The Cost of Insider Threats Report by IBM indicates that the overall damage by negligent or malicious employees totals $11.45 million. Whereas intentional insider criminals cause only 14% of the accidents, their damage adds up to $4.08 million—almost a third of the whole sum.
An insider threat is a vulnerability coming from within the organization, as opposed to attacks performed outside the security perimeter. It is usually associated with careless or malevolent employees, yet the culpable actor can be a former worker, business partner, contractor, or board member. The main condition is legitimate access to corporate networks and sensitive data that is put to bad use.
Given the nature of this attack vector, the breach is hard to identify and contain, as the responsibility is distributed between HR, Legal, IT, and other departments—after all, not the criminals, but the members of the community are concerned.
In 2020, General Electric disclosed details of two employees stealing valuable proprietary data and trade secrets. Those insiders later left the company, established their own enterprise, and used the information to gain a competitive edge. Upon investigation, the court has ruled them to pay $1.4 million in restitution to GE. Amazon, Tesla, Facebook, and other major companies have also fallen victims to an insider threat.
“Insider threats are highly dangerous because the performing agents have at least some sort of access to corporate data. Attacks of this kind are very hard to discover, compared to external data breaches. The insider might leak only a fraction of data persistently, remaining undercover for months or years,” says Juta Gurinaviciute, the CTO at NordVPN Teams.
Employees contribute to the attacks
In most insider threat cases, cybercriminals try to get their hands on information—be it clients’ personal data, trade secrets, or company intelligence. However, bad actors can also leverage their status to hamper IT and cybersecurity infrastructure, perform fraud or espionage.
Despite the urge to put the blame on the negligent or corrupted employees, the circle of suspects is much wider. Just think of everyone that has authorized access to any of your business’ data—contractors, clients, or board members. Each of them can become involved in an ongoing attack, either intentionally or unintentionally.
The agents of insider breach can be divided into two major groups. There are turncloaks who deliberately leak data to their personal accounts or sell them to third parties. Using their authorized access, these employees transfer quantities of information and later pass it on to competitors or data brokers.
Next to those traitors are everyday good-doers, who might become involved in bad-natured data extraction schemes. Their mistakes contribute to the traitor’s plan, as it only takes leaving an unsupervised laptop open or launching a macro script within the corrupted .DOC file to successfully perform an attack.
“Knowing the differences between those two categories can help differentiate insider threat from insider risk. The first category refers to a sinister person who might harm the security network and obtain data for their illicit deeds. Insider risk, on the other hand, sees the bigger picture and takes a holistic data-centered approach. The first case is about deliberate action, the other—about the overall vulnerability of each employee,” comments Gurinaviciute.
Look for unusual data transfers
Insider attacks can be difficult to spot, identify, and mitigate. Employers face a trust dilemma, as being overly suspicious of staff impedes productivity and efficiency. On the other hand, a flexible cybersecurity policy and confidence can lead to an incident, taking on average two months to contain it.
Therefore, the best remedy is prevention, so companies should take steps prior to data exposure. Information security officers should look for unusual data traffic in and out of the suspected employee’s devices. They should be vigilant about workers accessing assets and services not related to their job functions, not to mention copying files or emailing them outside of the corporate perimeter.
“Cybersecurity and IT teams can prevent incidents from occurring by monitoring attempts to access sensitive information, changelogs, or transfer excessive volume of data. It is also wise to implement strict identity authentication methods and rely on zero-standing privileges. With them in action, employees can only reach the assets needed to complete a specific assignment—and for a limited time only,” says NordVPN Teams’ CTO.
In the event of an insider-triggered data breach, companies should act in accordance to their established incident containment plan. After identifying the threat and its damage, the information security team should immediately remove all the access privileges granted to the suspected employee, restore the compromised data, and scan for malware.
Enterprises should also inform the authorities about the data breach. If the insider has leaked clients’ or contractors’ information, it might be an additional safeguard if a lawsuit follows.
As insider threats can be non-malicious and performed by ignorant or negligent employees, make sure to arrange engaging and up-to-date training to prevent similar incidents from happening in the future