Why every organization should be concerned about insider risk cybersecurity and what we can do about it
The importance of securing an organization against cyber threats has never been more critical. However, one prevalent but often overlooked vulnerability lies not with faceless external hacktivists and nation-state bad actors but within our colleagues and teams.
This insider risk is a growing concern for cybersecurity professionals, as it has the potential to cause significant harm to an organization’s infrastructure and reputation.
Why Should Insider Risk be a Concern?
Insider threats can originate from employees, contractors, or any individual who has legitimate access to an organization’s systems and data. They can be intentional, driven by malicious intent, or unintentional, often resulting from negligence, ignorance, or error.
For instance, consider the 2013 data breach at retail giant Target, resulting from the compromised network credentials of a third-party contractor. The breach led to the theft of credit/debit card information of around 40 million customers, causing immense reputational damage and financial loss.
Similarly, consider the case of Anthony Levandowski, a former Waymo engineer who transferred intellectual property, including 14,000 confidential and proprietary design files relating to Waymo’s self-driving car technology, before resigning to start his own competing company.
These instances, and many more, heavily underscore the potential severity of insider cybersecurity threats, and insider risk cybersecurity needs to be a top concern for businesses for several critical reasons:
- Access to Sensitive Information: Insiders, whether they are employees, contractors, or partners, have authorized access to an organization’s sensitive information, which can include intellectual property, financial data, and personal data of customers. This access provides them with the potential to cause significant damage if misused.
- Ease of Evasion: Traditional security measures often focus on keeping threats out, meaning insiders can easily bypass these defenses. Their actions might also be more difficult to detect because they’re operating from within the system, allowing them to potentially evade security measures designed to identify suspicious external activity.
- Potential for Significant Damage: The harm caused by insider threats can be extensive. Insiders can steal valuable intellectual property, compromise customer data, sabotage systems, or carry out actions that harm the organization’s reputation. Growing Incidence of Insider Threats: The frequency of insider threats is increasing. According to the 2020 Insider Threat Report from Cybersecurity Insiders, 68% of organizations reported feeling vulnerable to insider attacks.
- Unintentional Insider Threats: Not all insider threats are malicious. Employees may accidentally cause security breaches by falling for phishing scams, mishandling data, using weak passwords, or failing to follow security protocols.
These concerns highlight why insider risk management should be integral to an organization’s overall cybersecurity strategy, and one for which it is important to make the c-Suite and those who hold the organization’s purse strings see the value.
Cybersecurity Risk Factors and Types of Insider Risk
Understanding the factors contributing to insider risk in its various forms can help organizations develop effective countermeasures.
- Human Error: This includes actions such as accidentally emailing sensitive data to the wrong person or failing to secure personal devices used for work. The relatively recent rise in remote and hybrid working has introduced a sharp spike in the need for the supervision of unmanaged (BYOD) devices, remote access cybersecurity, cloud protection, and for identity and access management.
- Malicious Insiders: These individuals deliberately abuse their access to steal data or sabotage systems. Various motives, including financial gain, disgruntlement, or coercion by external parties, may drive them.
- Third-Party Risk: Partners, suppliers, or contractors can pose an insider risk if their access to your systems is not adequately controlled and monitored. This can be particularly true during mergers, acquisitions, and divestitures.
- Credential Theft: While technically an external attack, credential theft becomes an insider threat once the attacker uses stolen credentials to gain authorized access to systems – making it critical to protect service accounts and cloud workloads.
Several dominant factors contribute to insider risk cybersecurity vulnerability within any organization. Organizations can significantly mitigate insider risk and enhance their overall security posture by addressing these contributing factors:
- Privilege Creep: You may be the resident ICS/OT security specialist, but do you really need access to that whole folder of confidential reports on the network? Over time, employees may accumulate network access and permissions beyond what’s necessary for their role. This “privilege creep” can enhance insider risk if these excessive privileges are misused or compromised.
- Poor Security Culture: Employees might neglect best practices if a company doesn’t prioritize cybersecurity or cultivate a strong security culture, leading to increased insider risks.
- Lack of User Education and Training: Employees might not be aware of the potential cybersecurity risks or know how to identify and respond to them. Without proper training, they may unknowingly engage in risky behaviors.
- Weak Access Controls: Without robust control over who can access what data, sensitive information may be exposed to employees who don’t need it to perform their duties, increasing the risk of misuse.
- Insufficient Monitoring: If an organization isn’t effectively monitoring user behavior and network activity, it may not detect suspicious activities until it’s too late. Employee Dissatisfaction or Disgruntlement: Disgruntled employees can pose a significant insider threat, as they may feel incentivized to harm the company.
- Third-Party Access: Contractors, vendors, and business partners often need access to a company’s network, potentially introducing additional risk if their access isn’t carefully managed and monitored.
- Bring Your Own Device (BYOD) Policies: While BYOD policies can offer benefits, they can also increase insider risk, as personal devices may not be as secure as company-managed devices, and controlling data flows can be more challenging.
Mitigating the Insider Risk
Effectively managing insider risk involves a multi-faceted approach:
- Create Awareness: Regular training can help employees understand the potential consequences of careless or risky behavior. There may be reticence from colleagues to adopt a zero trust model, and it is important that cybersecurity teams highlight the additional business value to smooth the path to adoption.
- Implement Robust Access Control: Adhere to the principle of least privilege, ensuring individuals only have access to the information necessary to perform their job functions. It is important to consider the advantages of microsegmentation vs. network segmentation, and to select the right approach accordingly.
- Continuous Monitoring: Implement systems to detect abnormal activity or anomalies that could indicate insider threats. For instance, a user downloading large amounts of data could be a red flag.
- Incident Response Plan: Have a plan in place to respond to potential insider threats. This plan should include steps to mitigate damage, investigate the incident, and escalate it to law enforcement if necessary.
As the lines between internal and external network perimeters continue to blur, it’s clear that an inside-out approach to cybersecurity is required. While we cannot eliminate insider risk entirely, understanding its forms and implementing robust control measures can significantly mitigate its potential impact on our organizations.