Insider threats are nothing new.
Unfortunately, the cybersecurity landscape is littered with cautionary tales of businesses that have fallen victim to attacks from within. In recent years, however, insider incidents have increased rapidly, up by almost 50% between 2018 and 2020.
And the consequences can be severe. According to the 2020 Ponemon Institute Cost of Insider Threats report, insider attacks are estimated to cost businesses around US$11.45 million per year.
While many organisations are increasingly aware of the threat posed by insiders, the modern workplace makes prevention increasingly difficult. With many of us now well-accustomed to remote and hybrid working, it is unlikely that we will ever return to the norms of the office environment, leaving many existing security approaches and platforms outdated and in need of cyber strategies that keep pace with digital transformation.
The resulting reliance on cloud setups, changing work hours and behaviour, and a lack of visibility make insider threats, whether malicious or negligent, much harder to defend against.
So much so that Forrester estimates one-third of all cyberattacks in 2021 will be insider driven, up from 25% currently.
Faced with this growing threat, the case for a comprehensive Insider Threat Management (ITM) solution is indisputable. Now more than ever, organisations must implement robust ITM programmes, combining tools, technology, process, and, perhaps most importantly, people.
Understanding insider threats
Traditional cyber defences are perimeter-based, built to protect from the outside in. Insider threats require a defence capable of protecting your data, networks, and systems in a perimeter-less environment.
This requires a different approach, with tailored tools, strategies, and awareness training – a fact that worrying numbers of organisations continue to overlook. Proofpoint’s 2021 State of the Phish report shows that while 98% of surveyed organisations had a security awareness training program in place, only 64% offered formal training sessions to users as part of cybersecurity training initiatives.
To make matters worse, insider threats come in many forms: those intentionally seeking to do your organisation harm, those doing so by accident, and others who aren’t really “insiders” at all.
Negligent threats, the most common kind, account for almost two-thirds of all incidents. They occur when a user unintentionally allows a threat actor access to your data and systems, for example by clicking on a malicious link, misusing their password, or accidentally exposing sensitive data.
While less common, malicious threats are often more damaging – costing an average of US$755,760 per incident, compared to US$307,111 when caused by negligence. Malicious threats can be driven by employees seeking revenge, financial gain, or by cybercriminals who have compromised legitimate accounts to get inside your networks.
The third type of insider threat is the compromised account, costing an average of US$871,686 per incident and making it the costliest type of insider threat. These involve an imposter or credential thief who targets users’ login information to gain unauthorised access to applications and systems.
In any case, insider threats are notoriously difficult to detect and defend against. Negligent insiders with no motive may display few warning signs. Malicious attackers, meanwhile, will go to great lengths to cover their tracks and avoid arousing suspicion.
Add to this a relatively new way of working, a disparate workforce, and many more points of attack, and the challenge facing cybersecurity teams becomes abundantly clear.
The hybrid factor
Hybrid environments not only increase the risk of insider threats occurring, but without a comprehensive ITM programme in place, they also make them much harder to detect when they do.
Though many organisations are now accustomed to hybrid working, it remains a relatively recent development. Cybersecurity teams are still learning what normal looks like in their log telemetry, with users accessing networks from various locations and devices, and at times that may once have been considered unusual.
With flexible work patterns now commonplace, trends are much harder to spot. Behaviours traditionally considered suspicious may no longer raise alarm. Most organisations also now have many more access points, vastly increasing the potential attack surface.
Then there is the social and psychological impact of flexible and hybrid environments. Outside of the office, users may be more inclined to veer from best practice just to “get things done”, whether that means using personal machines for convenience or corporate machines for personal tasks, writing down passwords, or improperly accessing systems and data.
Most concerning of all, many users may not even be aware of the required security best practice when working from home. As of the end of 2020, just 36% of businesses had trained users on safe remote working habits, despite 92% shifting to remote working.
Working from outside the office also brings its fair share of distractions, from daily chores to home comforts, all of which can make users more prone to simple yet costly mistakes. Meanwhile, those with sinister intent may feel they can operate more freely outside of the corporate atmosphere.
Building an Insider Threat Management Programme
Effectively detecting and deterring insider threats in the modern workplace may be difficult, but it is by no means impossible.
The solution is a comprehensive ITM programme, combining controls, process, and people. This starts by building a dedicated insider threat practice tasked with monitoring and investigating suspicious activity.
A people-centric ITM programme requires specific resources such as monitoring tools capable of detecting data exfiltration, privilege abuse, application misuse, unauthorised access, and risky and anomalous behaviours.
Task this team with developing and deploying clear best-practice policies for hybrid working, covering system and network access, user privileges, password hygiene, unauthorised applications, BYOD, data protection, and more.
Finally, the cornerstone of any robust ITM programme is cyber awareness and knowledge. Your ITM team must have a rich understanding of your data activity: essentially, who is accessing what data, when, why, and through which platform. This contextual intelligence can help to establish motive and intent, which is key to spotting the early warning signs of insider threats.
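The point made above, that an ITM team needs to know who accesses what, when and through which platform, and the earlier point that a fixed office-hours notion of "suspicious" breaks down under flexible working, can be shown concretely. The following is an added example written for this page, not Proofpoint tooling or a vendor API. It assumes a simple constructed log format (ISO timestamp, user, resource, platform, bytes moved) and compares a legacy global off-hours rule with per-user behavioural baselines: the evening VPN user who has always worked evenings is not flagged, while a daytime LAN user suddenly pulling a large volume from an unfamiliar share at 02:10 over VPN is.

```python
"""Per-user behavioural baselines over access logs (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Set


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    resource: str
    platform: str
    nbytes: int


def parse_log(text: str) -> List[AccessEvent]:
    """Parse lines of the form: <ISO timestamp> <user> <resource> <platform> <bytes>.
    The format is an assumption made for this example; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, resource, platform, nbytes = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, resource, platform, int(nbytes)))
    return events


# Constructed baseline window: alice habitually works evenings over VPN,
# bob works office hours on the LAN. Neither pattern is inherently suspicious.
BASELINE_LOG = """
2021-03-01T21:10:00 alice finance-share vpn 40000
2021-03-02T22:05:00 alice finance-share vpn 52000
2021-03-03T21:40:00 alice crm vpn 30000
2021-03-04T22:30:00 alice finance-share vpn 45000
2021-03-01T09:15:00 bob crm lan 20000
2021-03-02T10:00:00 bob crm lan 18000
2021-03-03T09:45:00 bob wiki lan 5000
2021-03-04T11:20:00 bob crm lan 22000
"""

# Constructed events to score: alice's late VPN session matches her own history;
# bob's 02:10 VPN pull of a large volume from a share he has never used does not.
NEW_LOG = """
2021-03-05T22:20:00 alice finance-share vpn 48000
2021-03-06T02:10:00 bob finance-share vpn 900000
"""


@dataclass
class Baseline:
    hours: Set[int]
    resources: Set[str]
    platforms: Set[str]
    typical_bytes: float


def build_baselines(events: List[AccessEvent]) -> Dict[str, Baseline]:
    """Summarise each user's own history: when, what, through which platform, how much."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    return {
        user: Baseline(
            hours={e.when.hour for e in evs},
            resources={e.resource for e in evs},
            platforms={e.platform for e in evs},
            typical_bytes=median(e.nbytes for e in evs),
        )
        for user, evs in by_user.items()
    }


def global_off_hours_rule(event: AccessEvent, start: int = 20, end: int = 6) -> bool:
    """Office-era rule: any access outside 06:00-20:00 is suspicious, whoever the user is."""
    return event.when.hour >= start or event.when.hour < end


def hour_distance(a: int, b: int) -> int:
    """Distance between two hours of day on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(event: AccessEvent, baselines: Dict[str, Baseline], volume_factor: float = 5.0) -> List[str]:
    """Return the ways an event deviates from its user's own baseline (empty list = consistent).
    A user with no history is reported explicitly rather than passed silently."""
    b = baselines.get(event.user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    # One hour of slack either side of the hours the user has actually been seen active.
    if all(hour_distance(event.when.hour, h) > 1 for h in b.hours):
        reasons.append("unusual hour for this user")
    if event.resource not in b.resources:
        reasons.append("first access to this resource")
    if event.platform not in b.platforms:
        reasons.append("new access platform")
    if event.nbytes > volume_factor * b.typical_bytes:
        reasons.append("volume far above this user's typical")
    return reasons


if __name__ == "__main__":
    baselines = build_baselines(parse_log(BASELINE_LOG))
    for ev in parse_log(NEW_LOG):
        print(ev.user, "off-hours rule:", global_off_hours_rule(ev),
              "| baseline deviations:", score_event(ev, baselines) or "none")
```

Run as a script, the global rule flags both users (alice's 22:20 session is a false positive), whereas the per-user baseline reports nothing for alice and four independent deviations for bob: hour, resource, platform and volume. The several-signals-at-once pattern is what gives an analyst the context to investigate motive rather than chase every late login; in practice the baseline window would be weeks rather than four days and the slack and volume factor tuned per environment.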
Users must also be equipped with the awareness and knowledge to protect themselves and your organisation. This is only possible through ongoing and adaptive security awareness training. Training should go beyond multiple-choice tests and basic security hygiene, focusing on the importance of behaviour. In fact, Proofpoint’s 2021 State of the Phish report found that 80% of organisations say security awareness training has reduced phishing susceptibility across their employee base.
Whether at home, in the office, or in between, individuals must know the standards that are expected of them and the role they play in keeping your business safe.