Over one in ten data breaches originate from a malicious insider, and they cost companies $4.18 million per incident. And that’s only the malicious ones.
According to the 2023 Insider Threat Report by Cybersecurity Insiders, nearly three-fourths (74%) of organizations are at least moderately vulnerable to insider threats. It’s worth a company’s time to recognize the five main types of these kinds of attacks and know how to prevent them.
- Privileged Insiders | Privileged insiders are a problem because whatever chance they had of causing risk in the first place – whether unintentional or nefarious – is now multiplied by their level of privilege. It is far more bang for the buck to compromise a root user’s credentials, for example, than those of an average user. More damage can be done, with less oversight, and for longer. In fact, 55% of organizations identify privileged users as their greatest insider risk. How do you combat this? Establish access policies and a good Privileged Access Management (PAM) solution, for starters.
- Malicious employees | These are some of the hardest threats to prevent and so require the most sophisticated security methods. Think about it: an insider not only has all the technical know-how of a hacker, but also internal knowledge of the company’s databases and the savvy to lie low. This kind of behavior is skillfully stealthy and crafted not to draw the attention of even a fellow employee.
- Third Parties | As supply chains expand, more and more companies have to deal with the risk of third-party vendors opening inroads into their organization. Each partner is its own ecosystem with its own architecture, vulnerabilities, and risks. As CISA explained, “third-party threats are typically contractors or vendors who are not formal members of an organization, but who have been granted some level of access to facilities, systems, networks, or people to complete their work.” That access could be exploited by them as easily as by someone within your own team, and once assets have been connected, a breach of their systems is a breach of yours.
Vet partners and suppliers for security practices and do your due diligence with supply chain integrity by asking for SBOMs and requiring code signing certificates. Check those your company works with to make sure they hold the same levels of security as your company does and make this a necessary best practice.
- Moles | This type of insider threat works for an outside agent, providing sensitive internal information that will enable a breach. Typically financially motivated, the mole could be a seasoned operator or a first-timer. Difficult economic circumstances can lead an otherwise unmotivated and benign employee to consider things they never would have before.
With their elevated knowledge of systems, defenses, and architectures, they secretly feed intel to an outside party – either a cyber gang, nation state threat actor, or other – and facilitate privilege escalations that will lead to the ultimate demise of data and reputation.
- Unwitting employees | This is one of the most common forms of insider risk. Most of the time, employees just want to do their jobs and do so in the best and most sensible way possible. Without clear guidance, that initiative can lead to tool sprawl, shortcuts, and unsafe practices. A host of government research has been done on unintentional insider threats, and the causes are myriad:
- Fatigue or sleepiness
- Subjective mental workload
- Mind wandering
- Situational awareness
- Just plain human error
These can be influenced by a number of psychological factors, such as:
- Personality traits
- Age effects
- Drugs and hormones
- Cultural factors
Essentially, the reasons we make errors as humans. While “to error” is human, however, “to remediate” is divine. Security awareness programs are an often undervalued part of keeping phishing click rates low and tamping down on other risky online behaviors.
Remediation through Technology
AI-driven solutions that can autonomously detect and respond to insider incidents are needed today. Cutting-edge options include data loss prevention tools that can “detect, investigate, and respond” to unauthorized access via email, cloud sharing, or removable storage. Best-in-class tools will also contextualize the data that users are accessing, so even if the behavior itself looks odd, you can tell whether the anomalous pattern is nefarious or just the new intern posting cat videos.
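As an added illustration (not code from the article or from any vendor product), the Python sketch below shows the contextualization just described: each user is compared against their own baseline of transfers over email, cloud shares, and removable storage, and any anomaly is then ranked by the sensitivity of the data actually moved, so the intern’s burst of public videos lands as a low-severity alert while a similar burst of confidential files does not. All events, users, and classification labels are constructed sample data.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real data): (day, user, channel, classification).
# Channels follow the three paths named above: email, cloud share, removable storage (usb).
HISTORY = [
    (1, "alice", "email", "internal"), (2, "alice", "cloud", "internal"),
    (3, "alice", "email", "internal"), (4, "alice", "usb", "internal"),
    (1, "bob", "cloud", "public"), (2, "bob", "cloud", "public"),
    (3, "bob", "cloud", "public"), (4, "bob", "cloud", "public"),
]
TODAY = [
    # alice moves confidential data to removable media and email, far above her norm
    (5, "alice", "usb", "confidential"), (5, "alice", "usb", "confidential"),
    (5, "alice", "email", "confidential"), (5, "alice", "usb", "internal"),
    # bob (the intern) shares a burst of public videos: anomalous, but harmless
    (5, "bob", "cloud", "public"), (5, "bob", "cloud", "public"),
    (5, "bob", "cloud", "public"), (5, "bob", "cloud", "public"),
    (5, "bob", "cloud", "public"),
]
ORDER = ["public", "internal", "confidential"]          # least to most sensitive
SEVERITY = {"public": "low", "internal": "medium", "confidential": "high"}

def daily_counts(events):
    """Transfers per (user, day), returned as {user: [count per day, oldest first]}."""
    per_day = Counter((user, day) for day, user, _, _ in events)
    out = defaultdict(list)
    for (user, day), n in sorted(per_day.items()):
        out[user].append(n)
    return out

def detect(history, today, sigma=2.0, floor=2):
    """Flag users whose volume today exceeds their own baseline (mean + sigma*stdev,
    with an absolute floor so a flat history still tolerates small bursts), then rank
    each alert by the most sensitive classification that user actually moved."""
    base, now = daily_counts(history), daily_counts(today)
    alerts = []
    for user, counts in now.items():
        hist = base.get(user, [0])
        threshold = max(mean(hist) + sigma * pstdev(hist), mean(hist) + floor)
        if counts[-1] <= threshold:
            continue
        moved = {cls for _, u, _, cls in today if u == user}
        worst = max(moved, key=ORDER.index)
        alerts.append({"user": user, "count": counts[-1], "baseline": round(mean(hist), 2),
                       "severity": SEVERITY[worst],
                       "channels": sorted({ch for _, u, ch, _ in today if u == user})})
    return alerts

if __name__ == "__main__":
    for alert in detect(HISTORY, TODAY):
        print(alert)
```

Both users trip the volume threshold; only the data classification separates a high-severity alert from a low one, which is the context the paragraph asks for.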
As you look for the best overall solution to fit your particular risk profile, keep in mind that the attack surface is large and every user, partner, and vendor threatens it every time they log in – whether by accident or not. Provide the right training to combat careless errors made in ignorance. Lean on AI-based technology to spot malicious patterns in behavior. Trust a technology solution that provides alerts in context and keeps false positives to a minimum, and keep all this up on an ongoing basis: tactics evolve, technologies change, and human error is always with us.
By Katrina Thompson
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.