Combating Insider Threats
Insider Threats represents the primary vector for 60% of data breaches, organizations need to examine the threats walking through their door every day with as much thoroughness as they show when securing the perimeter from external threats.
An insider threat is a security risk that originates within the targeted organization. The actor do not have to be current employees or officers within the organization, but could also be a consultant, former employee, business partner, or board member. With insider threats representing the primary vector for 60% of data breaches, organizations need to examine the threats walking through their door every day with as much thoroughness as they show when securing the perimeter from external threats. According to the Ponemon Institute, the average cost of insider caused incidents was $8.76 million in 2017, which was more than twice the $3.86 million global average cost of all breaches during the same year. According to Verizon, there are five main classifications for insider threats. These are:
- The careless worker. These are employees who engage in inappropriate behaviour, much of which fall into the category of "Shadow IT." Shadow IT describes users who procure or use a cloud application, such as a file-sharing app to increase productivity, but inadvertently expose the company. These behaviours can include misappropriating resources, breaking acceptable use and security policies, using unapproved workarounds, and installing unauthorized applications. And while these behaviours tend not to be malicious, they can open up new vulnerabilities within an organization. In combating these types of insider threats, organizations can impose consequences such as fines, demotions, or job termination whenever employees conduct themselves within these behaviours.
- The inside agent. These are individuals who cooperate with a third party, frequently competitors or nation-states, to use their access in a way that intentionally causes harm to the organization. Bad actors will recruit or bribe susceptible insiders to steal information on their behalf. Having proper data loss prevention mechanisms is a good defense in combating this type of malicious insider. Insider-caused incidents, including collusion, are among the costliest categories of a breach and may take four times longer to detect than incidents caused by individual insiders.
- The Disgruntled Employee. These are insiders who try to harm their organization by destroying data or disrupting business activity. This form of insider threat stems from employees who often feel that they have been wronged by the organization and attempt to lash out as an act of revenge. To combat this form of insider threat, having employees sign non-disclosure agreements that explicitly outline the consequences of sharing company secrets to outside parties. This will be somewhat of a deterrent for persons seeking to enact their revenge through data exposure.
- The Malicious Insider. – These are employees are aware of their actions and the negative implications on the organization, yet still, pursue those actions. Malicious insiders are especially dangerous when they have elevated levels of privilege, such as system administrators or database administrators, with a classic example of such being Edward Snowden, who used his access to classified systems to leak information relating to cyber espionage at the NSA. Combating this type of insider threat can be tricky. Still, one recommendation I think could work is to limit a single employee's access to sensitive information as much as possible throughout the organization. No one person should be able to access, view, or modify confidential information without needing a second or third individual for authorization. I believe this method could be useful as a malicious insider would need to justify there reasoning for accessing certain information.
- The Pawn. A pawn is just a regular employee who makes a mistake that a bad actor exploited or otherwise led to data loss or compromise. Whether it's an unwitting employee downloading malware to their workstation or a user disclosing credentials to a third party pretending to be a help desk employee, this vector is one of the broader targets for attackers seeking to cause harm to the organization. The best way to combat this form of insider threat is through ongoing employee security awareness training. A company that partners with employees to ensure security awareness will do better than forces compliance or performs training to check a box.