightforward fraud or theft to elaborate sabotage. The stakes keep rising: IBM's 2024 Cost of a Data Breach report put the global average cost of a breach at USD 4.88 million, a 10% increase over the previous year and the highest figure recorded to date.
Verizon's Data Breach Investigations Report for 2022 incidents attributes the large majority of breaches (83%) to external actors, but internal actors still featured in roughly one in five, and IBM's research found that malicious insider attacks carry the highest average cost of any initial attack vector, at USD 4.99 million.
An Inside Job
Insider threats fall into two main categories. The first is the careless or negligent insider, who emails sensitive information to the wrong person by mistake, leaves a USB drive lying around, or loses a phone with sensitive business data on it. The other is the malicious insider, usually a disgruntled or greedy employee who wants to harm the business or profit from it.
Unfortunately, internal breaches often go undetected and are sometimes not reported by companies, as organizations are disinclined to share the details of what they view as a damaging and embarrassing incident.
Insider attacks come close to a "perfect crime" because insiders start with an advantage an outsider has to earn: legitimate credentials, authorized access to systems and data, and knowledge of the company's procedures and sometimes its weak spots. An outsider has to work through several stages just to reach the position an insider already occupies, and each of those stages is a chance to be discovered and stopped.
The Root Causes of Insider Threats
Research by the Ponemon Institute into the causes of insider incidents, both malicious and accidental, found that malicious or criminal insiders account for 26% of them. These are employees or other authorized individuals who exploit their data access for harmful, unethical, or illegal ends. Because employees are now routinely granted broad access to information to keep them productive in a work-from-anywhere environment, a malicious insider is harder to pick out than an external attacker.
More worryingly, the negligent insider was the leading cause, with 56% of reported insider incidents stemming from careless actions by employees or contractors. That carelessness takes many forms: failing to secure devices, disregarding the company's security policy, or neglecting to apply patches and updates.
These insiders are responsible for the bulk of incidents because employees often don't share IT leaders' perspectives on company data ownership and may underestimate the associated risks, sometimes not realizing that sharing data insecurely is wrong. This underscores the need for organizations to prioritize user education on data ownership. Clear policies and awareness training are essential to clarifying employee responsibility for protecting the company's intellectual property.
Additionally, accidents are increasingly common due to the rapid growth of unstructured data in emails, messaging apps, and collaboration platforms, which makes sharing information easy. This convenience can lead employees to inadvertently share sensitive company information in ways that violate corporate or regulatory policies.
Deter, Detect, Respond
To prevent insider attacks, security solutions should focus on three key areas:
- Deter: Implement proactive measures to enhance security hygiene, making the environment less appealing for attackers.
- Detect: Identify signs of an attacker's presence as early as possible.
- Respond: Act quickly to mitigate attacks while minimizing disruption to business operations.
Although organizations express confidence in their detection capabilities, many struggle to respond, deter, and improve operationally. A common barrier to better detection is the inability to prioritize alerts, made worse by a shortage of skilled staff and resources. Compliance requirements help establish a baseline of standard practice, but when effort goes into producing audit evidence rather than into detection, they become an obstacle to it.
Many organizations also operate in a "fog of war" around insider threats because risk priorities are not communicated clearly. The result is security technology that does not address the most significant risks, and too few organizations effectively track which business systems are critical in the first place.
Focus on Lateral Movements
Leadership buy-in is crucial for putting in place technical controls that watch how insiders move through the environment. Attackers, internal or external, ride on legitimate existing connectivity between systems, so their activity blends in with normal business traffic. To shrink that room for movement, organizations should apply the principle of least privilege to user permissions and remove credentials that are no longer needed, especially on high-privilege accounts.
Identity and Access Management (IAM) and Privileged Access Management (PAM) solutions help keep that state in place over time. Change monitoring, combined with a robust change management process, then surfaces unauthorized activity: a change to a critical system that does not correspond to an approved change record is exactly the kind of event that can reveal an insider at work.
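The least-privilege review described above, as an added example that is not Tripwire's or the author's code: it walks a constructed export of accounts and group memberships, joined with the last time each privileged group was actually exercised, and lists the entitlements to remove. The group names, the 90-day policy and the sample accounts are assumptions chosen for the example.

```python
"""Least-privilege review of privileged entitlements (added example).

Flags privileged group memberships that should be removed: held by a departed
owner, held by a shared account nobody is accountable for, never exercised, or
unused for longer than the idle policy. Group names, the policy threshold and
the sample data are assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed: groups the organization treats as high privilege.
PRIVILEGED_GROUPS = {"Domain Admins", "db_owner", "sudo"}
# Assumed policy: a privilege not exercised in a quarter is removed.
MAX_IDLE_DAYS = 90
# Fixed reference time so the example is deterministic.
NOW = datetime(2024, 9, 1)


@dataclass
class Account:
    name: str
    owner_active: bool                # False once HR records the person as departed
    shared: bool                      # generic account with no single accountable owner
    groups: set
    last_use: dict = field(default_factory=dict)   # group -> last time it was used


def review(accounts, now=NOW):
    """Return (account, group, reason) for every privileged entitlement to remove."""
    findings = []
    for acct in accounts:
        for group in sorted(acct.groups & PRIVILEGED_GROUPS):
            if not acct.owner_active:
                findings.append((acct.name, group, "owner departed: disable account"))
            elif acct.shared:
                findings.append((acct.name, group,
                                 "shared account holds privilege: move to named accounts"))
            elif group not in acct.last_use:
                findings.append((acct.name, group, "privilege never exercised: remove"))
            elif (now - acct.last_use[group]).days > MAX_IDLE_DAYS:
                idle = (now - acct.last_use[group]).days
                findings.append((acct.name, group, f"unused for {idle} days: remove"))
    return findings


# Constructed sample export; names and timestamps are invented for the example.
SAMPLE_ACCOUNTS = [
    Account("alice", True, False, {"Domain Admins", "staff"},
            {"Domain Admins": NOW - timedelta(days=10)}),
    Account("bob", True, False, {"sudo", "staff"},
            {"sudo": NOW - timedelta(days=200)}),
    Account("carol", True, False, {"db_owner", "staff"}),
    Account("dave", False, False, {"Domain Admins"},
            {"Domain Admins": NOW - timedelta(days=3)}),
    Account("svc-backup", True, True, {"sudo"},
            {"sudo": NOW - timedelta(days=1)}),
    Account("erin", True, False, {"staff"}),
]

if __name__ == "__main__":
    for name, group, reason in review(SAMPLE_ACCOUNTS):
        print(f"{name:12} {group:14} {reason}")
```

Feeding this a real IAM or PAM export means replacing the constructed list with the exported records; the useful property is that every finding carries a reason an owner can act on, which is what turns a periodic access review from a checkbox into actual privilege removal.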
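Change monitoring reconciled against change management, as an added example that is not Tripwire's or the author's code: it hashes a set of monitored files, diffs them against a stored baseline, and labels each change either with the approved change ticket whose window and file list cover it or as unauthorized. File paths, contents, the ticket and the timestamps are constructed for the example.

```python
"""Change monitoring reconciled with change management (added example).

Detects added, removed and modified files against a hash baseline, then
attaches the covering approved change ticket to each change or marks it
UNAUTHORIZED. Paths, contents, tickets and times are constructed; a real
deployment keeps the baseline where the monitored host's own administrators
cannot rewrite it.
"""
import hashlib
from datetime import datetime


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Map each monitored path to the hash of its known-good content."""
    return {path: sha256_of(content) for path, content in files.items()}


def detect_changes(baseline: dict, current: dict) -> list:
    """Return (path, kind) for every difference; kind is added, removed or modified."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append((path, "removed"))
        elif path not in baseline:
            changes.append((path, "added"))
        elif baseline[path] != sha256_of(current[path]):
            changes.append((path, "modified"))
    return changes


def reconcile(changes: list, observed_at: datetime, approved: list) -> list:
    """Attach the covering ticket to each change, or mark it UNAUTHORIZED.

    A ticket covers a change only if it lists the path and its approved
    window contains the time the change was observed.
    """
    results = []
    for path, kind in changes:
        ticket = next(
            (c["ticket"] for c in approved
             if path in c["paths"] and c["start"] <= observed_at <= c["end"]),
            "UNAUTHORIZED",
        )
        results.append((path, kind, ticket))
    return results


# Constructed baseline and current state of a monitored host.
BASELINE_FILES = {
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/opt/app/config.yml": b"db_host: db01\n",
}
CURRENT_FILES = {
    "/etc/sudoers": b"root ALL=(ALL) ALL\ndeploy ALL=(ALL) NOPASSWD: ALL\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/opt/app/config.yml": b"db_host: db02\n",
    "/etc/cron.d/nightly": b"0 2 * * * root /opt/app/rotate.sh\n",
}
OBSERVED_AT = datetime(2024, 9, 1, 2, 30)
# Constructed change-management record: one approved migration window.
APPROVED_CHANGES = [
    {"ticket": "CHG-1042", "paths": {"/opt/app/config.yml"},
     "start": datetime(2024, 9, 1, 2, 0), "end": datetime(2024, 9, 1, 4, 0)},
]


def run_check() -> list:
    """Run the full cycle against the constructed data."""
    baseline = build_baseline(BASELINE_FILES)
    return reconcile(detect_changes(baseline, CURRENT_FILES), OBSERVED_AT, APPROVED_CHANGES)


if __name__ == "__main__":
    for path, kind, ticket in run_check():
        print(f"{ticket:12} {kind:9} {path}")
```

In the constructed run the config change inside the approved window is tagged with its ticket, while the sudoers edit and the new cron entry, both made with legitimate access and no ticket, come out as UNAUTHORIZED; that reconciliation step is what separates an insider's change from routine administration, since both look identical at the file level.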
Fostering Positive Behaviors
Addressing the cultural factors that lead to negligence and malicious behavior is vital. Fostering positive cybersecurity behaviors is more effective than punitive measures. While training and phishing tests are common, they often overlook the underlying attitudes that influence behavior.
Getting senior executives to visibly champion cybersecurity helps secure workforce buy-in. Firms should also measure both behavior and attitudes so that interventions can be targeted. Analyzing workforce trends and redesigning governance and processes accordingly addresses the root causes of negligent and malicious behavior, which improves employee morale as well as reducing security risk.
Ongoing, Iterative Processes
Insider threats will always be a dire risk and a major culprit behind data breaches, financial fraud, IP theft, and more. To mitigate this scourge, businesses must adopt a proactive stance and implement effective controls and measures to guard sensitive data, manage vulnerabilities, and reduce the chances of exposure or misuse of their data assets.
Moreover, improving security behavior should be an ongoing, iterative process. The human factor in cybersecurity is never "fixed," and there is no silver bullet. Human skills, knowledge, leadership, and technology together strengthen an organization's security posture. Fortunately, Tripwire provides a range of technical solutions to help you combat insider threats.
For instance, Fortra Vulnerability Management provides visibility of insider actions, identifies weaknesses that they could use against you, and makes these events actionable with real-time alerts, automation, and reporting.
Editor's Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.