There have been so many stories in the mainstream media about the mounting cyber security risks facing organizations that many people assume that the lion’s share of those risks must be coming from malicious external hackers. It doesn’t help matters that many of these articles on cyber threats are accompanied by a standard stock photo of a hacker in a hoodie, as if to signify that the main threat facing organizations is shadowy and external in nature. Yet, mounting evidence suggests that the real threats are the insider threats already present within your organization.
A new study on insider threats
In fact, a new report from NTT Security suggests that as many as 75 percent of all cyber security threats may be internal in nature. Only 25 percent of threats are from what the researchers deem to be “hostile” sources. Yes, that’s right, the “real” cyber threats for organizations today are insider threats, which can put organizations at risk without employees even realizing it.
The definition of “insider threat” is any threat that originates from workers within the organization as a result of malice, accident or negligence. Thus, workers may intentionally or unintentionally be putting their organizations at risk of a data breach or loss of intellectual property.
Example of malicious insider threats include disgruntled employees sharing sensitive corporate data with competitors or rogue employees gaining access to information for personal gain. These attacks motivated by malicious intent are often the subject of media reports, primarily because these insider attacks are often so sensational or scandalous in nature. In Hollywood movies, these malicious insiders are portrayed as scheming corporate executives, performing all their secret file stealing late at night, when they think that everyone else has left the building.
The “real” insider threats
However, according to the new report from NTT Security (“2017 Global Threat Intelligence Center Quarterly Threat Intelligence Report”), far more prevalent are accidental and negligent activities that unwittingly lead to security breaches, data loss and sensitive information being shared with the wrong people.
Examples of accidental insider threats include employees accidentally including sensitive information in a group email sent out to the wrong people, or opening a phishing email that then exposes a company’s internal systems to further attack. Examples of negligent activities include using easy-to-guess passwords and login credentials; failing to apply important security patches to software; and downloading unauthorized software that leads to virus infections.
In the context of cyber security, the “real” insider threats are exactly these negligent activities that are neither malicious nor accidental. As NTT Security points out, these real insider threats can sometimes lead to damages measured in the tens of millions of dollars.
And, most disturbingly, the scale of these attacks appears to be increasing over time. For example from Q2 2017 to Q3 2017, the number of insider threats increased by 24 percent. The greatest culprit were phishing scams and malware attacks, both of which saw a 40 percent increase from Q2 2017 to Q3 2017.
Three common insider threats and how to prevent them
Given this spike in attacks due to insider sources, what can organizations do to protect themselves, especially in terms of new security measures and new security practices? Security experts generally put a huge premium on educating staff about data protection, data privacy and learning how to recognize popular scams. Here are three categories of negligent users and what can be done to counter them:
Users that bypass controls for convenience or efficiency: Examples of this problem include employees who use cloud storage solutions for sensitive corporate data instead of official corporate data storage solutions. These examples can also include the sharing of user accounts. In both cases, employees think that they have discovered a clever “workaround” that makes their daily life easier. What’s needed here is stronger network-level controls to ensure this behavior doesn’t happen in the first place.
Users that bring their own devices and connect to the corporate network: In the BYOD era, employees are increasingly emboldened to connect each and every mobile device they use to the main corporate network. But this is fraught with peril, since these devices usually have little, if no, control over data security. Often, default security options have been turned off, so employees do not even know that they are running a security risk. The solution here is stronger enforcement of BYOD policies. Employees have to know upfront which devices can be connected to the network, and which cannot.
Users that get phished: It’s all too common that employees get an email from an authoritative-looking source, and assume it’s OK to open. But employees need to be educated about these scams and how they work, and that usually involves realistic user training. In addition, organizations can contact their security vendors for anti-phishing solutions. These solutions for email can often block or filter any emails known to originate from a potentially malicious source.
New thinking about the risks posed by insider threats
The good news is that organizations are getting smarter about information security and insider threats, including those related to the physical security of office environments. And knowledge that once resided only with the CSO or CISO is now being pushed out to the broader organization, thanks to advanced employee training programs. For example, Carnegie Mellon University now offers a Cert Insider Threat Program Manager Certificate. It also runs an Insider Threat blog that explains some of the current threats and trends in the workforce, based on research conducted at the National Insider Threat Center (NITC) that is part of the university’s Software Engineering Institute.
At the end of the day, this new research from NTT Security and the educational programs from universities should help organizations realize the scope of the cyber security problem they are facing today and understand the damage caused by insider attacks. Today, they are not just dealing with shadowy external enemies – they are also dealing with employees who mistakenly assume they are taking perfectly reasonable steps in how they use corporate IT resources. The problem, quite frankly, is that many of these steps are highly negligent and expose the organization to risk. It’s time for organizations to take these real insider threats seriously.