It’s beyond time to ask an uncomfortable question: are your employees your biggest defense or greatest vulnerability against insider threats? How well you defend your data depends on getting this question right.
In a time when cybersecurity threats seem to multiply daily, the old saying made famous by Nirvana is an appropriate anthem: “Just because you’re paranoid doesn’t mean they’re not out to get you.” And while external threats are present and dangerous, insider threats are both common and easy to miss. Management tends to assume, without checking, that employees are loyal and trustworthy, but no organization is immune. It can happen to you. And so the question stands: are your employees your best defense or biggest weakness in the fight against insider threats?
How big of a problem are insider threats, really?
Statistics about insider threats have a way of shattering our rose-colored glasses about employee loyalty. A whopping 94% of organizations experienced an insider breach in the last 12 months. Of those, human error caused the vast majority of breaches (84%). But fully 66% of those that weren’t caused by error originated from a malicious leak. That’s especially concerning since only 28% of IT pros reported being most concerned about “intentionally malicious behavior” as the type of behavior to cause an insider breach. And somewhat surprisingly, 23% of employees surveyed think it’s perfectly within their rights to take company data with them to a new job.
A high-profile case last year showed just how dramatic the consequences of stolen data can be. Two former GE employees came away with prison time and a 1.4 million fine for starting a company based on trade secrets. Guess where those came from? They stealthily downloaded them at work.
True, it’s a dramatic example. Most insider breaches aren’t on such a large scale. But as IT leadership, we hope for the best and prepare for the worst.
Know your enemy: Who are inside actors?
The first step is knowing who poses a threat. An insider is anyone whose internal or remote access already places them behind the system’s firewall or other network defenses. These insiders can be business partners, contractors, vendors, or naturally, employees. They can even be people outside the company who somehow gain access to the premises. Anyone who has access to the network from inside can sabotage your security, misconfigure the system to allow data leaks, or commit IP theft or fraud.
Common devices can also pose a threat when in the wrong hands. For example, most systems don’t alert on the insertion of USB sticks or Bluetooth transmitters by default. This illustrates an important point: there is no one security solution that protects from every type of insider threat. And a second: insider threats are difficult to prevent without first knowing how to recognize the motivations or patterns of potential attackers.
What motivates insiders to act?
What drives the motivations behind an insider threat? The precise answer depends on your organization’s industry, size and the reach of your IT infrastructure. Even so, a few motivators appear time and again across industries and company sizes. Here are a few of the most common reasons an employee might turn into an insider threat.
#1 Error
Error is responsible for the vast majority of insider threats: most inside actors have no malicious intent. Maybe they are careless and don’t follow security protocols. Or they might be totally unaware that their actions could compromise security (we see this most often in non-technical roles).
#2 Confusion about who is responsible for data security
IT leaders know it can be a challenge to impress on users the important role they play in data security. And, some users need more convincing than others. The C-suite is infamous for avoiding security protocols and flouting rules. IT leaders will have a hard time protecting against insider threats unless executives lead by example, and all employees take ownership of data security.
#3 Malicious intent
A malicious insider usually has one goal: to gain from exploiting or sharing company data. They may be a disgruntled employee who got fired, passed over for a promotion, or is angry because a manager took credit for their work. Sometimes, the employee could simply have a grudge against the company or person responsible for data security. Not all IT personnel are winsome and friendly, as much as we’d like to think they are.
#4 Conscientious Objection
Organizations in industries like defense, intelligence or critical infrastructure also have to deal with further risks. The employee you trust with sensitive information might actually be a spy working for a rival organization. And whistleblowers – whether of conscience or not – could share sensitive information with regulatory bodies or even with the public. Think of Snowden, who, although a whistleblower of conscience, did share data he gathered as an insider with access to highly-protected U.S. government systems.
What are the tell-tale risk factors?
In addition to motives, there are a few risk factors that can alert a watchful observer to a potential risk.
#1 User Behavior
IT administrators who monitor employee access can easily spot who logs in at unusual times or from unusual locations. Does your employee normally log into their laptop on their day off? Or why are they logging in from an IP address that traces back to your competitor’s headquarters? Other common warning signs can also be employees who access applications or systems for the first time, employees who start copying large amounts of information, or employees who badge into work at unusual times (they think they’ll get away with taking documents out of the office at 11 p.m. when no one is there).
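The warning signs listed above (off-hours logins, logins from networks a user never uses, first-time access to an application, bulk copying) can be turned into simple rules run over activity logs. The script below is an added example, not code from the original post; the per-user baselines, the 1 GB bulk-copy threshold and the key=value log format are all constructed assumptions, and a real deployment would learn baselines from weeks of history rather than hard-code them.

```python
"""Rule-based insider-risk signals over authentication/activity logs.

Added example (not from the original post). Baselines, thresholds and the
log format are constructed assumptions for illustration.
"""
import ipaddress
import re
from datetime import datetime

# Hypothetical per-user baselines: local working hours (24h), workdays
# (0=Mon..4=Fri), source networks normally used, and applications used before.
BASELINES = {
    "alice": {
        "hours": (8, 18),
        "workdays": {0, 1, 2, 3, 4},
        "networks": [ipaddress.ip_network("10.0.0.0/8")],
        "apps": {"email", "crm"},
    },
    "bob": {
        "hours": (7, 17),
        "workdays": {0, 1, 2, 3, 4},
        "networks": [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.0.2.0/24")],
        "apps": {"email", "fileshare"},
    },
}

BULK_COPY_BYTES = 1_000_000_000  # 1 GB; tune to the environment

# Constructed sample log lines (2024-03-09 is a Saturday, 2024-03-11 a Monday).
SAMPLE_LOG = """\
2024-03-09T23:15:02 user=alice src=203.0.113.7 action=login app=fileshare bytes=0
2024-03-11T10:02:11 user=alice src=10.1.2.3 action=login app=crm bytes=0
2024-03-11T10:30:45 user=alice src=10.1.2.3 action=copy app=fileshare bytes=5200000000
2024-03-11T09:00:00 user=bob src=192.0.2.40 action=login app=fileshare bytes=0
2024-03-11T09:05:00 user=bob src=192.0.2.40 action=copy app=fileshare bytes=120000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) app=(?P<app>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def flags_for(ev, baseline, seen_apps):
    """Return the list of warning-sign flags that fire for a single event."""
    flags = []
    start, end = baseline["hours"]
    if ev["ts"].weekday() not in baseline["workdays"] or not (start <= ev["ts"].hour < end):
        flags.append("off_hours")
    if not any(ev["src"] in net for net in baseline["networks"]):
        flags.append("unknown_network")
    # First-time app access: not in the baseline and not seen earlier in this run.
    if ev["app"] not in baseline["apps"] and ev["app"] not in seen_apps:
        flags.append("first_time_app")
    if ev["action"] == "copy" and ev["bytes"] >= BULK_COPY_BYTES:
        flags.append("bulk_copy")
    return flags


def analyze(log_text):
    """Map each user to a list of (timestamp, flags) for events that raised flags."""
    findings = {}
    seen = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        baseline = BASELINES.get(ev["user"])
        if baseline is None:
            # Unknown users get flagged rather than silently ignored.
            findings.setdefault(ev["user"], []).append((ev["ts"].isoformat(), ["no_baseline"]))
            continue
        seen_apps = seen.setdefault(ev["user"], set())
        flags = flags_for(ev, baseline, seen_apps)
        seen_apps.add(ev["app"])
        if flags:
            findings.setdefault(ev["user"], []).append((ev["ts"].isoformat(), flags))
    return findings


if __name__ == "__main__":
    for user, events in analyze(SAMPLE_LOG).items():
        for ts, flags in events:
            print(f"{user} {ts} {', '.join(flags)}")
```

On the constructed sample, alice’s Saturday-night login from an outside network to an application she has never used raises three flags at once, and her 5.2 GB copy the following Monday raises a bulk-copy flag, while bob’s routine activity raises none. In practice each flag is a signal to review, not proof of wrongdoing; the value is in correlating several of them for the same person over a short window.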
#2 Level of Access
Who in your organization has the highest level of access? If you’re like most organizations, it’s likely your IT administrators. That full control also carries risk – especially if one of them feels undervalued and plans to leave. On their last day, let’s say the IT administrator knowingly installs several unlicensed copies of Microsoft Office. As a parting gift to themselves, they turn whistleblower and inform an organization like BSA | The Software Alliance. They walk away with a nice little percentage of the hefty penalty your company receives for licensing infringement. For smaller organizations, such an insider threat can spell bankruptcy.
#3 Remote Work
As hybrid or fully remote teams go mainstream, insider threats increasingly originate from outside the network. Unless all devices on and off-premises have the same security software and protocols in place, it’s easier for hackers to gain access to devices off-site. If your employees use their own devices, it’s even harder to ensure security. And what if a device gets lost or stolen? Can you remotely wipe all devices? Remote working combined with careless user behavior can also give outsiders inside access. Imagine this scenario at the neighborhood coffee shop: your remote employee settles in for a few hours. Instead of packing up their whole setup to take a bathroom break, they ask the person at the next table to “keep an eye out.” Your employee is gone less than five minutes, but it’s enough time for the friendly neighbor to see valuable information on the screen, take a photo, and tuck it away for later. Any picture of a text document is just as valuable to hackers as the file itself.
Prepare for insider threats before they happen
Sure, it’s not always easy to identify an insider threat persona or risk factor. But if IT administrators aren’t on the alert, the company pays a price. Data loss, security breaches, service outages, or even the cost of legislative penalties can sink an otherwise successful company. And reputational damage can take years to rebuild, if it can be rebuilt at all.
So, we’d like to answer the question from the beginning with another question. In a world where insider threats are increasingly prevalent, what security measures can secure your network from attack – whether your employees are a vulnerability or not? Whether it’s choosing the right type of multi-factor authentication or another security measure, focus on securing your network from insider risks and you’re already a step ahead on preventing insider attacks.