As the end of the year draws near, it is timely for organisations to take a step back and properly review their cybersecurity hygiene levels.
While this should always be a constant part of the process, cybersecurity complacency is rife within Australian organisations, despite the evolving threat landscape and shifting constraints.
So much attention is given to protecting organisations from tech-savvy cybercriminals operating from far-flung corners of the world, and for very good reason. Yet much less attention is given to pinpointing those who have every right to be in your network but who are malicious agents.
Disgruntled former employees. Trusted team members. Contractors. Partners. Whether intentional or not, the people closest to your business have the potential to misuse their access to assets and networks. In the process, they can sometimes do the most damage, even if they mean no harm.
Rogue employees or insider threats made up 10% of all malicious or criminal attacks notified to the Office of the Australian Information Commissioner (OAIC) in the first half of 2021.
Globally, it’s costing businesses a lot. The Ponemon Institute’s 2020 Cost of Insider Threats Report found the average global cost of insider threats rose by 31% in two years to US$11.45 million.
While security teams are focusing on keeping the bad guys out, it’s easy to miss what’s happening right behind them. The insider threat is very real, very hard to spot and makes balancing efficient daily workflows and stringent, always-on security a real challenge.
How do insiders operate?
Insider threats operate undercover, and that is what makes them so difficult for cybersecurity experts to detect. Because they are motivated by a range of underlying factors, such as anger, financial struggles, political activism or outside influence, it’s not always easy to pinpoint who a potential malicious insider is, or what their particular motives are.
But they certainly have a leg up because, unlike outside attackers, insiders have legitimate access. They have knowledge of and access to sensitive information and can often legitimately bypass security measures.
That means malicious insiders can easily move throughout systems using stolen credentials from other corporate identities, elevating their access and worming further into privileged systems to steal data or use it in ways they shouldn’t.
For example, earlier this year the New South Wales corruption watchdog found a Service NSW employee was involved in ‘serious corrupt conduct’ in 2019, including agreeing to alter government records in exchange for money. The employee used the DRIVES database to improperly access the personal information of an individual, with the watchdog concluding that Service NSW failed to prevent or detect unauthorised access of DRIVES, and that the agency’s quality control framework failed to adequately address misuse-of-information risks.
Before devising a strategy for shoring up security measures against threats in your organisation, it’s important to consider where this responsibility ultimately falls. Is it solely the purview of the security teams? Or do HR and legal bear some responsibility since insider threats track back to hiring and potential employee vetting?
The answer, like so much associated with the digital world, is that the more communication and cooperation you have between departments and leadership, the better equipped you will be to uncover and mitigate threats from within.
And the fewer unmonitored pathways you have, the less likely malicious actors will be able to move about undetected. Focusing on those pathways is vital.
What can you do about it?
The rise of remote and hybrid work, cloud usage and increased reliance on alternate means of employee connection has caused the scope and consequences of insider threats to explode.
In this new reality, you can’t simply separate the “good” guys from the “bad” guys because they often look alike. What’s more, sometimes a person will start out as one and eventually become the other.
The solution is to trust no one until you can continuously verify that they are who they say they are. This zero trust approach applies to every type of identity — human insiders, human outsiders, machine users, applications and even devices.
Taking a zero trust approach goes a long way to proactively managing insider threats by limiting disruption, strengthening security resilience and protecting resources — particularly in hybrid cloud environments. In a perfect world, each insider should only have the privileges and permissions needed to perform their intended functions – nothing more, nothing less.
This approach makes operating in our new boundary-less world a whole lot safer, which is critical when millions of dollars and reams of sensitive data are at stake.