September is National Insider Threat Awareness Month, which aims to bring to light the serious risks posed by insider threats.
We spoke to a range of cybersecurity experts about how organisations can bolster their security and reduce the threat of malicious or negligent insiders.
Over the past 18 months, organisations have faced a wide array of adversities when it comes to their data and IT systems. The pandemic has shifted organisations’ data security needs. With the rising value and volume of digital assets, there’s greater risk of insiders leaking or stealing sensitive data. Indeed, insider threats now make up 22% of all security incidents.
It may not be malicious
Understanding insider threats is one of the key factors in preventing them. “There are a number of misconceptions around insider threat that need to be addressed,” explains Michael Carr, Head of Strategic Development at Six Degrees. “Most organisations think insider threat is purely malicious, caused by disgruntled employees deliberately stealing data or rendering systems unusable. They also feel that they are exempt from insider threat, as either their data isn’t valuable enough or they have sufficient protections in place.”
He adds: “Neither of these beliefs are correct. Insider threat is a risk to most organisations, but unfortunately it is very difficult to prevent if the threat is malicious – the disgruntled employee will most likely already have privileges to systems and data as part of their day-to-day role.”
Steve Moore, Chief Security Strategist at Exabeam, adds: “Legitimate users performing unwanted or dangerous activity always prove more difficult to detect than typical external threats. Though most insider threats are unintentional and typically occur by accident, the damage they cause can still impact business outcomes and stability.”
In fact, a large number of breaches are entirely unintentional. Don Mowbray, EMEA Lead, Technology & Development at Skillsoft, agrees: “Whilst malicious insiders pose a real and present danger, many insider threats are a result of unintentional mistakes: clicking on a URL which leads to a phishing attack, accidentally sending a confidential email to the wrong sender or leaving a laptop on the train. According to Verizon, some 85 percent of breaches involved a human element last year, and in 2020 alone, government departments reported more than 1000 lost or stolen devices.”
Undoubtedly, the biggest challenge when it comes to insider threats is that organisations can often be powerless against them. “What makes insider threats most threatening is, almost without exception, they have the deck stacked in their favour,” explains Tim Bandos, CISO at Digital Guardian. “By design, insiders – trusted employees, contractors, and business partners – already have privileged access to sensitive material. Without having to engineer an exploit or install malware, insiders can operate quietly, under a shroud of secrecy. If there are controls in place on a system, an insider would know and could easily bypass them – assuming they have the appropriate access privileges.”
This sentiment is echoed by Dottie Schindlinger, Executive Director of Diligent Institute: “Despite elevated levels of external risk, an organisation’s greatest or most immediate cyber threat can come from within. Through unintentional missteps, often due to outdated security systems or software versions, company employees are often involved in major data breaches. These usually aren’t intentional but rather the result of a lack of consistently applied good practices that leads to bad outcomes.”
Recognising the magnitude of the problem
Whilst this seems scary, it is important to keep awareness of this risk high and take these threats seriously. “When irregular behaviour is detected, it should be taken seriously as a possible attack,” urges Moore. “Various indicators of insider threats exist, and a crucial step in protecting against them is recognising those signs and establishing a threshold of normal for employees. Unfortunately, most organisations lack the capability to know normal human and device behaviour.”
Jakub Lewandowski, Global Data Governance Officer at Commvault, adds that awareness is crucial to prevention. “As data protection laws very likely change in the following months and years, employees may have increased access to customers’ personal data, and therefore need to be fully informed of any subsequent changes to security policies. A lack of awareness could result in sensitive data being leaked accidentally, for example.”
Can you do anything?
Gary Cheetham, CISO at Content Guru, concludes by highlighting the importance of effective training and education: “An experienced Chief Information Security Officer (CISO) with a well-organised team is key for an effective security strategy, but it is crucial not to overlook the importance of educating the rest of your employees to ensure the insider threat in the organisation is minimised. Often, this threat stems from unknowing, non-malicious employees making simple mistakes. Regular training on cyber security and hygiene using engaging and accessible resources is the best way to minimise this risk.”