One of the likely consequences of the global economic downturn is an increase in insider threat incidents.
Workforce reductions, and disgruntled and stressed employees are known risk factors for insider data breaches to occur. These are both non-malicious, due to mistakes, negligence and being tricked, and malicious, born out of resentment towards employers or for monetary gain.
David Higgins, senior director of the Field Technology Office at CyberArk, noted: “Insider threat as an issue is one that is getting bigger, driven in part by today’s difficult economic times.”
A report from DTEX and the Ponemon Institute in September 2023 found that the number of insider incidents increased to 7343 in 2023, up from 6803 in 2022, while the average annual cost of such incidents per organization rose to $16.2m from $15.4m in the same period.
During the 2023 National Insider Threat Awareness Month (NITAM), it is more important than ever for organizations to truly understand how insider threats manifest and how to address them.
1. The Majority of Insider Threats Are Non-Malicious
Contrary to what many believe, the majority of insider threat incidents are not malicious in nature. Non-malicious insider data breaches come in several forms – unintentional, due to negligence and/or mistakes, and those caused by nefarious actors duping employees into leaking sensitive information.
Stephan Jou, security analytics CTO at OpenText Cybersecurity, commented: “Inadvertent actions, such as negligent handling of sensitive information or unintentional security breaches, can pose serious insider threat risks. In my experience, these inside threats comprise the majority of the risks to the organization, much more than the headline-grabbing bad guys who intentionally cause harm.”
This analysis is backed up by the aforementioned DTEX and Ponemon report, which showed that non-malicious insiders accounted for 75% of incidents. This was made up of either negligence or mistakes (55%) or being duped by an external actor (20%).
These types of risks are exacerbated by stress and burnout, according to Higgins. “Not being on top of their game means security teams may not be as alert to potential risks as they should be,” he outlined.
“This increases the risk of them missing attacks, and the same situation can also mean that co-workers are more likely to fall victim to phishing attacks. Even well-meaning employees are likely to be responsible for accidental insider threats.”
2. Insider Threats Aren’t Just Committed by Employees
It is important organizations take a holistic view of insider threats, looking beyond employees to contractors, third-parties and suppliers. Jou outlined: “Insider threats can originate from employees, contractors, partners or any individual who has authorized access to an organization's systems, data, or facilities. It's important to consider insider risks from a broader perspective.”
As a result, organizations must work closely with third parties, to firstly gain awareness of who has access to what systems and data, and to ensure that access is restricted to those areas required by the individuals to do their job.
In addition, when a third-party relationship ends, organizations must ensure permissions to access sensitive information are promptly removed. If not, Higgins sad that the vendor can still access company assets, or an external actor could even hunt down these “orphaned” accounts and use them for malicious purposes.
"It's important to consider insider risks from a broader perspective”
3. Insider Threat Isn’t Just an IT Issue
As insider risk is, at its heart, a human issue, dealing with this issue cannot be limited to IT or cybersecurity teams. Instead, collaboration is required with departments like HR, legal and management, potentially alongside support from the executive or board leadership, said Jou.
This includes picking up on suspicious behaviors and employees that appear unhappy in their roles early, to quickly resolve any issues before they turn into potential insider threats. This could be non-malicious in nature, for example helping employees who are stressed or facing financial difficulties.
Jou stated: “Since individuals are involved (keeping in mind that, as noted above, those individuals are not always employees but sometimes contractors, partners or other humans connected to your business), a well-defined and funded response plan that pulls in HR, legal, compliance and management stakeholders at the right time becomes important.”
4. Traditional Security Tools Are Insufficient to Deal with Insider Threats
Identifying insider threats represents a different challenge for security teams to dealing with external cyber-attacks. This is because the perpetrators are authorized personnel, running authorized applications and performing authorized accesses.
As a result, Jou argued that standard monitoring and access control systems do not work for these actors. Instead, new AI and machine learning tools are critical to quickly identify suspicious behaviors from employees.
“This is why, from a monitoring and detection perspective, anomaly detection – analyzing behavioral patterns and looking for deviations from normal, predicted behavior – is such a keystone technique in insider threat detection,” he commented.
Roman Arutyunov, co-founder and SVP of products at Xage Security, said that businesses must employ a distributed and universal approach to access management to mitigate insider threat risk. He emphasized that in the hybrid working world, users should be authenticated for interactions with assets and data, regardless of where they are operating from.
“Many organizations implicitly trust users when they are onsite through shared accounts, static credentials or assets with no credentials at all,” he observed.
5. Specific Awareness Training Required for Insider Threats
With the majority of insider threats non-malicious in nature, highlighting to employees the ways they can be manipulated by nefarious actors online, and common mistakes that cause data leaks is essential. This should be separate to traditional cybersecurity awareness training programs.
“Realizing that the majority of insider threats really are the “clueless guy,” as noted above, a process that includes an educational component becomes an important defensive play,” stated Jou.
In fact, many employees may not even realize that actions like taking corporate data to a new employer are not illegal, so emphasizing the potentially severe consequences of such behaviors is critical.
Finally, employees should be encouraged and feel able to approach management for support when they feel stressed or have personal problems, as these are known risk factors for insider activities.