Security teams can be so focused on blocking cyberattacks from external actors that they forget the potential threats within their organizations. Verizon reports that insider threats cause almost 20% of all breaches.
Insider threats are difficult to defend against using traditional threat prevention measures because insiders inherently require elevated trust and access to get their jobs done. As a result, malicious insider attacks remain undetected for an average of 216 days in 2022, with a mean time to contain 68 days, according to the IBM Cost of Data Breach report. However, insider threats are not only malicious; they can also be accidental human errors. Even in this case, businesses require 189 days to identify the mistake.
The longer the incident – whether malicious or negligent – goes undetected, the higher the cost for the organization. The IBM report mentioned above indicates that the average cost of a data breach caused by a malicious insider is $4.18 million, while the equivalent cost for accidental data loss is $3.94 million.
Organizations of all types and sizes are vulnerable to insider threats – from family-owned small businesses to Fortune 100 corporations, local and state governments, and public infrastructure to major federal departments and agencies. Despite the challenges, companies can effectively defend against insider threats by investing in the right combination of policies, training, systems, and oversight.
Let’s Define Insider Threats
Insider threats exist because organizations grant trust and access to individuals. Organizations rely on insiders to perform every business function – from the most basic to the most sensitive.
NIST defines an insider threat as the potential for an insider to use their authorized access or knowledge of an organization to harm that organization. This harm can include malicious, negligent, or accidental actions that impact the confidentiality, integrity, and availability of the organization, its data, personnel, facilities, and assets.
Although the fundamental disposition of an insider threat may be similar for many organizations, the manifestation of the danger may be vastly different, depending on the nature of the organization, the sector type, the products and services performed, and the assets that organizations should protect from loss, compromise, damage, or theft.
Broadly, insider threats originate from two primary kinds of activity: unintentional and intentional. Unintentional actions can be further broken down into negligent and accidental acts. A negligent insider can expose an organization to a threat by their carelessness, while an accidental insider makes a mistake causing an unintended risk to an organization.
On the other hand, intentional or malicious insiders can intentionally take actions that harm an organization for personal benefit or to act on a personal grievance. Some intentional insiders are motivated by disgruntlement related to resentment, ambition, or financial pressure. Others may desire recognition and seek attention by creating danger or divulging sensitive information. They may even think they are acting for the public good.
The potential consequences of an insider incident vary and may include financial loss, loss of privacy, unauthorized disclosure, damage and disruption of services, and data theft.
Don’t Rely on Traditional Threat Prevention
Insider threats can be more challenging to identify or prevent than outside attacks. They are invisible to traditional threat prevention solutions focusing mainly on external threats. If an insider exploits an authorized log-in, the security mechanisms may not identify the abnormal behavior. Moreover, malicious insiders can go undetected knowing about an organization’s security measures.
Besides the complexities of identifying an insider threat within the organization, emerging technologies and work trends make detecting and preventing insider attacks more difficult. The prevalence of BYOD, the proliferation of SaaS tools and applications, and data migration to the cloud have obscured corporate perimeter. The variety, breadth, and dispersed nature of access points make it harder for businesses to control the security environment and give malicious insiders the advantage of hiding their tracks.
Invest in an Insider Threat Mitigation Program
Despite the significant costs associated with an insider incident and a strong value proposition for managing this threat, many organizations have no formal insider threat program. Beyond the financial ramifications of an insider incident, every organization must care for its members. Organizations are responsible for ensuring that their employees and partners are safe.
The cost of managing and recovering from an insider incident is significantly higher than establishing and maintaining an insider threat program. Organizations that create or enhance an insider threat mitigation program will experience a return on investment (ROI), both intangible and tangible, including:
- Positive security culture
- Increased culture of shared responsibility
- Early identification of threats
- Reduced time to detect threats
- Protection of business brand and reputation
Effective insider threat mitigation programs employ tools “that help businesses detect, investigate, and respond to insider threats to their data. Those practices and methods will limit the impact of the damage an insider can do, whether the act is malicious or unintentional.
CISA has published a guide to help businesses build an insider threat mitigation program. According to the Agency, an effective program should be able to detect and identify abnormal actions, assess threats to determine business risk, and implement solutions to manage and mitigate the potential impact of an insider incident.
A holistic insider threat mitigation program combines physical security, personnel assurance, and information-centric principles. Its objectives are to understand the insider’s interaction within an organization, monitor it appropriately, and intervene to manage it when it threatens the organization.
Successful insider threat mitigation programs address three core principles, which apply to organizations of all sizes and maturity levels:
- Promote a protective and supportive culture.
- Safeguard organizational valuables while protecting privacy, human rights, and liberties.
- Remain adaptive as the organization evolves and the risk environment changes.
On the technology stack level, there are many tools that organizations can leverage, including data loss prevention (DLP), User Behavior Analytics (UBA), Privileged Access Management (PAM), access control systems, SIEM, and others. A formal training and awareness program must supplement all these. The training program must include all employees since highly aware and adequately trained personnel is vital to the early detection and prevention of an insider threat, as they can act as sensors who can report anomalous or unauthorized activity or concerning behaviors.
The consequences of an insider incident can ripple through an organization and community with devastating outcomes and long-term negative impacts. Preparedness is a shared, organization-wide obligation. As individuals, we each have a role in recognizing insider threats and reporting concerning behaviors.