What are insider threats in cybersecurity? An insider is an individual who has, or once had, authorized access to an organization’s resources: its infrastructure, facilities, personnel, equipment, information, and more. Insiders can be current or former employees, executives, and even third-party contractors.
Insiders often pose a bigger threat to organizations than outsiders. Whether it’s accidental or intentional, insiders can cause millions of dollars worth of damage.
Insiders typically have access to some, if not all, of the applications the organization uses to store data. Misconfigurations and mistakes in handling that data and those resources lead to breaches and credential theft. In fact, according to surveys, two out of three insider incidents are the result of negligence, not malice.
Malicious insiders, on the other hand, can exploit their position from within. They often know the best way to access or degrade their organization’s network, or which high-value individuals to target.
Insider threat incidents have risen 44% over the past two years, according to the Ponemon Institute, at an average annualized cost of $15.38 million per affected organization. Insider threats can be difficult to detect, but security leaders can identify the areas of the business most prone to such risks and focus on bolstering them.
To protect themselves from insider threats, companies need cybersecurity solutions that provide unified visibility, cross-channel event correlation, and an agentless architecture. Basic protection protocols, though important, are no longer enough; organizations need advanced insider detection and response in place.
- Insider threat incidents have risen 44% over the past two years, with the average annualized cost reaching $15.38 million per organization. (Ponemon Institute)
- Credential theft is the fastest-growing form of insider threat, up 65% in two years; its annualized cost rose from $2.79 million (2020) to $4.6 million (2022). (Ponemon Institute)
- Negligence is the cause of more than two out of three insider incidents. (Observe IT)
- For 55% of organizations, the greatest insider risk comes from privileged users, who are prone to accidentally exposing the data they administer. (Observe IT)
- 85% reveal that they “find it difficult to determine the actual damage of an insider attack.” (Security Roundtable)
- The top three motivations for insider attacks, according to one study, are fraud (55%), monetary gain (49%), and IP theft (44%). (Fortinet)
- The departments most exposed to insider attacks are finance (41%), customer access (35%), and research and development (33%). (Fortinet)
- US-based organizations are exposed to about 2500 internal security breaches daily. (IS Decisions)
- Financial services organizations have the highest annualized insider threat cost, about $21.25 million, 47% more than the previous year. Retail is second at $16.56 million, a 62% increase. (Ponemon Institute)
With the evolution and massive adoption of cloud communication channels, the attack surface available to insiders has rapidly expanded.
This comes in the wake of the “Great Resignation”, which shows no signs of slowing down. Moreover, rising inflation, tight budgets, and sky-high interest rates have left people anxious and uncertain, especially about their job security.
These pressures manifest in several ways:
- Churn: in some sectors, unhappy employees leave their companies for greener pastures, often ending up with competitors in the same industry.
- Employee anxiety: a LinkedIn poll shows anxiety levels rising as worrisome headlines and hiring freezes leave workers concerned about their employment.
- Overtaxed workers: employees are forced to do more with less because the organization cannot fill vacancies or has frozen hiring. They also suffer cognitive overload from juggling many communication channels, moving between email, phone, Slack, and more.
These conditions contribute greatly to insider risk and the threat it poses to your organization’s security posture.
Take note: The human element of cybersecurity is valuable, but it’s also extremely vulnerable. The fact is that your employees have a certain level of control over your data, systems, equipment, and networks. Whether it’s accidental or intentional, they have the power to threaten your organization and its security.
One of the biggest risks is that internal data is typically available 24/7 to anyone holding valid credentials, and insider threats can exploit this. An unfortunate example was a company known as Code Spaces, which was forced out of business after an attacker who had taken control of its cloud management console deleted the company’s data and backups.
Organizations have also rapidly adopted cloud-based communications and platforms to support the new normal of workforce operations. However, it is becoming increasingly clear that security teams are losing insight into, and control over, the intent and context of employee communications.
Insiders rarely need to impersonate CEOs and executives the way external social engineers do; all they need is to convince colleagues to grant them access to data and resources they don’t already have. Workers also exchange so many messages over channels like Teams and Slack that separating benign from malicious ones is a massive headache.
IT professionals know that organizations can be extremely vulnerable to insider threats. That’s because insiders have the best knowledge about how to infiltrate the internal network, especially those with administrative access to sensitive systems.
Furthermore, can the SOC correlate risk across multiple communication channels? Most security tools face outward, focused on external threats and incoming malicious payloads. Insiders are often overlooked or, at best, guarded by legacy tools that rely heavily on endpoint agents to detect file movement.
Unfortunately, the volume and velocity of data companies now handle, combined with the proliferation of BYOD practices, make such legacy tools difficult to manage. Traditional agent-based insider threat tools are also resource-heavy. They can be deployed to managed devices, but they miss BYOD tablets and phones entirely. Companies need agentless protection, especially for applications accessed from a browser.
With threats now spanning both email and the cloud workspace, monitoring inbound and outbound communications has become crucial. This includes oversight across email, collaboration platforms, mobile chat, and social media channels.
Moreover, gaining insight and context into internal communications is now a must. Preventing both external and insider threat scenarios requires analyzing communications against risk signals such as topic, behavior, lexicon, and more.
Insider threats can broadly be sorted into two categories: intentional and accidental. Beyond these two designations, insiders take many forms.
A user can inadvertently leak sensitive data over cloud-based communication apps through lack of training, carelessness, or a compromised account. This is purely unintentional and, most of the time, it gets flagged by security before it gets worse.
For example, a large Brazilian company approached the SafeGuard Cyber team seeking help. They use WhatsApp for customer communications and, unfortunately, one of their employees had accidentally hit send on a message containing an entire CSV file of customer data.
This was purely accidental, the result of a clipboard error: the file happened to be the last thing the employee had copied before opening WhatsApp. The error was nevertheless embarrassing and potentially costly.
To proactively prevent this, organizations need a security platform powered by Natural Language Understanding (NLU) and cloud-based machine learning (ML). This combination lets companies detect security incidents and compliance violations across contexts and languages. Data passing through communication channels is subjected to real-time policy supervision and, where needed, automated quarantine.
The result? Data secured and compliance violations averted.
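The clipboard incident above is exactly the case a content-aware check on outbound messages should catch: a message that is not one contact but a whole export. As an added example, not code from the original article or from SafeGuard Cyber, the following Python sketch classifies a message by counting distinct customer identifiers and by recognizing pasted delimited rows. The thresholds, the policy tiers and the sample messages are constructed; a production system would add NLU on the surrounding text and learn thresholds per channel.

```python
"""Heuristic DLP check for bulk customer data pasted into a chat message.
Added example (not SafeGuard Cyber code); thresholds and sample messages are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Space only, not \s, so a phone number cannot swallow the next line's fields
PHONE_RE = re.compile(r"\+?\d[\d ().-]{7,}\d")


@dataclass
class Verdict:
    action: str      # "allow", "alert" or "quarantine"
    emails: int      # distinct e-mail addresses found
    phones: int      # distinct phone numbers found
    csv_rows: int    # lines that look like records of one delimited export


def csv_like_rows(text: str, min_fields: int = 3) -> int:
    """Count lines sharing the same delimiter and field count, i.e. rows of one export."""
    shapes = []
    for line in text.splitlines():
        for delim in (",", ";", "\t"):
            n = line.count(delim)
            if n >= min_fields - 1:
                shapes.append((delim, n))
                break
    if not shapes:
        return 0
    return Counter(shapes).most_common(1)[0][1]


def inspect_message(text: str, quarantine_ids: int = 5, quarantine_rows: int = 3) -> Verdict:
    """Decide what to do with an outbound message before it leaves the workspace.

    Policy (assumed, tune per environment): a single contact is normal business,
    a handful triggers an analyst alert, and a bulk of identifiers or a pasted
    table containing them is quarantined before delivery.
    """
    emails = len({m.lower() for m in EMAIL_RE.findall(text)})
    phones = len({re.sub(r"\D", "", m) for m in PHONE_RE.findall(text)})
    rows = csv_like_rows(text)
    identifiers = emails + phones
    if identifiers >= quarantine_ids or (rows >= quarantine_rows and identifiers):
        action = "quarantine"
    elif identifiers >= 2:
        action = "alert"
    else:
        action = "allow"
    return Verdict(action, emails, phones, rows)


# Constructed sample messages
NORMAL = "Hi Ana, can you send the revised quote to joao.silva@example.com by Friday?"
CC_TWO = "Looping in maria.costa@example.com and pedro.alves@example.com on this thread."
LEAK = (
    "customer_id,name,email,phone\n"
    "1001,Ana Souza,ana.souza@example.com,+55 11 91234-5678\n"
    "1002,Bruno Lima,bruno.lima@example.com,+55 21 99876-5432\n"
    "1003,Carla Dias,carla.dias@example.com,+55 31 98765-4321\n"
    "1004,Diego Rocha,diego.rocha@example.com,+55 41 97654-3210\n"
)

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL), ("cc_two", CC_TWO), ("leak", LEAK)):
        print(label, inspect_message(msg))
```

The point of the two-signal design is that neither signal alone is enough: a sales rep forwarding three contacts is routine, and a pasted table with no identifiers in it may be a price list. It is the combination, many identifiers or a table that contains them, that separates the clipboard accident from daily traffic.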
Employees who are dismissed or terminated can end up holding a grudge against the company and decide to take more than their share of memories when they leave.
A disgruntled ex-employee can potentially access sensitive data or systems and cause major damage. Case in point: an ex-Cisco employee accessed the company’s cloud infrastructure months after resigning and deployed code that deleted 456 virtual machines. This resulted in:
- 16,000 Webex Teams users losing access to their accounts for up to two weeks;
- approximately $1.4 million in employee time spent auditing the infrastructure and repairing the damage; and
- a total of $1 million paid in restitution to affected users.
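Deleting hundreds of virtual machines is not a stealthy act: it shows up in the cloud provider’s audit trail as a dense burst of destructive API calls from one principal. As an added example, not code from the original article, the following Python sketch runs a per-principal sliding window over such a trail and alerts once per window when the count crosses a threshold, so a sustained burst produces one ticket rather than hundreds. The log line format, the set of destructive actions, the thresholds and the events are constructed.

```python
"""Detect a burst of destructive cloud API calls by one principal, the pattern behind
mass VM deletion incidents. Added example; the log format and thresholds are assumed
and the events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that destroy resources; names follow the AWS EC2/S3 style but the set is assumed
DESTRUCTIVE = {"TerminateInstances", "DeleteVolume", "DeleteSnapshot", "DeleteBucket"}


def parse_event(line: str) -> dict:
    """Parse '<ISO-8601> principal=<who> action=<api> resource=<id>' into a dict."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_bursts(lines, threshold: int = 20, window: timedelta = timedelta(minutes=10)) -> list:
    """Alert when one principal issues >= threshold destructive calls inside a sliding window.

    Events are processed in time order; each principal keeps a deque of recent
    destructive timestamps, and an alert fires once per window when the count
    crosses the threshold so the SOC is not flooded with duplicates.
    """
    events = sorted((parse_event(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    recent = defaultdict(deque)
    last_alert = {}
    alerts = []
    for ev in events:
        if ev["action"] not in DESTRUCTIVE:
            continue
        who, now = ev["principal"], ev["ts"]
        q = recent[who]
        q.append(now)
        while now - q[0] > window:
            q.popleft()
        already = who in last_alert and now - last_alert[who] <= window
        if len(q) >= threshold and not already:
            last_alert[who] = now
            alerts.append({"principal": who, "count": len(q), "start": q[0], "end": now})
    return alerts


def sample_log() -> list:
    """Constructed audit trail: routine ops activity plus one rapid mass-termination."""
    base = datetime(2024, 3, 2, 1, 0, 0)
    lines = [
        "2024-03-01T09:15:00Z principal=ops-bob action=DeleteSnapshot resource=snap-01",
        "2024-03-01T13:40:00Z principal=ops-bob action=TerminateInstances resource=i-old1",
        "2024-03-01T17:05:00Z principal=ops-bob action=DescribeInstances resource=*",
        "2024-03-01T17:06:00Z principal=ops-bob action=DeleteVolume resource=vol-77",
    ]
    # 30 terminations in 2.5 minutes from an account that should have been disabled
    for i in range(30):
        t = (base + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{t} principal=former-engineer action=TerminateInstances resource=i-{i:04d}")
    return lines


if __name__ == "__main__":
    for a in find_bursts(sample_log()):
        print(f"{a['principal']}: {a['count']} destructive calls between {a['start']} and {a['end']}")
```

The routine operator, who deletes a few resources over a working day, never trips the rule; the former engineer trips it on the twentieth call, well before the last of the 456 would have gone. In practice the threshold should sit above the busiest legitimate cleanup job in the account, and the alert should be joined with the HR roster so that a principal who should no longer exist is escalated immediately.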
Even those who leave the company on good terms can sometimes take sensitive data with them without meaning to. And then there are people who message colleagues: “I hear layoffs are coming. Well, if they fire me, they’ll be sorry.” To counter this, an enterprise needs a proper offboarding process ensuring that departing employees surrender their access to company tools and any company property they hold. Companies also need solutions that can alert on risky and suspicious messages, as noted above.
Stealing in order to sell to a competitor is not a new phenomenon. Some employees steal trade secrets, intellectual property, and more in exchange for money, a better position at another company, or out of plain malice.
Sometimes there doesn’t even need to be a competitor involved, as in the insider trading case at Amazon: a senior manager in the company’s tax department allegedly disclosed confidential financial data to family members, enabling them to trade on it. The manager and her family allegedly made $1.4 million from these dealings.
The damage can be devastating. To counter it, enterprises need to establish a healthy anti-bribery culture; training and workshops are available to help them get started.
If the organization succeeds, it gets loyal and honorable employees, like the one who foiled the attempted ransomware attack on Tesla. Elon Musk himself confirmed that a Russian national had tried to bribe a Tesla employee with $1 million in exchange for installing malware on the company’s network.
Fortunately, the employee reported the approach to Tesla and the authorities, going so far as to work with the FBI and record his conversations with the attacker, which led to the suspect’s arrest.
Companies need to head off corporate espionage by identifying restricted data when it crosses boundaries. That requires visibility into all communication channels to secure employee interactions in the cloud workspace, and solutions that enforce data loss prevention policies to stop users from intentionally or unintentionally exposing organizational data.
A third-party company, solution, or service provider can also become an insider threat. The risk grows because third parties are routinely granted access to your data and systems, so they carry the same insider exposure your own staff does.
Case in point: US government workers have been found using LinkedIn to broadcast their high-level security clearances, including TS/SCI, access granted only to those who have passed intensive background checks and are privy to some of America’s most sensitive information.
LinkedIn members who have made the potentially-risky decision to publicly display their security clearance level come from a diverse range of backgrounds – from government, to military, to the private sector.
These leaks have been observed to be somewhat intentional, made to help the users gain more credibility and open doors to other high-level jobs. Unsurprisingly, this has exposed them as attractive targets for attackers; many even accept connection requests from complete strangers with no questions asked!
Again, these data leaks can be purely accidental or more sinister in nature. In January 2020, for example, attackers used the login credentials of two employees at a Marriott franchise to access a third-party guest services application, obtaining about 5.2 million guest records including contact information, birthdays, personal preferences, and loyalty account details.
This wasn’t Marriott’s first breach: the company was also fined £18.4 million by the UK Information Commissioner’s Office for a 2018 breach affecting about 339 million guest records.
While technically social engineering, “fake” employees and impersonators mimic insiders and can cause the same level of damage.
Social engineers study the behaviors and patterns of employees with low-level but useful initial access, such as a security guard or a receptionist. They scan social media and LinkedIn profiles for personal information and study their targets’ behavior online and in person.
The attacker then sends a simple connection request to the target to begin establishing a trusted relationship. The more connections the attacker makes within the organization, the greater the sense of trust.
(Interesting point here: We’ve experienced these attacks ourselves! Check out this article about a social engineering attempt against one of our own executives.)
At this point, the attacker is well positioned to launch the attack in one or both of two ways:
- send a malware-laced attachment to the targeted victim, under the pretext of a legitimate purpose, to compromise their device; or
- send a link that redirects the victim to a bogus website or page that either harvests their login credentials or tricks them into wiring money to an account the attackers control.
What organizations need is strong protection against data theft through customizable and out-of-the-box detection policies. Cross-channel event correlation detects the sophisticated multi-channel attacks that these quasi-insiders use to steal corporate data and drop malicious links and attachments. Policy enforcement rules within the security platform should monitor communication with outside parties to help prevent further losses.
Insider threat prevention is hard, especially when cloud data is available 24/7. Employees who have left the organization could still have access to that data if they were not properly offboarded.
Moreover, an external attacker could be masquerading as an employee or administrator to gain access to sensitive systems or data. This could be through phishing attacks or credentials being leaked or cracked.
Some of the basic procedures of insider threat protection are as follows:
Maintain a list of authorized, onboarded users and which solutions each has access to. Educate employees on the dos and don’ts of using your tech stack. Then, during offboarding, disable the departing employee’s access and remove them from the list of authorized users.
Multi-factor authentication (MFA) works, for the most part. However, the Lapsus$ extortion group has used MFA fatigue (push bombing, in which an attacker holding valid credentials floods the user with push prompts until one is approved) as an attack vector. Companies should therefore move to phishing-resistant MFA such as FIDO2 hardware security keys, and at minimum enable number matching so that a stray tap cannot approve a login.
When selecting a cloud service provider, the organization should also ensure that contractual agreements are in place that govern security policies.
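The offboarding step above, and the warning earlier that departed employees may still hold access, both come down to one recurring check: does every live account map to a current employee? As an added example, not code from the original article or any vendor product, the following Python sketch reconciles an HR roster export against the identity provider’s account list and against the membership of apps that are not behind SSO (where disabling the IdP account alone changes nothing). The roster, the account lists, the app names and the check date are constructed.

```python
"""Reconcile the HR roster against identity-provider and SaaS accounts to catch
offboarding gaps. Added example, not the page's or any vendor's code; the roster,
account lists and check date are constructed."""
import csv
import io
from datetime import date

# Constructed HR export: who should exist, and who has left
HR_ROSTER = """\
employee_id,username,status,termination_date
E100,alice,active,
E101,bob,terminated,2024-02-15
E102,carol,active,
E103,dave,terminated,2024-03-01
"""

# Constructed identity-provider account list (what SSO actually allows today)
IDP_ACCOUNTS = [
    {"username": "alice", "enabled": True},
    {"username": "bob", "enabled": True},         # left weeks ago, never disabled
    {"username": "carol", "enabled": True},
    {"username": "dave", "enabled": False},       # disabled correctly
    {"username": "svc-backup", "enabled": True},  # no HR record: service account or orphan
]

# Constructed membership of apps not behind SSO, so an IdP disable does not reach them
APP_MEMBERS = {
    "github": {"alice", "bob", "carol", "erin"},
    "slack": {"alice", "carol", "dave"},
}

CHECK_DATE = date(2024, 3, 10)  # constructed "today" so the overdue count is reproducible


def reconcile(roster_csv: str, idp_accounts: list, app_members: dict, today: date) -> list:
    """Return findings as dicts; an empty list means every account maps to an active employee."""
    roster = {r["username"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []

    def finding(kind, user, system, detail=""):
        findings.append({"finding": kind, "user": user, "system": system, "detail": detail})

    for acct in idp_accounts:
        user, rec = acct["username"], roster.get(acct["username"])
        if rec is None:
            finding("orphan_account", user, "idp", "no HR record; verify owner or disable")
        elif rec["status"] == "terminated" and acct["enabled"]:
            overdue = (today - date.fromisoformat(rec["termination_date"])).days
            finding("terminated_still_enabled", user, "idp", f"{overdue} days after termination")

    for app, members in app_members.items():
        for user in sorted(members):
            rec = roster.get(user)
            if rec is None:
                finding("orphan_account", user, app, "no HR record; verify owner or remove")
            elif rec["status"] == "terminated":
                finding("terminated_still_member", user, app, "remove; app is not SSO-gated")
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, IDP_ACCOUNTS, APP_MEMBERS, today=CHECK_DATE):
        print(f"{f['finding']:24} {f['user']:12} {f['system']:8} {f['detail']}")
```

Run daily, this turns the offboarding checklist into something that fails loudly: bob’s still-enabled SSO account and his lingering GitHub membership surface on the first run after HR marks him terminated, and the two accounts with no HR record at all (a service account and an unknown GitHub member) get a named owner or get removed.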
Companies, however, need to go beyond the basics. Take the Brazilian company referenced above: the error could only happen because the company had no way to detect sensitive files being sent over WhatsApp. Its security team had no visibility into the application. They could advise on data loss prevention best practices and urge staff to be careful, but they had no system that could actually prevent human error.
Beyond the basics, enterprises need insider threat management software: a cybersecurity solution that bolsters their insider threat prevention and detection program.
- Provide unified visibility across the organization’s communication channels, so SOC analysts are not stuck in “swivel chair mode”, constantly chasing threats across the company’s communications environment.
- Deploy a solution that leverages cross-channel event correlation, so security teams understand the relationships between communication platforms and the risks that come with them. The result is a reduced mean time to detect (MTTD), from days and weeks down to minutes.
- Find a platform built on an agentless architecture: a portable security layer that can be extended to any instance for no-hassle onboarding, with nothing to install on user devices.
- Trigger Data Loss Prevention (DLP) responses when sensitive information is disclosed in communications, automatically alerting security operations to prevent further unauthorized use and transmission of confidential information.
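Push bombing leaves a recognizable trace in identity-provider logs: a run of denied or timed-out push prompts for one user from a single source address, sometimes ending in an approval. As an added example, not code from the original article, the following Python sketch raises a medium alert when the run crosses a threshold and a high alert when an approval lands while the run is still open, since that approval is the moment the account is effectively compromised. The log format, the thresholds and the events are constructed.

```python
"""Flag MFA push bombing (MFA fatigue) in authentication logs. Added example, not the
page's code; the log format, thresholds and sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_PUSH = {"push_denied", "push_timeout"}

# Constructed IdP log: one normal login, one bombing run the user finally approves,
# and a user who ignored a few prompts and stayed below the threshold.
AUTH_LOG = """\
2024-03-05T08:01:10Z user=alice result=push_approved ip=198.51.100.23
2024-03-05T22:14:02Z user=bob result=push_denied ip=203.0.113.7
2024-03-05T22:14:40Z user=bob result=push_denied ip=203.0.113.7
2024-03-05T22:15:30Z user=bob result=push_timeout ip=203.0.113.7
2024-03-05T22:16:05Z user=bob result=push_denied ip=203.0.113.7
2024-03-05T22:17:11Z user=bob result=push_denied ip=203.0.113.7
2024-03-05T22:18:02Z user=bob result=push_timeout ip=203.0.113.7
2024-03-05T22:19:45Z user=bob result=push_denied ip=203.0.113.7
2024-03-05T22:20:30Z user=bob result=push_denied ip=203.0.113.7
2024-03-05T22:21:03Z user=bob result=push_approved ip=203.0.113.7
2024-03-05T23:02:00Z user=carol result=push_timeout ip=198.51.100.41
2024-03-05T23:03:10Z user=carol result=push_timeout ip=198.51.100.41
2024-03-05T23:05:40Z user=carol result=push_denied ip=198.51.100.41
"""


def parse_line(line: str) -> dict:
    """Parse '<ISO-8601> user=<u> result=<r> ip=<addr>' into a dict with a datetime."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_push_bombing(lines, threshold: int = 5, window: timedelta = timedelta(minutes=15)) -> list:
    """Return alerts for users with >= threshold failed pushes inside the window.

    A burst of denials/timeouts alone means someone holds valid credentials (medium);
    an approval arriving while that burst is open means the user gave in and the
    session must be treated as compromised (high). The ip field is the login origin,
    i.e. the attacker's address, not the phone that approved.
    """
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    failed = defaultdict(list)  # user -> timestamps of failed pushes still inside the window
    alerts = []
    for ev in events:
        user, now = ev["user"], ev["ts"]
        failed[user] = [t for t in failed[user] if now - t <= window]
        if ev["result"] in FAILED_PUSH:
            failed[user].append(now)
            if len(failed[user]) == threshold:
                alerts.append({"user": user, "type": "push_bombing", "severity": "medium",
                               "failed": threshold, "source_ip": ev["ip"], "ts": now})
        elif ev["result"] == "push_approved" and len(failed[user]) >= threshold:
            alerts.append({"user": user, "type": "push_bombing_approved", "severity": "high",
                           "failed": len(failed[user]), "source_ip": ev["ip"], "ts": now})
            failed[user].clear()
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(AUTH_LOG.splitlines()):
        print(a)
```

The medium alert is the cue to reset the password, because the attacker already has it; the high alert is the cue to kill the session and the refresh tokens as well. Number matching removes the high case almost entirely, since the victim has to type a code they can only see on the attacker’s screen, and FIDO2 keys remove both cases because there is no prompt to bomb.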
- Protect the human attack vector from advanced social engineering and targeted threats across enterprise communication and collaboration platforms.
- Manage day-to-day business communication risk extending beyond email and into enterprise collaboration applications.
- Detect and respond to patterns, context, and intent in communications that indicate the early stages of phishing, social engineering, and business communication attacks.
- Prevent malware and ransomware from propagating through the business: detect malicious files and links, automatically alert security operations, and remove the content from the application before the malware is installed or shared with more employees.