David Higgins, Director of Customer Development, EMEA at CyberArk
The trusted insider has always been a security risk – whether an executive with access to sensitive information or an administrator on an enterprise network. But according to a recent report from the Ponemon Institute, in the past two years the insider threat has rocketed for businesses, with the average number of incidents involving employee or contractor negligence having increased by 26 percent, and by 53 percent for criminal and malicious insiders.
Our own research in our annual Global Advanced Threat Landscape Report also revealed that security decision makers aren’t exempt from putting their organisations at risk – with 85% worrying that they might personally introduce a cybersecurity incident into their organisation.
Many are aware of the threat posed by malicious insiders. But, as these figures go to show, it is not only the malicious you need to worry about – don’t underestimate the threats posed by human error and good intentions.
To err is human
The most common problems for businesses include system misconfiguration, poor patch management, using default settings and weak passwords, lost devices, and sending sensitive data to the wrong e-mail address. Some of these problems are the result of the individual’s poor decision or a slip of the mouse. It could be something as simple as clicking “reply all” on an e-mail. Some, however, are the result of poor policy or poor management. System configurations and patch management should be matters of organisational policy and should be periodically assessed.
We will never rid ourselves completely of mistakes but, with 64% of organisations finding that negligence is the root of most incidents, there is vast room for improvement, and a definite need for it. Because the damage caused is often amplified by excessive permissions, organisations need to get a firmer grasp on their privileged accounts and remove access where it’s unnecessary. Any employee with unconstrained access could, accidentally or maliciously, become a dangerous insider.
The path to poor security is paved with good intentions
Most employees are hard-working and want to do a good job. In fact, many go out of their way to do their jobs efficiently, and that can pose a problem. It is not uncommon for employees to install unauthorised wireless access points to make it easier to connect to the network throughout the office. These points can improve productivity and worker satisfaction but, unknown to and unmanaged by administrators, they also create security holes that attackers can use to gain access. And the concern is not only that access is gained, but how. Despite the fact that BYOD has now been around for years, many organisations are still struggling to put robust policies and procedures in place to protect themselves.
Workers often see security as a roadblock rather than an enabler. When this happens, they will find ways around policy in order to do their jobs more easily and become insider threats.
The unwitting accomplice
Honest insiders are also targeted by malicious outsiders through social engineering. E-mail phishing (and spear-phishing, which targets high-value individuals) is still one of the most common types of social engineering, with attackers becoming increasingly sophisticated in their approaches and drawing in unwitting employees.
Insider threats do not stop with your employees. Contractors, business partners and links across the supply chain – both upstream and down – all present threats that can be used to compromise your network from the inside. One of the key threats we see is attackers actively targeting highly permissioned users, looking for those individuals or accounts which can open the doors to the rest of the organisation and the valuable data it holds. With GDPR coming into force this month, it’s more important than ever that organisations are completely aligned on data protection and the importance of robust cybersecurity practices across the board.
Protecting yourself
The first line of defense against the well-intentioned insider is awareness and training. All employees should be educated to understand the risks, organisational policies and the reasons for them. With regulation such as GDPR coming into force and customers increasingly aware of the threat posed by cyber attackers, organisations can no longer afford to keep cyber siloed.
At the same time, business leaders need to engage with their security teams to ensure that they have the correct measures in place to protect themselves and shut down attacks, and the ability to report back on the attacks faced and the resulting implications for customer or business data.
It’s no longer enough to do one or the other. The only way to defend against both accidental and malicious insiders is to address the threat, not the individual. This starts by locking down unnecessary, unconstrained access for users, which, if left unchecked, amplifies the insider threat. There are a host of reasons behind insider threats, be they accidental or malicious, and organisations must ensure they have the right policies in place to protect themselves as much as possible.