As we compiled our 3rd quarter cybersecurity summary report, we noticed a rising trend in insider threats.
Insider threats have been around forever, but they are now becoming more frequent, trickier to detect, more damaging and, ultimately, more costly. Industry statistics and reports on insider threats help us spot those trends and upgrade our security to combat them.
The Threat that Lies Within
And, since we spend so much time, money and energy focusing on our new perimeter-free networks, we can easily overlook the threat that lies within.
The 2020 Insider Threat Report by Cybersecurity Insiders reveals that 68% of organizations feel vulnerable to insider attacks. And they have good reason. Our own trend data supports the recent growth.
Lack of Industry Focus
What confuses me is why we seem to have a dearth of cybersecurity vendors focused on that space.
Attacks on Shopify, Tesla, Amazon and Twitter have resulted in financial loss, disruption and reputational damage in the public markets. So far, these are from ordinary employees who, given their easy access, are testing the boundaries of what’s possible.
These are just several examples of the many insider attacks that harmed organizations financially and reputationally in 2020.
Some cybersecurity experts believe that negligent and malicious employees are the most common actors in insider attacks. In its 2019 Insider Threat Report, Verizon placed careless workers and misuse of assets at the top of its threat actor list. At the same time, it didn’t mention privileged users, who are at the top of our lists.
Follow the Breadcrumbs
As usual, the breadcrumbs lead back to poor hygiene.
Privileged users and administrators are particularly threatening since they hold all the keys to the organization’s infrastructure and sensitive data. Because of their high level of access, harmful activity by privileged users is difficult to detect as they don’t break any of today’s cybersecurity rules when accessing sensitive resources.
Less privileged users are not as dangerous, but they can still harm an organization. They can misuse corporate data, install unauthorized applications, send confidential emails to the wrong address, fall victim to a phishing attack, and so on, and they do these things all the time.
Insider threats need not be malicious, intentional or planned.
Beware Double Dipping
Supply chain partners are highly dangerous as vendors, business partners, and temporary contractors may not follow cybersecurity rules and practices implemented in your organization or may violate them unknowingly.
This is a double-dipped cone for attackers, who know that your third-party vendors get by with a low, and often non-existent, level of security.
C-level executives have access to the most confidential and sensitive information about an organization, and as we see every day in politics, they can easily abuse their knowledge for insider trading, personal gain, and/or corporate or government espionage.
Steady Increases in Insider Threat
Over the last 3 quarters, despite rising awareness of insider-related risks and the general improvement of cybersecurity tools and awareness training, we have seen a steady increase in the percentage of insider threats.
As Dr. Ian Malcolm (Jeff Goldblum), says in Jurassic Park, “Life finds a way.”
A Ponemon Institute study weighs in on what it considers the reasons we see this increase:
Employee or contractor negligence — Human error is the most widespread type of security incident, and the results of such incidents caused by human error generally cost the least to mitigate. Examples of human error are sending sensitive data to the wrong recipient, misconfiguring an environment, and using unsafe work practices. Detecting and remediating an incident caused by employee or contractor negligence costs an average of $310,000.
Criminal and malicious insiders — Malicious insiders cause much more damage to an organization because they know everything about the cybersecurity measures the organization uses and the sensitive data it protects. Leveraging this knowledge, they may steal or leak data, sabotage production, or provide hackers with access to a company’s resources. Mitigating the consequences of malicious activity costs $760,000 on average.
Credential theft — For hackers, stealing the credentials of a trusted employee is one of the best ways to get inside an organization’s protected perimeter. Using legitimate credentials, hackers can operate undetected inside a system for quite some time. To obtain user logins and passwords, hackers use social engineering, brute forcing, credential stuffing, and other types of attacks. Incidents that involve credential theft are the most expensive to deal with, at $870,000 on average.
Adding Up the Costs
The total cost of an insider threat includes three components:
Direct cost — Money needed to detect, mitigate, investigate, and remediate the breach.
Indirect cost — The value of resources and employee time spent dealing with the incident.
Lost opportunity cost — Losses in potential profits because of the attack.
And these costs keep rising by the year.
The long-tail danger of insider threats exists because inside actors know exactly where sensitive data is stored and which cybersecurity solutions are implemented. For this reason, some breaches may go undetected for months or even years.
In fact, you are likely infected as you read this.
What to Do?
Conventional protect-and-defend solutions are available and most work really well, yet we are happier when these tools are deployed in the context of a Zero Trust architecture.
User behavior analytics establishes a baseline for employee behavior, detects unusual activity, and notifies security personnel if someone behaves unexpectedly. UBA tools are usually based on artificial intelligence or machine learning and help security officers detect and act on the earliest indicators of a threat. They should be a part of your cyber-defense strategy.
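As an added illustration of the baselining that UBA tools perform (this is not code from the post or from any product; the audit-log format, the median/MAD scoring and the working-hours window are assumptions), the toy Python detector below builds a per-user baseline from constructed audit lines and flags events that deviate from that user's own normal:

```python
import statistics
from collections import defaultdict

# Constructed sample audit log (assumed format: ISO timestamp, user, action, bytes).
# Added illustration only; this is not code from any UBA product.
SAMPLE_LOG = """\
2020-09-01T09:12:00 alice read 1200
2020-09-01T10:40:00 alice read 1500
2020-09-02T09:03:00 alice read 1100
2020-09-03T09:30:00 alice read 1300
2020-09-04T02:15:00 alice read 98000
2020-09-01T08:50:00 bob read 4000
2020-09-02T08:55:00 bob read 4200
2020-09-03T09:10:00 bob read 3900
"""

def parse_log(text):
    """Return (user, timestamp, bytes) tuples; malformed lines are skipped."""
    rows = (line.split() for line in text.splitlines())
    return [(p[1], p[0], int(p[3])) for p in rows if len(p) == 4 and p[3].isdigit()]

def build_baseline(events):
    """Per-user median and MAD of bytes per event; robust stats keep one outlier from masking itself."""
    per_user = defaultdict(list)
    for user, _ts, nbytes in events:
        per_user[user].append(nbytes)
    baseline = {}
    for user, vals in per_user.items():
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals) or 1.0  # avoid divide-by-zero
        baseline[user] = (med, mad)
    return baseline

def detect_anomalies(text, mad_threshold=5.0, work_hours=(7, 19)):
    """Flag events far above the user's own volume baseline or outside working hours."""
    events = parse_log(text)
    baseline = build_baseline(events)
    alerts = []
    for user, ts, nbytes in events:
        med, mad = baseline[user]
        score = (nbytes - med) / mad  # deviation in MAD units, relative to this user only
        hour = int(ts[11:13])         # hour field of the ISO timestamp
        reasons = []
        if score > mad_threshold:
            reasons.append(f"volume {score:.1f} MADs above baseline")
        if not work_hours[0] <= hour < work_hours[1]:
            reasons.append("outside working hours")
        if reasons:
            alerts.append((user, ts, "; ".join(reasons)))
    return alerts
```

Because the baseline is per user, bob's routine 4 KB reads are never compared against alice's, and alice's single 2 a.m. 98 KB read stands out against her own few-kilobyte history.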
Privileged access management functionality helps you prevent insider attacks by providing privileged users with granular access to sensitive resources. The solution must be rigorous, include multi-factor authentication, be driven by a strict rules engine, and be continuous. Initial-only authentication must join passwords as a relic of a bygone era.
User training and awareness, while a purely administrative activity, does increase employees’ awareness of threats when conducted correctly and frequently. Efficient user training helps to reduce the number of incidents caused by negligence and gives users enough knowledge to recognize and report threats. It substantially reduces the share of unintentional breaches, and it is mostly free.
A Zero Trust architecture, using existing tools and with the addition of a few more, will make the difference between being at the table or on the menu.
Will it stop all breaches?
But what it will do is shrink the excessive trust inherent in your networks, reduce the attack surface, isolate and better protect your crucial assets and make the bad guys’ jobs much harder.
Better than a poke in the eye?