In recent years, however, the situation regarding insider incidents has worsened considerably: the number of cases grew by almost 50 percent between 2018 and 2020. And the consequences of such attacks can be severe. According to estimates by the Ponemon Institute, insider attacks cost companies an average of around 9.67 million euros per year.
While many organizations are becoming increasingly aware of the threat posed by insiders, modern work models make prevention more difficult. Since many employees have, through the experience of the past few months, got used to working from home or working on the move, it is unlikely that companies will return completely to office-based work, as was the rule before the pandemic.
The associated dependency on cloud resources, changed working hours and behavior, and a lack of visibility make defense against insider threats, whether malicious or negligent, much more difficult. Forrester estimates that this year a third of all cyberattacks will come from insiders, up from 25 percent at present.
Given this growing threat, the need for a comprehensive Insider Threat Management (ITM) solution cannot be denied. Now more than ever, companies need to implement comprehensive ITM programs that incorporate tools, technology, processes and, most importantly, people.
Understanding insider threats
Classic cybersecurity defenses rely on protecting the perimeter and thus try to shield the company from the outside in. Insider threats, on the other hand, require measures that protect data, networks and systems in an environment without a perimeter. This calls for a different approach with tailor-made tools, strategies and security awareness training. Unfortunately, many decision-makers in companies still ignore this to this day.
To make matters worse, insider threats come in many forms, from attacks that deliberately attempt to harm an organization to those that stem from negligence. Account takeovers also fall into the "insider threat" category, although the actor behind this type of attack is not actually an insider at all; the attacker merely operates with an insider's credentials.
Negligent threats make up the largest proportion of insider threats. They account for almost two thirds of all incidents and occur when a user inadvertently gives an attacker access to data and systems, for example by clicking on a malicious link, mishandling a password, or accidentally revealing sensitive information.
Although deliberate threats are less common, they are usually more costly: the average damage is 637,937 euros per incident. By comparison, negligent threats, with an average damage of 259,232 euros, are comparatively cheap. Deliberate insider threats usually come from employees motivated by revenge or financial gain.
The third variant of insider threats is compromised user accounts, which cost an average of 735,790 euros per incident. These acts are usually committed by fraudsters or cyber criminals who target user credentials in order to gain illegal access to applications and systems. This is the most expensive type of insider threat per incident.
As a general rule, insider threats are difficult to identify and counteract. In the case of negligent insiders in particular, who have no motive for their action, there are usually only a few warning signs. Malicious insiders, on the other hand, go to great lengths to cover their tracks and avoid arousing suspicion. Add relatively new work models, a heterogeneous workforce and a growing number of points of attack, and the challenge facing cybersecurity teams is obvious.
The hybrid factor
Hybrid environments not only increase the risk of insider threats, but also make them significantly harder to detect without a comprehensive ITM program. Although hybrid work models have now become the norm for many organizations, this is still a relatively recent development. Cybersecurity teams are still learning to interpret the new telemetry and to account for users accessing the network from different locations and devices.
With the flexible work models that shape everyday work today, certain threat scenarios are much harder to detect. Behavior that analysts previously flagged as unusual or even suspicious, such as a login outside office hours or from an unfamiliar location, may no longer stand out at all. In many organizations, the number of access points has also increased significantly, which greatly enlarges the potential attack surface.
The social and psychological effects of flexible and hybrid work models make things even more difficult. Outside the office, users tend to deviate from established procedures, simply for convenience. This happens when personal devices are used for business purposes or, conversely, company computers are used for personal purposes, when passwords are written down, or when systems or data are accessed improperly.
What is particularly worrying, however, is that many users are not even aware of the security best practices they should follow when working from home. By the end of 2020, only 36 percent of companies had trained their users in this regard, although 92 percent had switched to working from home.
Working outside the office also brings distractions, ranging from everyday chores to the comforts of home. All of this can make users more prone to simple but costly mistakes. And those with bad intentions may feel they can act more freely outside the corporate environment.
Developing an insider threat management program
Effective detection and defense against insider threats, including under new working models, may be difficult, but it is by no means impossible. The solution is a comprehensive ITM program that combines controls, processes and people. It begins with implementing processes for monitoring insider threats that take a closer look at suspicious activity.
A people-centric ITM program also requires specialized resources, such as monitoring tools that can detect data exfiltration, privilege abuse, application misuse, unauthorized access, and risky or abnormal behavior. Furthermore, the team responsible must be able to develop and enforce clear best-practice guidelines for hybrid working. These must set rules for system and network access, user rights, password hygiene, unauthorized applications, use of private devices, data protection and more.
Another important cornerstone of any comprehensive ITM program is knowledge. The ITM team must have a thorough understanding of data activity within the organization, that is, it must know who is accessing which data, when, why and via which platforms. This contextual knowledge helps identify motives and intentions at an early stage, and that in turn is key to correctly interpreting the warning signs of insider threats.
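As an added example that is not part of the original article, the following Python sketch shows the kind of per-user baseline such monitoring tools build from access logs (who, when, from which device and location, via which platform, how much data), and how deviations from that baseline are turned into a risk score. The events, user names, scoring weights and thresholds are all constructed for illustration; a real ITM product works with far richer telemetry.

```python
"""Added example (not from the original article): a minimal per-user
behavioural baseline over constructed access-log events, of the kind an
ITM monitoring tool derives from identity, endpoint and SaaS logs.
All events, names, weights and thresholds below are made up for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessEvent:
    user: str
    ts: datetime        # when the access happened (UTC)
    device: str         # device identifier as seen by the IdP or EDR agent
    country: str        # geolocation of the source IP
    platform: str       # e.g. "sharepoint", "git", "vpn"
    bytes_out: int      # data transferred out of the platform in this session


# Constructed history: "alice" normally works 09:00 and 14:00 UTC from one
# managed laptop in DE and pulls roughly 41-50 MB per SharePoint session.
HISTORY = [
    AccessEvent("alice", datetime(2021, 3, day, hour), "lt-0142", "DE",
                "sharepoint", 40_000_000 + day * 1_000_000)
    for day in range(1, 11) for hour in (9, 14)
]


@dataclass
class Baseline:
    hours: set
    devices: set
    countries: set
    platforms: set
    mean_bytes: float
    std_bytes: float


def build_baselines(events):
    """Learn, per user, what 'normal' looks like from historical events."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    baselines = {}
    for user, evs in by_user.items():
        sizes = [e.bytes_out for e in evs]
        baselines[user] = Baseline(
            hours={e.ts.hour for e in evs},
            devices={e.device for e in evs},
            countries={e.country for e in evs},
            platforms={e.platform for e in evs},
            mean_bytes=mean(sizes),
            std_bytes=pstdev(sizes) or 1.0,   # constant history: avoid division by zero
        )
    return baselines


def score_event(event, baselines):
    """Return (score, reasons). Each deviation from the user's baseline adds
    weight; a user without any baseline is treated as high-risk by default."""
    b = baselines.get(event.user)
    if b is None:
        return 100, ["no baseline for user"]
    score, reasons = 0, []
    if event.ts.hour not in b.hours:
        score += 20
        reasons.append(f"unusual hour {event.ts.hour:02d}:00")
    if event.device not in b.devices:
        score += 30
        reasons.append(f"new device {event.device}")
    if event.country not in b.countries:
        score += 30
        reasons.append(f"new country {event.country}")
    if event.platform not in b.platforms:
        score += 10
        reasons.append(f"new platform {event.platform}")
    z = (event.bytes_out - b.mean_bytes) / b.std_bytes
    if z > 3:                                 # bulk download far outside the norm
        score += 40
        reasons.append(f"volume {z:.1f} sigma above baseline")
    return score, reasons


def demo():
    """Score three constructed events against the baseline learned from HISTORY."""
    baselines = build_baselines(HISTORY)
    normal = AccessEvent("alice", datetime(2021, 3, 12, 9), "lt-0142", "DE",
                         "sharepoint", 44_000_000)
    # 02:00 from an unmanaged device, pulling 600 MB: typical exfiltration pattern
    suspicious = AccessEvent("alice", datetime(2021, 3, 13, 2), "personal-macbook", "DE",
                             "sharepoint", 600_000_000)
    unknown = AccessEvent("mallory", datetime(2021, 3, 13, 2), "lt-9999", "DE",
                          "sharepoint", 1_000)
    return {name: score_event(ev, baselines)
            for name, ev in (("normal", normal), ("suspicious", suspicious), ("unknown", unknown))}


if __name__ == "__main__":
    for name, (score, reasons) in demo().items():
        print(f"{name:10s} score={score:3d} {reasons}")
```

The weights are arbitrary; what matters is that the score is explainable, so an analyst can see which of the who/when/where/how-much dimensions deviated. Note also the caveat from the hybrid-work discussion above: a baseline learned from office-era logs will flag every home or mobile login as a new device or location, so baselines must be re-learned regularly and the "unusual hour" and "new country" weights reviewed once flexible working becomes the norm.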
Employees must also be given the skills to protect themselves and their company. The best way to do this is regular awareness training that reflects current developments. The training should include multiple-choice tests, not just traditional tips on digital security. The aim must be to make everyone aware of how much individual behavior matters for the security of the entire company.
Whether at home, in the office or on the go, all employees need to know the correct behavior and the role they play in their organization's security. This means more security for the company and for every employee.