Whether insiders or outsiders pose a greater cybersecurity threat is a matter of ongoing debate. However, recent or recently discovered data breaches prove that insider threats have become a major concern for companies everywhere.
Insider threats have meant an issue for organizations for a long time, but with digitalisation and increased connectivity they have become even more prevalent. During the past year, some of the biggest and most expensive data breaches were caused by inside actors. The Tesla data theft case, which involved large amounts of highly sensitive data transferred to unknown third parties by a malicious insider, clearly illustrates the danger of insider threats. Similarly, Suntrust Bank suffered a data breach, caused by an employee who stole the records of 1.5 million clients.
As the above examples prove, it’s no question that insiders represent a key cybersecurity threat regardless of the size and industry of the business, thus can expose organizations to breaches and put corporate data at risk.
The rise of insider threats
In contrast with external threats, in the case of internal threats the risk originates within the company and they are caused by a current or former employee, contractor, or business partner who has access to the organization’s network, systems, or data. Motivations behind stealing or leaking sensitive company data can be various, including among others malice, espionage and sabotage. Disgruntled employees or those seeking financial rewards or other personal gains as well as incidents caused by negligent insiders can be more challenging for organisations as these people usually have legitimate access to data. Internal threats can have a wide range of shapes including mishandling or misusing company or customer information, removing sensitive information from premises for unauthorized or unknown reasons, using unauthorized storage devices (e.g.USB drives), copying company or classified information unnecessarily etc.
Companies are increasingly implementing strategies for collaboration to make information sharing easier than ever. Workstream collaboration (WSC) platforms like Slack or Mattermost, adopted by a growing number of organisations in order to enhance productivity and collaboration, also create a new set of threat vectors and introduce inherent risks. The insider threat is very present with these tools, whether it is in the form of an employee accidentally sharing customer database, intentional disclosure of trade secrets, or Social Security numbers being shared to the public cloud.
The consequences and dangers of internal attacks are multiple; beyond the lost value of the asset that was disclosed, removed or destroyed, businesses can suffer losses of revenues as well as of intrinsic value. Furthermore, these can have cause operational disruption and depending on the size of the organization, the type of the cyber incident and the required mitigation actions it can involve high remediation costs. Liability costs include compliance fines, breach notification costs, higher insurance costs and litigation costs. The reputation of the business although it is difficult to quantify, is also among the most affected aspects.
Mitigating insider threats
Insider threats can be challenging to combat as humans are hugely complex, displaying a matrix of emotions and motivations behind their actions. However, mitigating these risks in not impossible. Businesses should have appropriate detection and response data security controls, instead of simply trusting employees to keep sensitive data safe. Let’s check what can companies do to reduce risks related to internal attacks.
Combating insider threats requires not only a different focus and approach, but also a different mindset. “Security is everyone’s business” is a message that companies should reinforce frequently. Educating entire teams with little to no technical background can be difficult, however the importance and best practices of cybersecurity should be known by all employees.
Having a security policy to protect against insider threats is also an extremely important aspect. A security policy should include procedures to prevent and detect malicious activity, and should include an incident response policy, a third-party access policy, an account management and a password management policy as well. Companies should also locate where their sensitive data resides and determine who can have access to it.
Implementing robust technical controls are also an important step in mitigating insider threats. Traditional security measures tend to focus on external threats, but these usually are not efficient in identifying an internal risk emanating from inside the organization. In order to protect assets, several tools should be implemented. For example, solutions like encryption and Data Loss Prevention (DLP) can prevent data exfiltration by insiders.