While cybersecurity professionals spending much of their time focusing on mitigating external cyber attacks, the problem with insider threats is often overlooked. But insider threats are growing at an accelerated pace, according to a new study by Proofpoint, which states that 31% of global CISOs see insider threats as the perceived biggest risk to their organization in the next one year.
“Just like outside threats, those that stem from the inside have the potential to cause significant damage,” the study said, highlighting that insider threats will continue to get bigger as organizations are set to evolve into a hybrid blend of home and office-based work for most employees. And therefore, it is more important then ever to address the risks that insider threat can pose.
Identifying insider threat
The study classifies insider threats into three types – malicious, negligent, and compromised users – and that all insiders’ threats are not malicious.
When we consider unintentional threats – such as the installation of unauthorized applications or the use of weak or reused passwords – this figure is likely much higher.
With malicious users, you are looking for a timeline of technical activity that includes preparation for exfiltration, data exfiltration, and intentional covering up of tracks. Additionally, these users may display harmful offline motivations such as revenge, anger or frustration to cause harm.
“To identify negligent activities, security teams need to look for indicators of poor hygiene such as storing passwords in text files, leaving databases exposed to the public internet, using unsecured Wi-Fi connections, using unauthorized applications, and actions that are designed to sidestep security restrictions,” said Lucia Milica, Global Resident Chief Information Security Officer at Proofpoint.
Identifying potential cases of compromise means looking for suspicious behavior including activity such as discovering valuable assets, accessing target assets, data exfiltration preparation, and finally evidence that the insider is covering their tracks, she said.
The study also finds that insider threats have risen rapidly in both frequency and costs and most organizations are simply not prepared to deal with this harsh reality as their security practices tend to focus outward instead of inward.
According to a 2020 Ponemon study, the average global cost of insider threats rose by 31% in two years to $11.45 million, and the frequency of incidents spiked by 47% in the same time period. The inability for organizations to manage these threats is evidenced by how long they take to clean up: the average incident took 77 days to contain, up from 73 in 2018.
The longer an incident lingers, the costlier it gets. In this study, incidents that took more than 90 days to contain cost organizations an average of $13.71 million on an annualized basis. The growth of insider threats is driven by a range of issues, including more sophisticated external threats compromising user accounts, a remote and connected workforce, third-party contractors with access to the organization, and limited job tenures.
But it’s also not all malicious: negligent insiders account for 62% of all incidents, costing organizations the most in total per year: an average $4.58 million. Even though criminal insiders dominate the headlines, their frequency was the lowest, at 14% of incidents.
Mitigating insider threats
Stopping all these incidents requires a comprehensive insider threat management solution that can efficiently visualize risky insider activity across applications, systems and sensitive data at all times. An effective insider threat management solution must address people, process and technology.
Many organizations mistakenly focus on data movement alone. However, organizations need visibility into user and file activity at all levels. They need to know the ‘how’ and ‘why’ of a user’s behavior to figure out intent and actions. But it’s not just employees – contractors, third parties, partners throughout the supply chain can expose you to danger if you don’t put sufficient people-centric protections in place.
According to Proofpoint researchers, “Raising security awareness can curtail the negligence that makes up insider threats.”
The report recommends that CISOs establish a set of governance policies informed by legal counsel and communicate those to your employees. They should offer security training programs tailored to each executive level in your organization. These training sessions should occur with some frequency and be refreshed to reflect changes in how insider threats occur.
Defending your data and protecting your organization against insider risk is a team effort. It means working with key stakeholders from other departments to identify potential insiders, including human resources, IT, operations and legal, believes Milica.
The study emphasizes that insider threat management is all about trying to protect your weakest link from compromise. With best practice policies and processes supported by the right technology, organizations can secure their hybrid workplace of tomorrow.