Insiders often pose a bigger threat to an organization than outsiders. They typically already have access to some, if not all, of the applications the organization uses to store data; they can move laterally and exploit trust from within; and they usually know best how to reach or degrade the organization's network, or which high-value individuals to target.
A successful attack launched by an insider can cause critical damage to an organization. Insider threats are difficult to detect, but security leaders can identify the areas of the business most exposed to them and focus on hardening those areas.
Basic controls such as 2FA and proper employee onboarding and offboarding go a long way. However, to properly repel insider threats, companies also need sophisticated, AI-driven monitoring of the channels where their data actually moves.
With the evolution and massive adoption of cloud services, the threat surface for insider threats has rapidly expanded.
The number of insider incidents increased by 47% between 2018 and 2020, and more than 34% of businesses around the globe are affected every year. Over the same period, the average annual cost of these incidents to an affected organization rose from $8.76 million in 2018 to $11.45 million in 2020.
And while careless or negligent employees account for 62% of incidents, at an average of $307,111 per incident, incidents involving malicious insiders or stolen credentials carry a higher price tag, up to $871,686 per incident. The cost per incident also depends on the organization's size and industry.
One of the biggest risks is that internal data is typically available 24/7, so an insider can exploit that availability at any time, including outside business hours. An unfortunate example is Code Spaces, which was forced out of business in 2014 after an attacker who had gained administrative access to its cloud account deleted the company's data and its backups.
68% of IT professionals consider their organization moderately to extremely vulnerable to insider threats. The reason is that insiders, especially those with administrative access to sensitive systems, know best how the internal network can be reached and abused.
Insider threats can broadly be sorted into two categories: intentional and accidental. Within those two designations, insiders take many forms:
A user can inadvertently leak sensitive data through cloud-based communication apps because of a lack of training, carelessness, or a compromised account. The leak is unintentional and, when security has visibility into the channel, it is usually flagged before it gets worse.
For example, a large Brazilian company approached the SafeGuard Cyber team for help. It uses WhatsApp for customer communications, and one of its employees had accidentally hit send on a message that contained an entire CSV file of customer data.
This was purely accidental, the result of a clipboard error: the file happened to be the last thing the employee had copied before opening WhatsApp. The error was nonetheless embarrassing and potentially costly.
Co-workers who are dismissed or terminated can end up holding a grudge against the company and decide to take more than memories with them when they leave.
A disgruntled ex-employee who still has access to sensitive data or systems can cause major damage. Case in point: an ex-Cisco employee accessed the company's cloud infrastructure months after resigning and deleted 456 virtual machines by deploying malicious code. This resulted in:
16,000 Webex Teams users losing access to their accounts for up to two weeks;
Approximately $1.4 million in employee time spent to audit the infrastructure and fix the damage; and,
A total of $1 million paid in restitution to affected users
Even those who leave the company on good terms can take sensitive data with them without meaning to. To counter this, an enterprise needs a proper offboarding process that makes sure leaving employees surrender their access to company tools and return any company property they hold.
Stealing in order to sell to a competitor is not a new phenomenon. Some employees steal trade secrets, intellectual property and more in exchange for money, for a better position at another company, or out of plain malice.
Sometimes no competitor needs to be involved, as in the insider trading case at Amazon. A senior manager in the company's tax department allegedly disclosed confidential financial data to family members, enabling them to trade on it; the manager and her family allegedly made about $1.4 million from these dealings.
This kind of theft can be devastating for the organization whose data is sold or traded on. To counter it, enterprises need a company culture that actively discourages bribery and the misuse of confidential information. Training and workshops are available to help enterprises get started.
If the organization succeeds, it gets loyal and honorable employees, such as the one who foiled the attempted ransomware attack on Tesla. Elon Musk himself confirmed that a Russian national had tried to bribe a Tesla employee with $1 million in exchange for installing ransomware on the company's servers.
Fortunately, the employee reported the approach to Tesla and the authorities, went so far as to work with the FBI and record conversations with the attacker, and the bad actor was eventually arrested.
A third-party company, solution, or service provider can also become an insider threat. The risk grows because, over time, much of your data becomes accessible not only to your own staff but to your third-party connections as well.
Again, these leaks can be purely accidental or more sinister in nature. In January 2020, for example, attackers used legitimate login credentials to access a third-party guest-services application that Marriott relied on, and obtained about 5 million guest records, including contact information, birthdays, personal preferences, and loyalty account details.
This was not the first time Marriott suffered a data breach. The company was also fined £18.4 million by the UK Information Commissioner's Office for a 2018 breach that affected about 339 million guest records.
While technically social engineering, impersonation by "fake" employees mimics insider access and can cause the same level of damage as other insider threats.
Social engineers study the behavior and routines of employees who have modest but real access, such as a security guard or a receptionist. They mine social media and LinkedIn profiles for personal information and observe their targets' behavior online and in person.
The attacker then sends a simple connection request to the target to begin establishing a trusted relationship. The more connections the attacker accumulates within the organization, the greater the sense of trust.
At this point, the attacker is well positioned to launch the attack by doing one or both of two things:
Send a malware-laced attachment to the target under a legitimate-seeming pretext, to compromise their device; or,
Send a link that redirects the victim to a bogus website or page that either harvests their login credentials or tricks them into wiring money to an account the attackers control.
You can defend against these attacks in the same way you would an insider threat: with two-factor authentication (2FA), authorized user lists, and rules about what can and cannot be shared on which channels.
Insider threat prevention is hard, especially when cloud data is available 24/7. Employees who have left the organization may still have access to that data if they were not properly offboarded.
Moreover, an external attacker may masquerade as an employee or administrator to reach sensitive systems or data, using credentials obtained through phishing or found leaked or cracked.
Some basic insider threat protection procedures are as follows:
Keep a list of authorized, onboarded users and which solutions each of them has access to. Educate employees on the dos and don'ts of your tech stack. Then, during offboarding, disable the exiting employee's access in every application and remove them from the list of authorized users.
Activating 2FA blocks 99.9% of automated account-compromise attacks. The more consistently employees use 2FA on their business tools, the safer those accounts are.
When selecting a cloud service provider, the organization should ensure that contractual agreements are in place that govern security policies and responsibilities.
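The authorized-user list and the offboarding step above are only useful if someone actually compares the list against what each application still allows. The following is an added example, not code from the original article or from any vendor: it reconciles an HR roster against per-application account exports and reports leavers whose accounts are still enabled (the situation behind the Cisco case above) and accounts that belong to nobody on the roster. The roster, the two exports and all column names are constructed sample data; real HRIS and SaaS exports will have different fields.

```python
"""Offboarding reconciliation: compare the HR roster against per-application
account exports and report access that should have been revoked.

Added example, not part of the original article or any vendor's product. The
roster, the two application exports and their column names are constructed
sample data; real HRIS and SaaS exports will have different fields."""
import csv
import io
from datetime import date

# Constructed HR roster: current status and, for leavers, the leaving date.
HR_ROSTER_CSV = """email,status,termination_date
alice@example.com,active,
bob@example.com,terminated,2024-03-15
carol@example.com,terminated,2024-05-01
dave@example.com,active,
"""

# Constructed exports from two applications. 'enabled' means the account can
# still sign in; 'last_login' is the most recent successful sign-in.
APP_EXPORTS_CSV = {
    "chat": """email,enabled,last_login
alice@example.com,true,2024-06-10
bob@example.com,true,2024-04-02
carol@example.com,true,2024-04-20
dave@example.com,true,2024-06-11
""",
    "cloud-console": """email,enabled,last_login
alice@example.com,true,2024-06-11
carol@example.com,false,2024-04-28
mallory@contractor.example,true,2024-06-09
""",
}


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_access_gaps(roster_csv, app_exports, today_iso):
    """Return one finding per account that violates the authorized-user list.

    not_in_roster           no matching person in HR: an unknown or third-party
                            account that nobody onboarded
    used_after_termination  leaver's account is enabled and was used after the
                            leaving date
    orphaned_account        leaver's account is enabled but unused since leaving;
                            still a standing risk
    """
    today = date.fromisoformat(today_iso)
    roster = {r["email"].lower(): r for r in parse_csv(roster_csv)}
    findings = []
    for app, export in app_exports.items():
        for acct in parse_csv(export):
            email = acct["email"].lower()
            enabled = acct["enabled"].strip().lower() == "true"
            person = roster.get(email)
            if person is None:
                findings.append({"app": app, "email": email, "issue": "not_in_roster"})
                continue
            if person["status"] != "terminated" or not enabled:
                continue  # active staff, or a leaver who was already disabled
            left = date.fromisoformat(person["termination_date"])
            last_login = date.fromisoformat(acct["last_login"])
            issue = "used_after_termination" if last_login > left else "orphaned_account"
            findings.append({"app": app, "email": email, "issue": issue,
                             "days_since_termination": (today - left).days})
    return findings


def revocation_actions(findings):
    """(app, email) pairs to disable now. Unknown accounts need an owner first."""
    return sorted((f["app"], f["email"]) for f in findings
                  if f["issue"] in ("used_after_termination", "orphaned_account"))


if __name__ == "__main__":
    gaps = find_access_gaps(HR_ROSTER_CSV, APP_EXPORTS_CSV, "2024-06-12")
    for finding in gaps:
        print(finding)
    print("disable now:", revocation_actions(gaps))
```

Run against the sample data, the report distinguishes the leaver who kept signing in after leaving from the one whose account is merely still enabled, and separates both from the contractor account that was never on the roster; only the first two can be disabled automatically, the third needs an owner before anyone decides.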
Companies, however, need to go beyond these basics. The Brazilian company referenced above is a key example: the error could happen because the company had no capacity to detect sensitive files being sent through WhatsApp. Its security team had no way to see into the application, and therefore no visibility. They could advise on data loss prevention best practices and urge staff to be careful, but they had no system that could actually catch human error.
Beyond these basics, enterprises need insider threat management software: a cybersecurity solution that bolsters their insider threat prevention and detection program. Such a solution should:
Secure the business by protecting the human attack vector from advanced social engineering and targeted threats across enterprise communication and collaboration platforms.
Manage day-to-day business communication risk, extending beyond email into enterprise collaboration applications.
Detect and respond to the patterns, context and intent of communications that indicate the early stages of phishing, social engineering, and business communication attacks.
Prevent malware and ransomware from propagating through the business by detecting malicious files and links, automatically alerting security operations, and removing the content from the application before the malware is installed or shared with more employees.
Deploy data loss protection (DLP) responses when sensitive information is disclosed in communications, automatically alerting security operations to protect against further unauthorized use and transmission of confidential information.
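What "a system that could actually catch human error" looks like for the WhatsApp case, and for the DLP response described in the last item, is content inspection of the outbound message itself. The following is an added example and not SafeGuard Cyber's product or code: it checks whether a message body is a pasted table full of personal identifiers, counts e-mail addresses and phone numbers, and runs the Luhn checksum over digit runs to tell payment card numbers from other numbers. The regular expressions, the thresholds, the allow/alert/block verdicts and the sample messages are assumptions constructed for the example.

```python
"""Content inspection for outbound chat messages: catch a pasted customer
export before it leaves the organization.

Added example of the DLP check the text describes; it is not SafeGuard Cyber's
product or code. The patterns, the thresholds, the allow/alert/block verdicts
and the sample messages are assumptions constructed for the example."""
import re
from collections import Counter

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose phone pattern: a run of 9+ digits with optional separators. Good enough
# to count identifiers in bulk data; it will also match dates and similar runs.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d ().-]{7,}\d(?!\w)")
# Candidate payment card numbers: 13-19 digits with optional single spaces/dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(candidate):
    """Luhn checksum, to separate real card numbers from other digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_tabular(text, min_rows=3):
    """True if at least min_rows lines share the same delimiter count,
    i.e. the body is a pasted CSV/TSV rather than free text."""
    lines = [l for l in text.splitlines() if l.strip()]
    for delim in (",", ";", "\t"):
        per_line = Counter(l.count(delim) for l in lines if delim in l)
        if per_line and per_line.most_common(1)[0][1] >= min_rows:
            return True
    return False


def inspect_message(text, max_identifiers=2):
    """Classify one outbound message as allow / alert / block."""
    emails = EMAIL_RE.findall(text)
    phones = PHONE_RE.findall(text)
    cards = [c for c in CARD_RE.findall(text) if luhn_ok(c)]
    identifiers = len(emails) + len(phones)
    tabular = looks_tabular(text)
    if cards:
        verdict = "block"   # card data has no business in a chat message
    elif tabular and identifiers > max_identifiers:
        verdict = "block"   # a pasted table of personal data: the CSV case
    elif identifiers > max_identifiers:
        verdict = "alert"   # many identifiers in free text: let SecOps review
    else:
        verdict = "allow"
    return {"verdict": verdict, "emails": len(emails), "phones": len(phones),
            "cards": len(cards), "tabular": tabular}


# Constructed sample messages (fictional addresses and 555-01xx phone numbers).
MSG_NORMAL = "Hi Maria, can you send the Q3 deck to joao.p@example.com by Friday?"
MSG_CONTACTS = ("Please loop in ana@example.com, bruno@example.com and "
                "carla@example.com on this thread.")
MSG_CARD = "Customer 4111 1111 1111 1111 asked for a refund, can you process it?"
MSG_BULK_EXPORT = """Here is the customer list you asked for:
id,name,email,phone
1,Ana Souza,ana.souza@example.com,212-555-0134
2,Bruno Lima,bruno.lima@example.com,212-555-0157
3,Carla Dias,carla.dias@example.com,212-555-0188
4,Diego Reis,diego.reis@example.com,212-555-0193
"""

if __name__ == "__main__":
    for name, msg in [("normal", MSG_NORMAL), ("contacts", MSG_CONTACTS),
                      ("card", MSG_CARD), ("bulk export", MSG_BULK_EXPORT)]:
        print(name, inspect_message(msg))
```

The single address in a normal request is allowed, three addresses in free text raise an alert for review, and both the pasted four-row export and the message carrying a Luhn-valid card number are blocked. In a real deployment the verdict would feed the alerting and content-removal step the text describes; the thresholds are tuning knobs, and the loose phone pattern is deliberately biased toward catching bulk data rather than validating any single number.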