By Adenike Cosgrove, Cyber Security Strategist, International at Proofpoint.
As cybersecurity professionals, we spend much of our time focusing on keeping threats out. And with good reason. From business email compromise (BEC) attacks to malware, there are a host of threats that, once inside our defences, can do significant damage. However, not all attacks are perpetrated by outside forces. Sometimes, the threats are coming from inside the house.
These insider threats are increasingly common. According to a new study from ObserveIT, a Proofpoint company, with the Ponemon Institute and IBM, the frequency of insider threats has risen by 47% in only two years, and insider threats cost organisations 31% more than they did in 2018.
Just like outside threats, those that stem from the inside have the potential to cause significant damage.
Not all insider threats are malicious, however. When we consider unintentional threats – such as the installation of unauthorised applications or the use of weak or reused passwords – this figure is likely much higher.
Whether due to human error or malicious intent, threats from within are notoriously difficult to defend against. Not only is the ‘attacker’ already within your defences, but in the case of malicious insiders, they may be able to use privileged access and information to actively avoid detection.
Understanding insider threats
When constructing a defence against insider threats, it’s easy to make the case for the old cybersecurity adage: trust no one.
However, this approach is neither practical nor conducive to the flow of information required to run a modern-day business.
Fortunately, there are several less drastic steps that can be taken to detect insider threats – or better still, to stop them before they take root.
The first step is to understand exactly what drives an insider to pose a threat to your organisation. Motivating factors can generally be grouped into three categories:
- Unintentional: From installing unauthorised applications to misplacing equipment or reusing passwords, careless employees can pose a serious threat to your organisation.
- Emotionally motivated: Threats of this nature are posed by employees with a personal vendetta against your organisation. Emotionally motivated malicious insiders may seek to cause damage to your reputation by leaking privileged information or disrupt internal systems for maximum inconvenience.
- Financially motivated: There are many ways to profit from privileged access, be it through the leaking of sensitive data, selling access to internal networks or disrupting internal systems in an attempt to affect company share price.
Whatever the intent behind them, insider threats can occur at any level of your organisation. With that said, actions that take place lower down the business hierarchy may be harder to detect.
While privileged users are usually closely monitored, some employees further down the line sit in an unfortunate sweet spot – with access to sensitive data required to do their jobs and minimal account monitoring or supervision.
Lower-level employees may also be less invested in or knowledgeable about good security practice and therefore pose an unintentional threat. In the case of malicious threats, these employees could have greater cause to be disenfranchised or more tempted by financial incentives offered to access sensitive systems and leak data.
How to spot the warning signs
External attacks are usually detected within hours or even minutes. Insider threats, however, often lie undetected for long periods.
Just 10% of cases are discovered within days of a breach, while 40% remain undiscovered for up to five years.
Spotting the potential for an insider threat before an incident occurs is extremely valuable. This is by no means an exact science, but there are certain behaviours to look out for.
When it comes to unintentional threats, be on the lookout for slack security practices such as writing down passwords, installing unauthorised applications or otherwise circumventing security for greater convenience.
Unfortunately, spotting the potential for a malicious threat is more of a challenge, as perpetrators will usually try to cover their tracks.
Be vigilant for any unusual attempts to access internal systems, particularly without a valid reason or if it is outside the job scope of the employee. Apply the same scrutiny to employees who suddenly begin working unusual hours without reason.
These behaviours should be particularly alarming when displayed by a disgruntled employee or one who may be exploitable for any reason.
Defence in depth
Detecting and protecting against insider threats requires a broad and robust defence: a comprehensive combination of tools, policies and education.
Employees should be regularly trained on how to ensure they do not cause an unintentional threat to your organisation – covering topics such as password reuse, phishing and BEC. Beyond this, educate employees on how to spot unusual behaviour among colleagues and on the consequences of perpetrating or facilitating a malicious threat.
Ensure you have tools in place to monitor users’ network activity – flagging up repeat or unusual requests for system access to spot potential privilege misuse. Limit the printing and copying of sensitive data and only allow access to ‘need-to-know’ information with a legitimate and documented reason.
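The monitoring described above and the warning signs listed earlier (access outside job scope, unusual hours, repeat requests) can be expressed as simple checks over access logs. The following is an added example, not from the original article or any vendor tooling; the log tuple format, role scopes, user names and the denied-request threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed role scopes and users; real values would come from IAM/HR data.
ROLE_SCOPE = {"support": {"crm"}, "finance": {"ledger", "payroll"}}
USER_ROLE = {"akhan": "support", "mross": "finance"}
# Constructed access events: (timestamp, user, resource, outcome).
BASELINE = [
    ("2024-03-04T09:12", "akhan", "crm", "ok"),
    ("2024-03-04T14:40", "akhan", "crm", "ok"),
    ("2024-03-05T10:05", "mross", "ledger", "ok"),
    ("2024-03-05T16:30", "mross", "payroll", "ok"),
]
RECENT = [
    ("2024-03-11T09:30", "akhan", "crm", "ok"),
    ("2024-03-12T02:14", "akhan", "payroll", "denied"),
    ("2024-03-12T02:15", "akhan", "payroll", "denied"),
    ("2024-03-12T02:17", "akhan", "payroll", "denied"),
    ("2024-03-12T10:20", "mross", "ledger", "ok"),
]

def hour_of(ts):
    return datetime.fromisoformat(ts).hour

def usual_hours(events):
    """Earliest and latest hour each user was active in the baseline."""
    span = {}
    for ts, user, _, _ in events:
        lo, hi = span.get(user, (23, 0))
        span[user] = (min(lo, hour_of(ts)), max(hi, hour_of(ts)))
    return span

def review(baseline, recent, denied_threshold=3):
    span, denied, findings = usual_hours(baseline), Counter(), defaultdict(set)
    for ts, user, resource, outcome in recent:
        if resource not in ROLE_SCOPE.get(USER_ROLE.get(user), set()):
            findings[user].add("out_of_scope:" + resource)  # outside job scope
        if user not in span:
            findings[user].add("no_baseline")  # cannot judge hours; surface it
        elif not span[user][0] <= hour_of(ts) <= span[user][1]:
            findings[user].add("off_hours")  # outside the user's own pattern
        if outcome == "denied":
            denied[user, resource] += 1
            if denied[user, resource] >= denied_threshold:
                findings[user].add("repeat_denied:" + resource)
    return {user: sorted(flags) for user, flags in findings.items()}

if __name__ == "__main__":
    print(review(BASELINE, RECENT))
```

Flags like these are prompts for review rather than verdicts: a legitimate on-call shift or a role change will trip the same checks, which is why the documented reason for access matters.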
Finally, implement and police policies regarding the use of email, acceptable use, external storage devices and BYOD. These policies must be agreed to by anyone with access to your systems – employees, vendors, contractors and any other third party.
Ultimately, while fending off insider threats can be challenging, it is not impossible. But transparency and vigilance are key.
It’s vital that you know who has access to your data, and that you understand why and how they are accessing it. The greater your understanding, the easier it is to spot irregularities or changes in behaviour – and the faster you can nullify potential insider threats.