Insider threats have always posed a problem for organizations, but the past few years have seen a significant uptick in cyberattacks caused by insiders.
Several factors have fueled the uptick, including the transition to remote work, in which employees may use unsafe personal devices and connections to access corporate resources. Other factors include the prevalence of USB devices and ubiquitous cloud usage. These factors combined make insider threat prevention harder than ever.
“There was always a relatively clear relationship between anomalous activity and something that was worth an organization investigating well,” said Dan Costa, technical manager for enterprise threat and vulnerability management at the CERT National Insider Threat Center. “What happens when everybody's normal [activity] changes at the exact same time? Everything starts to look anomalous.”
That shift has made traditional insider threat management less effective. It also resulted in a surge of insider-associated attacks. Incidents involving insider threats increased by 47% between 2018 and 2020, and 57% of organizations say insider incidents have become more frequent over the past 12 months, according to a Cybersecurity Insiders report. A new report from Proofpoint and the Ponemon Institute found that insider threats cost organizations about $15.4 million annually, up 44% from 2020.
What Is an Insider Threat?
In general, there are three types of insider threats. The first is the malicious insider. These are employees with an axe to grind. They may have been passed over for a promotion, be in financial straits, hold differing beliefs, or feel a sense of entitlement, among many other motivations. A malicious insider may use their privileged access to corrupt data, damage infrastructure, or steal money or intellectual property.
Costa attributes much of the increase in malicious insider threats to remote work, which disconnects employees from employers. Companies with higher levels of employee engagement typically see fewer malicious insider incidents.
Malicious insider attacks tend to be the most difficult to identify and stop. Last year was a banner year for these types of attacks. In April, an executive at cybersecurity company Proofpoint used a USB drive to steal sensitive information and sent it to a Proofpoint competitor. In October, a Pfizer employee uploaded thousands of confidential documents on drug development and trade secrets to a personal Google Drive account on her corporate laptop. In that case, monitoring software detected the breach.
The second type of insider threat is caused by an employee behaving carelessly or with a lack of knowledge. Research firm Gartner found that employee carelessness was the second-most common cause for data breaches. In other cases, employees accidentally email data outside the organization, where it is exposed. They can also load data onto a USB drive or print data, then leave it around exposed to theft. Other kinds of unintentional breaches can come from clicking on phishing emails, failing to follow security policies, and mishandling passwords. About 22% of organizations have experienced issues with malware downloaded on employees’ unmanaged devices with access to corporate resources, according to a report by Cybersecurity Insiders and Bitglass.
The third type of insider threat is the most insidious: unwitting insiders who are taken advantage of by external hackers. In this scenario, a hacker steals an employee’s credentials to access the corporate network. One famous example is a 2020 Twitter hack where hackers stole Twitter employee credentials, then used them to impersonate public figures and launch a crypto scam. The crypto scam resulted in a more than $100,000 payday before it was shut down. In other cases, hackers have actively attempted to recruit insiders with authorized access to critical assets.
How To Improve Insider Threat Prevention
The first step to dealing with insider threats is to create a full-fledged insider threat program. Doing so requires “putting the program back into program,” said Shawn Thompson, founder and president of the Insider Threat Training Academy and Insider Threat Management Group. In other words, developing an insider threat program has been a best practice for years, but companies typically haven’t given it the gravitas it deserves.
“Often, the definition of a program has been to buy tools, but it really requires a more comprehensive and cross-functional approach,” Thompson said. That means developing the proper governance structure that includes the CISO, representatives from business units, HR, and legal. Then it’s time to develop an effective insider threat prevention strategy based on what is important to the business. In some cases, that’s intellectual property. In others, it's more about financial reports and contracts.
Joseph Blankenship, a vice president and research director at Forrester, developed an approach based on just these types of issues. Last on the list is to implement security technology, and that’s on purpose. Processes and strategy are more important.
“It’s about understanding what you’re trying to do and looking at it from a programmatic perspective to get your arms around it,” Blankenship explained. “You have to know what’s important to your company and have fully identified who users are and the kind of access they have, and what controls currently exist to protect assets.” Only then can you define policies and choose the right tools.
Implementing the right tools and incorporating effective analytics is the next step. Some of the most effective insider threat prevention tools include the following:
- user entity behavior analytics to detect unusual activity;
- privileged access management to provide privileged users with granular access to sensitive resources;
- multifactor authentication to verify legitimate users;
- endpoint monitoring and detection tools to monitor device behavior; and
- data loss prevention to stop data exfiltration.
Any or all of these tools can be used with a security information and event management (SIEM) or security orchestration, automation, and response (SOAR) platform. Together, they can help organizations coordinate and analyze information.
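The following is an added illustration, not code from the article or from any vendor named in it, of the two points made above: Costa's observation that a fixed per-user baseline flags everyone once the whole workforce changes behaviour at the same time, and the user entity behavior analytics item in the tool list. It uses constructed daily cloud-upload volumes for four hypothetical users and compares a classic per-user z-score baseline with a peer-relative score computed across users on the same day.

```python
"""UEBA-style baseline detection over constructed activity records.

Days 1-5 are in-office. On day 6 everyone works remotely and cloud
uploads rise across the board; only one user rises far beyond peers.
"""
from statistics import mean, median, pstdev

# Constructed sample data: megabytes uploaded per in-office day.
BASELINE = {
    "alice": [20, 22, 19, 21, 20],
    "bob":   [25, 24, 26, 25, 24],
    "carol": [18, 19, 17, 20, 18],
    "dana":  [22, 21, 23, 22, 22],
}
# Constructed first remote-work day: the whole population shifts upward.
REMOTE_DAY = {"alice": 90, "bob": 110, "carol": 85, "dana": 950}


def zscore(value, history):
    """Standard deviations between today's value and the user's own past."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def per_user_alerts(baseline, today, threshold=3.0):
    """Classic per-user baseline: each user compared only with themselves."""
    return {u for u, v in today.items() if zscore(v, baseline[u]) > threshold}


def peer_relative_alerts(today, threshold=3.0):
    """Compare each user with peers on the same day using median and MAD.

    A population-wide shift moves the median too, so it is not flagged;
    only users far from their peers exceed the threshold. The 1.4826
    factor scales MAD to a standard deviation for normal data; the
    fallback of 1.0 when MAD is zero is an assumption for this example.
    """
    vals = list(today.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1.0
    return {u for u, v in today.items() if (v - med) / (1.4826 * mad) > threshold}


if __name__ == "__main__":
    print("per-user baseline flags:", sorted(per_user_alerts(BASELINE, REMOTE_DAY)))
    print("peer-relative flags:    ", sorted(peer_relative_alerts(REMOTE_DAY)))
```

The peer-relative score trades one blind spot for another: it stays quiet if a whole team moves data together, so in practice both views feed the SIEM rather than replacing each other.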
These measures should be done with zero trust in mind. Zero trust enforces the concept that all users, devices, applications, and other entities can’t be trusted without verification and authorization each time they try to access resources.
A Fine Line Between Security and Big Brother
While these tools are important to a comprehensive insider threat prevention strategy, a little can go a long way. It’s easy to create a “big brother” culture, but that’s definitely not the goal. Excessive employee security policies can create a hostile work environment, demoralize employees, turn employees against their employers, and destroy corporate culture. Eventually, these policies may affect a company’s reputation, making it hard to recruit employees.
“There’s a potential that it could either ruin … employee experience to the point that [people] don't want to work there anymore or aggravate them to the point that they want to do something to get back at the company,” Blankenship said.
Thompson said that employees tend to accept a certain level of monitoring these days. For example, it may be acceptable to monitor how much time a user spends on a device. However, monitoring employees’ movements may cross a line for many.
Another way to stem malicious insider attacks is to actively connect struggling employees with resources designed to support them. Resources might include e-assistance programs for employees exhibiting financial stressors. “If you can have honest conversations with employees about how to improve their situation or reduce stress or conflicts, it can make a big difference,” Costa said.
Finally, consider hiring or designating someone to focus on insider threat prevention at the company, Thompson said. The idea first surfaced in 2011 with an Obama administration executive order that directed agencies to formalize insider threat programs. The idea has since taken hold. Some employees in this role are vice-president level while others are at the mid-manager level, but the result is the same: a laser focus on insider threats.
Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.