So much time, effort, and resources are spent defending the perimeter-less network from outside attacks that a key risk factor is often overlooked: the insider threat.
According to industry research, the number of incidents relating to insider threats rose 47% between 2018 and 2020. The consequences of these incidents are not insignificant: the Ponemon Institute noted the average cost per incident ranged between $200,000 and three quarters of a million dollars.
In response to the unprecedented rise of insider attacks, September was declared National Insider Threat Awareness Month by several government agencies, and the observance is now in its fourth year. The theme this year is “Critical Thinking for Digital Spaces,” and it represents the combined efforts of the Defense Counterintelligence and Security Agency, the National Counterintelligence and Security Center, the National Insider Threat Task Force, the Office of the Under Secretary of Defense for Intelligence and Security, and “insider threat community stakeholders” – underscoring that insider threats are not to be overlooked.
What motivates an inside attack
While we may group all insider incidents under the same umbrella, motivations can vary widely. Bob Erdman, Director of Development, Threat Intelligence at Fortra, noted that “insider threats are not just malicious, many times they are accidental.” From curious co-workers to disgruntled former employees to admins who are long gone (and yet still haven’t had their access revoked), there are numerous scenarios in which someone on the inside of your network could leak data out.
“One of the biggest misconceptions surrounding insider threats is that they occur due to malicious intentions,” Erdman states. “However, while these instances attract the majority of fear and media attention, many insider threats are not intentional and are caused entirely by accident. Users fall victim to malicious phishing or Business Email Compromise (BEC) scams and expose their credentials or other damaging information about the organization.” In the words of John Grancarich, EVP of Strategy at Fortra, “One click – that’s all it takes for an unsuspecting user to be lured down the path of credential theft. And once the first set of credentials has been compromised, the front door of your organization is wide open, and it won't stop there.” Research from the Ponemon Institute supports this line of reasoning: its 2020 Cost of Insider Threats Report revealed that 61% of insider threat incidents are the result of negligent insiders. Most often, it’s not personal.
Sometimes, in-office policy (or lack thereof) can contribute to the potential for risk. As Donnie MacColl, Senior Director of Technical Support at Fortra states, when employees change roles, they tend to accumulate rights rather than rotate them. “Imagine giving a tradesperson a key to your house, but never asking for it back when the job is done! That is what happens when an employee leaves and their access is not fully and immediately removed.” He also notes how the hybrid work model has contributed to policy creep surrounding security and access management; “Outside of the security perimeter of a corporate office, employees are more likely to ‘let their guard down’, whether that is practicing lax cyber hygiene, or carrying out work on home devices.” As networks and workspaces expand, the lack of clearly delineated policies surrounding employee access becomes a formidable liability.
It can also put trade secrets and business-critical information at risk. Tom Huntington, EVP of Technical Solutions at Fortra, asks “When is the greatest threat to the organization's intellectual property? It's when employees move on to the next career opportunity and decide to take a little intelligence with them. It seems harmless enough but certainly puts the incumbent company's property at risk of being shared with a competitor or another outside threat.”
Mismanagement and employee error aside, 39% of insider attacks are still motivated by malicious intent. “Financial motives are always attractive,” MacColl notes, “and now with a poor global financial situation and the rising cost of living, simple acts like handing over a password for monetary gain are becoming more attractive to many people who would have never usually considered it.” That’s why he advocates that anyone with privileged access be considered part of the data lifecycle, “from their first day to their last.” After all, he reasons, “it is far better to prevent than to detect and remediate.”
The tools to keep data where it belongs
“With the new hybrid work model, where a large portion of the workforce is only in the office for a few days a week, the possibility of an accidental insider threat emerging is much greater,” shares MacColl. “This is where automated security tools can help, such as data classification for labelling sensitive information, gateways and endpoints to ensure it isn't shared without authorization, managed file transfer for secure data transmission and digital rights management to secure access on the go, but revoke access if and when needed.”
Data Classification
This technology is essential for establishing the rules by which your data will be protected. Data classification not only sorts data so that high-value assets are only sent to authorized recipients, but also monitors and reports data access, prevents data from leaving the organization, and identifies where sensitive data resides – you can’t protect what you don’t know you have.
Data Loss Prevention (DLP)
DLP solutions automatically redact sensitive data or prevent it from being copied or saved to removable media, and they support compliance with data privacy laws such as HIPAA, CCPA, GDPR and SOX. They focus specifically on preventing unauthorized data disclosure before a breach occurs, including protecting against ransomware attacks, supply chain and data breach risks, and accidental data loss.
Endpoint Security
Endpoint security tools protect your network at the edge, preventing malicious insiders from exfiltrating data. Endpoint Protection Platforms allow benign behaviors but block suspicious ones and use real-time analytics to tell the difference. Using endpoint telemetry, you can establish baselines of normal behavior to better spot anomalies among your users.
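The baseline-and-anomaly idea above, and the unrevoked-access problem MacColl describes earlier, can be demonstrated with a small detection script. This is an added example, not code from the original post or from Fortra's products; it assumes a constructed per-user daily telemetry feed of bytes written to removable media and a constructed HR list of departed users.

```python
"""Baseline-and-anomaly check over endpoint telemetry (constructed sample).

Added example, not the page's or Fortra's code. It assumes a per-user daily
record of bytes written to removable media plus an HR list of departed
users; it flags days far above a user's own baseline and any activity
by an account that should already have been revoked.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: (user, day, bytes written to removable media).
TELEMETRY = [
    ("alice", "2024-01-01", 1_000), ("alice", "2024-01-02", 1_200),
    ("alice", "2024-01-03", 900), ("alice", "2024-01-04", 1_100),
    ("alice", "2024-01-05", 48_000_000),  # burst on day 5: bulk copy-out
    ("bob", "2024-01-01", 5_000_000), ("bob", "2024-01-02", 4_800_000),
    ("bob", "2024-01-03", 5_200_000), ("bob", "2024-01-04", 5_100_000),
    ("bob", "2024-01-05", 5_000_000),  # heavy but normal for bob
    ("carol", "2024-01-05", 2_000),  # carol has left but still has access
]
DEPARTED = {"carol"}  # constructed HR leaver list

def build_baselines(records, window=4):
    """Per-user (mean, std-dev) over each user's first `window` days."""
    by_user = defaultdict(list)
    for user, _day, nbytes in sorted(records):
        by_user[user].append(nbytes)
    return {u: (mean(v[:window]), pstdev(v[:window])) for u, v in by_user.items()}

def find_anomalies(records, departed=DEPARTED, window=4, z_threshold=3.0, min_ratio=5.0):
    """Return findings: days beyond the baseline window whose volume is more than
    z_threshold std-devs above the user's mean AND at least min_ratio times it
    (the ratio guard keeps very regular users from alerting on tiny bumps),
    plus any record from a departed user, whatever the volume."""
    baselines = build_baselines(records, window)
    seen, findings = defaultdict(int), []
    for user, day, nbytes in sorted(records):
        if user in departed:
            findings.append({"user": user, "day": day, "reason": "stale-access"})
            continue
        seen[user] += 1
        if seen[user] <= window:
            continue  # baseline days are not evaluated against themselves
        mu, sd = baselines[user]
        z = (nbytes - mu) / sd if sd > 0 else (float("inf") if nbytes > mu else 0.0)
        if z > z_threshold and nbytes >= min_ratio * max(mu, 1):
            findings.append({"user": user, "day": day, "reason": "volume", "z": round(z, 1)})
    return findings
```

In practice the baseline window would be weeks rather than four days and the telemetry would come from the EDR or DLP agent, but the two findings (a user far outside their own norm, and any activity from an account that should no longer exist) are the ones the paragraph describes.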
Integrating the right technologies with the right mindset is key to preventing inside attacks. While we can do our best to know the signs, a true defense-in-depth approach demands best-in-class technologies to support Zero Trust. As Grancarich sums up, “It turns out that our parents' advice to us as we were growing up is relevant to security as well: an ounce of prevention is worth a pound of cure.”