CISOs and other compliance professionals already know that insider threats are a primary cause of cybersecurity breaches. Still, to put numbers behind that point, consider these statistics from a recent Ponemon Institute survey:
- From 2018 to 2020, the number of insider incidents increased by 47 percent;
- The total cost of insider threats has increased from $8.76 million to $11.45 million;
- On average, criminal and malicious insiders cost organizations $755,760 (average) per incident.
Or a more specific example: In 2019, a hacker had gained access to the financial information of more than 100 million Capital One customers. This person was a Capital One vendor. As a result of the breach, Capital One incurred costs of $150 million.
Clearly insider cyber threats are a growing problem for organizations everywhere. To protect your organization, you must incorporate security awareness of various types of insider threats, as well as the strategies to mitigate and contain them.
Common Types of Insider Threats
Insider cyber threats are mainly due to:
- Negligent insiders
- Criminal or malicious insiders
- Credential thieves
And according to the Ponemon survey mentioned earlier:
|Insider Type||Proportion of Incidents||Avg. Cost Per Incident|
|Criminal insiders||23%||$4.08 million|
|Credential theft||14%||$2.79 million|
The difference among these threats mainly comes down to the insider’s goal and the potential harm of a realized threat.
Negligent insiders have no malicious intent, such as revenge or the expectation of financial gain. Almost always, losses or data breaches due to negligent insiders occur simply because the insider didn’t practice good cybersecurity hygiene. Examples include:
- Not logging off from a device at the end of a workday
- Sending emails to the wrong recipient
- Reusing or sharing passwords
- Using default passwords
- Leaving mobile devices unattended
- Discussing company secrets in public places
- Using open or insecure Wi-Fi networks
- Not applying security patches to software
Although these insiders account for fewer cyber incidents than careless insiders, they remain a serious threat to every organization because they can cause more damage. Indeed, they want to cause damage.
These opportunists deliberately plan and do something to disrupt the company’s operations, steal its sensitive information, trade secrets, or intellectual property, or increase its risk of a cyberattack, phishing attempt, or cyber-extortion.
The goal of this insider attack may be to embarrass the company, hurt its reputation, or cause financial damage.
In 2020, 89 percent of hacking attempts into web applications involved credential abuse or theft. Insiders may steal credentials and sell them to threat actors. Such credentials are beneficial for phishers since they can use this information to gain further access to their victim organization.
The compromised insider, while not malicious, can cause severe cybersecurity and data security issues.
Just by clicking on a link or downloading an attachment from a malicious email, they enable cybercriminals to hack into the organization’s network, perpetrate a malware attack, or steal data. Malicious actors can also use compromised machines to move laterally across the network and infect more endpoints to cause further havoc.
In general, there are many types of cybersecurity threats created by insiders who may:
- Exfiltrate the company’s sensitive data after being fired
- Sell company data or devices for financial or personal gain
- Steal trade secrets as part of a corporate espionage effort
- Expose customer information on the dark web for financial gain or to embarrass the firm
- Abuse privileged access for financial gain, such as Bitcoin mining
- Deploy ransomware to lock enterprise systems and disrupt operations
- Accidentally misconfigure access privileges or send emails to the wrong person, leading to data theft, identity theft, or even physical harm to someone
How to Mitigate Insider Threats in Your Business
Here are three proven strategies to guard against insider threats and mitigate their impact.
Monitor the Red Flags that May Indicate Insider Threats
Insider threats often raise red flags when an individual behaves a certain way or takes specific actions. Observe the following behavioral and digital indicators to spot an insider threat, and take action before it leads to disruptions or data losses:
- Working outside scheduled work hours
- Logging in from different locations or devices at different times
- Copying large amounts of information to removable drives or emailing it to non-company email addresses
- Making excessive negative comments about the organization
- Personal problems, such as impending divorce, gambling debts, alcohol addiction, and so forth
- Frequent displays of anger or frustration
To identify insider threats, don’t rely on observation alone. Deploy employee monitoring software, User Behavior Analytics (UBA), and Security Information and Event Management (SIEM) systems to spot insider threats and minimize their harm.
Improve Employee Security Awareness
To minimize the insider threat problem, it’s vital to improve employee security awareness. The awareness program should teach employees:
- How to detect phishing attacks
- How to spot the signs of a ransomware attack
- How social engineering works
- The importance of password hygiene
- The consequences of password-sharing, leaving devices unattended, and using insecure WiFi networks
- Cybersecurity best practices related to access management, email communication, remote work, and Bring Your Own Device (BYOD)
Make Threat Detection an Enterprise-Wide Responsibility
CISOs, IT, security teams, and HR should coordinate to share information and implement security measures to minimize insider threats. They should also collaborate to manage access rights and privileges to assure that only authorized people access enterprise systems and data.
If an employee leaves or changes roles, the two departments should work together to revoke that person’s privileges. Any red-flagged employee (see above) should be placed on a threat watchlist, and his or her behavior should be monitored.
In addition, a dedicated threat hunting team can provide an active approach to detect, identify and mitigate many types of insider threats.
Detect Insider Cyber Threats Faster with ZenGRC
To minimize the (potentially catastrophic) impact of the different types of insider threats, it’s critical to implement robust mitigation strategies like the ones discussed here.
In addition, a comprehensive threat detection platform like ZenGRC should be a vital element of every organization’s cybersecurity infrastructure. ZenGRC can detect insider threats, suspicious behaviors, and lateral movements to provide continuous and effective cybersecurity.