
Defending Your Organization Against Internal Threats

Insider threats are a common problem that companies face when people with ties to the organization misuse their access to sensitive data or systems. Picture a wide range of scenarios, from authorized employees turning rogue to outsiders manipulating someone on the inside. Even accidents like unintentional data leaks due to carelessness can be classified as insider threats.

Not only current and former employees but also non-employees such as contractors, freelancers, partners, and third-party vendors can pose a threat if they have access to an organization’s security systems and data. Gartner’s Go-to-Market for Advanced Insider Threat Detection identifies four types of insiders: Pawns, who act maliciously either unknowingly or under manipulation; Goofs, who are negligent or ignore established security policies; Collaborators, insiders who team up with external parties to cause harm or steal from the organization; and Lone Wolves, individuals who exploit their access for personal gain or vengeance.

But here’s the kicker: insider threats are on the rise. The 2022 Cost of Insider Threats: Global Report by the Ponemon Institute found a 44% jump in insider threat incidents over the past two years, and the cost per incident has shot up by over a third to a staggering $15.38 million. What’s worse, these threats often fly under the radar for months before they’re caught. A 2023 survey showed that a mere 3% of corporate respondents aren’t sweating about insider threats—maybe they should be.

So, what steps can organizations take to defend against internal threats?

Define business-critical assets, set up rules for access and control access

A 2019 survey of IT executives in the US and UK revealed that 74% of breaches involved access to a privileged account. Therefore, organizations need to start by identifying and categorizing all their business-critical assets and defining carefully who needs access to what. Organizations must draw up unambiguous rules and guidelines governing access to business-critical IT assets and systems. The roles and responsibilities of all parties (employees, contractors, associates) must be defined, communicated and rolled out with inter-departmental cooperation across the organization.

Organizations must ensure that their defined business-critical assets are physically and environmentally secure. Physical access should be limited to the few people who need it to carry out their jobs. As far as possible, business-critical assets should be protected from fire, flood or any other natural hazard. Organizations must then aim to reduce the insider attack surface by isolating sensitive system areas and setting up suitable access controls for devices, servers and networks without hindering business operations. Features and functions that invite access but are not necessary should be locked down or removed. Tools include firewalls and multi-factor authentication.
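The steps above (classify assets, state explicitly who may do what, lock down everything else, require MFA for the most sensitive systems) can be encoded as a deny-by-default policy check. The following is an added example written for this article, not code from any product it mentions; the asset names, roles, users and classifications are constructed for illustration.

```python
# Added example: deny-by-default access policy over classified assets.
# Assets, roles and users below are constructed, not taken from any real system.
from dataclasses import dataclass

PUBLIC, INTERNAL, CRITICAL = "public", "internal", "critical"


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # PUBLIC, INTERNAL or CRITICAL


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    mfa_verified: bool = False   # has the session passed multi-factor authentication?
    is_contractor: bool = False  # non-employees get a narrower grant on critical assets


# Asset inventory with classification: the "define business-critical assets" step.
ASSETS = {
    "payroll-db": Asset("payroll-db", CRITICAL),
    "source-repo": Asset("source-repo", INTERNAL),
    "handbook": Asset("handbook", PUBLIC),
}

# Explicit grants: (role, asset) -> allowed actions. Anything not listed is denied.
GRANTS = {
    ("finance", "payroll-db"): {"read"},
    ("finance-admin", "payroll-db"): {"read", "write"},
    ("engineering", "source-repo"): {"read", "write"},
    ("everyone", "handbook"): {"read"},
}


def authorize(p: Principal, asset_name: str, action: str) -> tuple:
    """Return (allowed, reason). Unknown assets and unlisted grants are denied."""
    asset = ASSETS.get(asset_name)
    if asset is None:
        return False, "unknown asset"
    roles = set(p.roles) | {"everyone"}
    if not any(action in GRANTS.get((r, asset_name), set()) for r in roles):
        return False, "no explicit grant"
    if asset.classification == CRITICAL:
        # Critical assets add conditions on top of the role grant.
        if not p.mfa_verified:
            return False, "critical asset requires MFA"
        if p.is_contractor and action != "read":
            return False, "contractors may not modify critical assets"
    return True, "granted"


def critical_exposure() -> dict:
    """Audit helper: which roles can touch each critical asset, and how."""
    exposure = {}
    for (role, asset_name), actions in GRANTS.items():
        if ASSETS[asset_name].classification == CRITICAL:
            exposure.setdefault(asset_name, {})[role] = sorted(actions)
    return exposure


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"finance"}), mfa_verified=True)
    print(authorize(alice, "payroll-db", "read"))   # granted
    print(authorize(alice, "payroll-db", "write"))  # no explicit grant
    print(critical_exposure())
```

The point of `critical_exposure()` is the periodic audit the article calls for: it lists every role that can reach a critical asset so the list can be reviewed and trimmed rather than grown by accretion.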

Develop a human firewall

Organizations need to embrace security awareness training as the means to transform all staff into components of an effective human firewall. Security training and awareness begins with defining the security roles and responsibilities for each and every member of the organization. The goal of security awareness training is not just to provide the security education needed to eliminate breaches resulting from ignorance or from unintentional or wilful negligence, but to instil a culture of constant security vigilance. Developing a positive employee attitude towards cybersecurity, resulting in a vigilant and discerning workforce, represents the optimal insurance against internal threats.

Preventing internal threats is also an inter-departmental task necessitating continuous teamwork, especially between Human Resources (HR) and Security. HR and Security need to develop robust security policies for remote working. HR needs to flag ongoing security concerns regarding departing employees (a well-documented source of insider breaches) and employees who appear dissatisfied or unmotivated. Security policies need to be assessed, adapted and enforced with regular audits.

Utilize the best insider threat management tools

A Cyberhaven report states that “one of the best ways to prevent an insider threat is to proactively identify and mitigate insider risks. Data and user monitoring tools can be critical in this phase by revealing how insiders use data in real-world workflows. This can also provide insight.”

The goal of insider threat management data and monitoring software is to provide visibility into users' online actions. The two most common tools deployed to protect an organization's business-critical assets from internal threats are Data Loss Prevention (DLP) systems, which track user access to business-critical data, and user behavior analytics (UBA), which monitors for threats by matching user behaviour against defined rules.

Ideally, an insider threat management tool will identify and categorize business-critical data, monitor all file movements, define all trusted applications, raise an alert and block data export immediately after suspect behavior is flagged. The tool must be able to detect unusual activity such as large-volume downloads, access to specific critical files, after-hours login and account lockout events and to provide a response depending on severity, including isolating a device or disabling a user account.

Look for a tool that deploys AI to differentiate between normal user activity and potential threat activity, and that recommends tighter access rights where warranted. Look for a tool that automatically generates appropriate analysis: a threat intelligence feed accumulates vital data, supports forensic investigations, and comes with pre-configured alerts, detection templates and correlation rules.
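The detections described above (large-volume downloads, access to critical files, after-hours logins, account lockouts, a per-user baseline to separate normal from unusual activity, and a severity-graded response) are simple to express as correlation rules over an access log. The following is an added example written for this article, not code from Cyberhaven or any other product it mentions. The log format, the thresholds, the critical-path prefixes, the per-user baseline figures and the sample log lines are all constructed assumptions.

```python
# Added example: rule-based insider threat detection over constructed log lines,
# with a per-user download baseline and a severity-scored response.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format is an assumption: ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2024-03-14T09:02:11Z user=alice event=login
2024-03-14T09:10:40Z user=alice event=download bytes=2400000 path=/shared/q1-report.pdf
2024-03-14T02:13:05Z user=bob event=login
2024-03-14T02:15:22Z user=bob event=download bytes=950000000 path=/hr/salaries.xlsx
2024-03-14T02:16:01Z user=bob event=file_access path=/hr/salaries.xlsx
2024-03-14T08:01:00Z user=carol event=lockout
2024-03-14T08:01:30Z user=carol event=lockout
2024-03-14T08:02:00Z user=carol event=lockout
"""

# Tunable rule parameters (assumed values, not from the article).
WORK_HOURS = range(7, 20)                    # 07:00-19:59 counts as business hours
LARGE_DOWNLOAD_BYTES = 500_000_000           # single download above this is suspicious
CRITICAL_PREFIXES = ("/hr/", "/finance/")    # paths holding business-critical data
LOCKOUT_COUNT, LOCKOUT_WINDOW = 3, timedelta(minutes=10)
BASELINE_MULTIPLIER = 10                     # daily volume > 10x baseline is anomalous
BASELINE_BYTES = {"alice": 3_000_000, "bob": 5_000_000, "carol": 1_000_000}  # constructed

SEVERITY = {
    "after_hours_login": 1,
    "large_download": 3,
    "critical_file_access": 2,
    "repeated_lockout": 2,
    "download_volume_anomaly": 3,
}


def parse(line: str) -> dict:
    """Turn one log line into a dict of fields plus a parsed 'ts' datetime."""
    tokens = line.split()
    fields = dict(t.split("=", 1) for t in tokens[1:])
    fields["ts"] = datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines) -> dict:
    """Apply the rules to every event; return {user: [finding, ...]} for all users seen."""
    findings = {}
    lockouts = defaultdict(list)
    download_total = defaultdict(int)
    for e in (parse(l) for l in lines if l.strip()):
        user, ev = e["user"], e["event"]
        user_findings = findings.setdefault(user, [])
        if ev == "login" and e["ts"].hour not in WORK_HOURS:
            user_findings.append("after_hours_login")
        if ev == "download":
            size = int(e["bytes"])
            download_total[user] += size
            if size > LARGE_DOWNLOAD_BYTES:
                user_findings.append("large_download")
        if ev in ("download", "file_access") and e.get("path", "").startswith(CRITICAL_PREFIXES):
            user_findings.append("critical_file_access")
        if ev == "lockout":
            lockouts[user].append(e["ts"])
            recent = [t for t in lockouts[user] if e["ts"] - t <= LOCKOUT_WINDOW]
            if len(recent) == LOCKOUT_COUNT:  # fire once when the threshold is crossed
                user_findings.append("repeated_lockout")
    # Baseline comparison: normal for one user may be anomalous for another.
    for user, total in download_total.items():
        base = BASELINE_BYTES.get(user)
        if base and total > BASELINE_MULTIPLIER * base:
            findings[user].append("download_volume_anomaly")
    return findings


def respond(user_score: int) -> str:
    """Map a correlated severity score to the article's graded responses."""
    if user_score >= 6:
        return "disable account and isolate device"
    if user_score >= 2:
        return "alert and block data export"
    return "log only"


def triage(lines) -> dict:
    """Return {user: (score, response)} by correlating all findings per user."""
    result = {}
    for user, fs in detect(lines).items():
        user_score = sum(SEVERITY[f] for f in fs)
        result[user] = (user_score, respond(user_score))
    return result


if __name__ == "__main__":
    for user, (user_score, action) in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: score={user_score} -> {action}")
```

Scores are summed per user rather than acted on per rule so that several low-severity signals (an after-hours login, then a critical-file read) escalate together, which is what the correlation rules and pre-configured alerts mentioned above do in a commercial tool.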

At the end of the day, organizations must first define exactly what needs to be protected. Second, they need to understand how best to educate and motivate a security-proactive workforce and select the appropriate insider threat management tool for their organization profile. Lastly, always question, audit and redefine security needs, and never relax controls.