Insider threats are the risks present within the structure of a company. The triggers could be an employee, a business associate, a consultant, or even a supplier who has access to important and sensitive business data. Data that could open the door to an attack of catastrophic proportions.
In fact, according to the Cost of Data Breach Report, 20% of breaches were initially caused by compromised credentials.
- According to the study, business email compromise was responsible for only 4% of breaches, but had the highest average total cost at $5.01 million.
- The second costliest initial attack vector was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million).
Insider Threats are a significant problem for companies when it comes to security. The most effective weapons against the issue are prevention and training.
Defining an Insider Threat
To categorize the problem, we chose the definition presented by Cybersecurity and Infrastructure Security Agency (CISA):
Insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities. External stakeholders and customers of DHS may find this generic definition better suited and adaptable for their organization’s use.
The agency also presents a categorization of different types of insider threats. They are:
- Negligence – By inattention or malpractice, a person inside the organization exposes the company. Some examples are the loss of devices containing sensitive data or ignoring messages regarding the installation of a new update in the security system.
- Accidental – The unintended error can also happen by accident, creating an unintended risk to the organization. Examples include clicking on a phishing email.
When a person within the organization intends to leak information, cause harm for their own benefit or harm the company. He is the well-known “malicious insider”. Examples include the leakage of sensitive data, sabotage or theft of sensitive information.
Other Threats that can be cited are:
- Collusive Threats – A subset of malicious insider threats, where one or more insiders collaborate with an external threat actor to compromise an organization.
- Third-Party Threats – Additionally, third-party threats are typically contractors or vendors who are not formal members of an organization, but who have been granted some level of access to facilities, systems, networks, or people to complete their work. These threats may be direct or indirect.
We want to make it clear here that insiders are not just employees. These actors can take on countless other roles. Conducting an assessment and mapping all users with potential access to the company's systems is essential. An insider can be:
- A supplier that has an API to the system your company uses
- Former employees who still have access to your systems within the company or privileged information
- Business partners who have access to the company structure or the systems used
How to prevent Insider Threats
The best way to prevent an insider threat is to invest in a corporate culture that values security and data integrity. Creating a culture is not easy and involves everyday actions that are followed by everyone within the organization, from the receptionist to the C-Level.
There is a quote by Stephane Nappo that we really like: “Security culture can achieve more than prohibition posture”. Within the movement to create a corporate culture focused on cybersecurity, there are several actions that can be taken. Below, we list a few:
Structure and document a consistent cybersecurity policy
Having well-structured processes is critical to understanding what security parameters are being pursued and the ideal procedures that everyone should maintain.
This involves structuring and documenting some protocols, such as:
- Data protection regulations
- Best practices for creating passwords
- A cyber attack response plan
- Internal regulation with sanctions for employees with negligent and malicious postures
It is recommended to rely on specialized professionals to prepare this documentation.
Use the principle of least privilege
Restricting server access is also a good alternative to protect information. Employees should have access to basic servers, accessing servers with more important information only when necessary. Using this method, as in the case of phishing, threats can be identified.
Qualified and constant training of employees
Keeping employees trained and on the lookout is critical to ensuring a functional end-to-end cybersecurity strategy. Attacks by criminals are increasingly sophisticated, ranging from viruses disguised as attachments to well-rehearsed phone calls.
Employees need to know the dangers, the risks of attacks, and the correct procedures for acting in a situation of accidental data leak or a phishing situation.
This training can be done by the internal cybersecurity and technology team or delivered automatically by a partner company through short 2-3 minute videos.
Be on the lookout to identify suspicious behavior within the organization
Establishing normal operating parameters and monitoring security systems is important to ensure an efficient policy and ensure that good practices are adhered to within the organization.
The company can configure alerts for critical events or mapped threats. Another option is implementing user behavior analytics (UBA) technologies. Some technical triggers that can be configured are: password changes, malware installation, attempted access to confidential documents, and remote access to company systems, among others.
There are also social behaviors that can be identified by other colleagues, such as professionals who have many conflicts with other employees, professionals with high interest in projects in which they are not involved, or who constantly act outside the lines established by the company.
With well-structured internal regulation and constant monitoring, malicious insiders can be identified and appropriate corrective action taken, which also serves as an educational tool.
It is important that the response to these threats be swift, as any delay in action could cause even greater loss for the company.
The problems your company faces are unique. So your answer should be too. With CyVent you have expert support, cutting-edge software, and access to rigorously selected solutions with 24/7 monitoring.
Book a call: www.cyvent.com/contact-us