Cybersecurity is a top consideration for today’s IT managers and business leaders across organizations. According to the FBI, victim losses for internet crimes topped $1.4 billion in 2017, and those numbers are on the rise. Ransomware, corporate data breaches, and email and phishing schemes top the list of threats companies are constantly preparing for.
Yet one of the most important security threats your organization faces may be much closer to home: your own employees. Research from IBM Security suggests that up to 60% of cyberattacks may be due to insider threats. Meanwhile, the Ponemon Institute reports that for mid-size firms with fewer than 500 employees, the average cost per incident was $1.8 million.
Here’s an overview of two of the most common types of insider threats, from inadvertent negligence to malicious intent, and what organizations can do to detect and defend against them.
Insider Threat: Understanding the Scope
When you hear the term “insider threat,” the first image that comes to mind may be a disgruntled employee leaving a back door open for security threats, or even an employee actively engaged in some type of corporate espionage. The reality is that insider threats are often difficult to detect and are part of a spectrum.
Insider threats should be envisioned more as a continuum. On one end, you have individuals who simply are unaware of security best practices or make a mistake. While a data breach is an unintended consequence of their actions, it can be costly and have a serious impact on your business. At the other end of the spectrum, you have individuals who are setting out to harm your organization. Their goals may be manifold, from seeking retribution for perceived wrongs to criminal intent driven by the prospect of outside income.
As you consider your approach to identifying insider threats and how to respond to them, it’s also important to address cultural considerations. The idea of tackling insider threats can be an uncomfortable one. It’s no small thing to accuse an employee of causing a breach, intentionally or not. Their reputation, career and even criminal status are all on the line. It’s important to proceed methodically, having a clear process to back up any concerns. And while these conversations may be uncomfortable, they’re important to have for the long-term sustainability and health of your company.
Unintentional Internal Threats
The largest category of internal cybersecurity threats actually comes from individual employees who didn’t intend any harm. However, they put the company in danger by taking actions that ultimately lead to security threats.
Within this category, there are several issues to look out for:
- Ignoring and not implementing training: Organizations have increasingly ramped up their cybersecurity training and support. However, a percentage of employees may not attend training or take the content seriously.
- Becoming victims of chance: Employees can create a security problem purely by accident, such as losing a company device that holds sensitive data.
- Exhibiting poor decision making: It’s possible that despite all your training and investments, employees will exhibit poor digital decision making. They could forward an email with sensitive company information to the wrong recipient, store company data on an unsecured personal device or click on a link that brings ransomware into your organization.
- Falling victim to targeting: In certain cases, individual employees become the targets of scams, such as email scams impersonating a senior company official or client asking for money, data or other company details.
- Partnering with insecure vendors: Vendors that don’t have the appropriate security protections in place may also be responsible for data leaks and data breaches. When thinking about insider threats, make sure that your planning includes freelancers or agencies that may be embedded with your organization but are using their own systems or not attending in-house security trainings.
If you’re concerned that your organization is at risk from this type of attack, there are several steps you can take immediately to help reduce the risk:
- Make attendance for trainings mandatory and ensure that anyone who has fallen through the cracks receives immediate training.
- Schedule regular training reviews — at least annually — to keep employees updated on changing technologies and emerging threats.
- Leverage endpoint security solutions that help keep individual devices, such as laptops and smartphones, safe. If a device is lost or stolen, the information on the device can be wiped remotely to avoid the risk of data exposure.
- Employ security tools that help keep your network and digital interactions safe. Programs can be used to identify suspicious emails, block insecure websites and capture malware before it ever enters the network. Combining technology with training can lead to the best long-term results.
Malicious Insider Threats
At the other end of the spectrum, companies face the risk from individual employees who do mean to cause the company harm. This can take several forms:
- Insider-aided threats: In this scenario, your internal resource may be working in tandem with another individual or individuals to access company information. They may be working with individuals inside or outside the organization, and sharing information, access credentials or other data to make it easier to perpetrate crimes.
- Individuals seeking financial rewards: Analysts at Gartner noted that a high percentage of malicious insider threats came from employees seeking to profit. Contrary to the idea that employees would take company money or information and then run, their goal was to access information and make money — or a second stream of income — while often remaining in their job and continuing the fraud.
- Unhappy employees: These individuals may be angry at your company for any reason, from being passed over for a promotion to being put on a performance plan. These individuals may knowingly access protected information, create security gaps or even seek to sell internal secrets to the highest bidder.
- Former employees: In companies where access credentials are not carefully managed, former employees may pose a threat. Whether they’re logging on to utilize company resources or searching for confidential information, past employees represent a considerable risk if their digital access isn’t carefully overseen.
Preventing malicious insider threats requires a dedicated insider-threat prevention program. Some of the key elements to consider here include:
- Don’t stop at employee training. Consider implementing an employee monitoring solution. For example, this solution might flag when employees access files they’re not supposed to or forward large amounts of sensitive data to an off-company address.
- Carefully manage permissions, including tiered permissions for sensitive information and terminating access for employees who have left your company.
- Educate your IT department about the range of behavioral patterns associated with insider crimes such as fraud, intellectual property theft and knowingly configuring software to promote data breaches.
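As an added illustration (not code from the original article), the following Python sketch turns the monitoring and permission controls just described into three concrete detection rules run over constructed audit events: activity from a terminated account, file access outside a user’s permitted tier, and bulk outbound email to addresses outside the company domain. The event format, the domain, the groups and the byte threshold are all assumptions chosen for the example.

```python
# Added example, not from the original article. Field names, domain, groups and
# thresholds are assumptions for illustration only.
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"           # assumed corporate mail domain
EXTERNAL_BYTES_THRESHOLD = 50_000_000     # assumed: flag > 50 MB/user/day sent externally

# Constructed sample audit events: (user, action, target, size_bytes, day)
EVENTS = [
    ("alice", "email_send", "partner@example.com",   2_000_000, "2024-05-01"),
    ("alice", "email_send", "me@webmail.example",   30_000_000, "2024-05-01"),
    ("alice", "email_send", "me@webmail.example",   25_000_000, "2024-05-01"),
    ("bob",   "file_read",  "/finance/payroll.xlsx",         0, "2024-05-01"),
    ("carol", "file_read",  "/eng/design.pdf",               0, "2024-05-02"),
    ("dave",  "file_read",  "/eng/design.pdf",               0, "2024-05-02"),
]
TERMINATED = {"dave"}                                   # accounts that should already be disabled
FILE_TIERS = {"/finance/": "finance", "/eng/": "eng"}   # path prefix -> group allowed to read it
USER_GROUPS = {"alice": {"eng"}, "bob": {"sales"}, "carol": {"eng"}, "dave": {"eng"}}


def is_external(address):
    """True when a recipient address is outside the corporate mail domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def detect(events):
    """Return a list of (rule, user, detail) alerts for the supplied events."""
    alerts = []
    outbound = defaultdict(int)   # (user, day) -> bytes sent to external recipients
    for user, action, target, size, day in events:
        # Rule 1: any activity from an account that should have been terminated.
        if user in TERMINATED:
            alerts.append(("terminated_account_activity", user, target))
        # Rule 2: accumulate external email volume per user per day.
        if action == "email_send" and is_external(target):
            outbound[(user, day)] += size
        # Rule 3: reads of tiered paths by users who are not in the owning group.
        if action == "file_read":
            for prefix, group in FILE_TIERS.items():
                if target.startswith(prefix) and group not in USER_GROUPS.get(user, set()):
                    alerts.append(("out_of_tier_access", user, target))
    for (user, day), total in outbound.items():
        if total > EXTERNAL_BYTES_THRESHOLD:
            alerts.append(("bulk_external_transfer", user, f"{total} bytes on {day}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Real deployments would read these events from mail gateway and file-server audit logs and tune the threshold to the organisation’s normal traffic; the rules are deliberately simple so the mapping to the controls above is visible.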
The biggest security risks may not be outside your organization. They might be sitting in the office or cubicle next to you. IT managers and business leaders can help prevent disastrous consequences by taking a proactive approach to this important dimension of cybersecurity.