From day one, we have said that employees are the weakest link in the cybersecurity chain for an organization. In a recent webcast, Michael Gelles and Robert McFadden of Deloitte Consulting LLP highlighted just how big of a threat “insiders” are to an organization's cybersecurity well-being.
Insider Threats
The term “insider threats” often refers to individuals who use their knowledge of or access to an organization and its systems to deliberately perpetrate wrongdoing, whether fraud, sabotage, theft or a violent act. These individuals may be current or former employees, contractors, or employees of third-party service providers.
However, insider threats are not all the same. There are three types of insider threats:
- Malicious Insiders: These are the least frequent, but have the potential to cause the most damage due to their insider access. Administrators with privileged identities are especially risky.
- Exploited Insiders: This refers to employees who may be tricked by external parties into providing sensitive data that shouldn't be shared.
- Careless Insiders: The type of insider seen most frequently within an organization. This person may be a new employee who doesn't know their organization's policies or an employee who is aware of the organization's policies but has become complacent about them.
Insider Threat Statistics
In a study titled “The Widespread Risk of Insider Threats” the following data was collected:
- 97% of insider threat cases involved an employee whose behavior a supervisor had flagged, but that the organization had failed to follow up on.
- 92% of insider threat cases were preceded by a negative work event, such as a termination, demotion, or dispute with a supervisor.
- 90% of IT employees indicate that if they lost their jobs, they'd take sensitive data with them.
- 59% of employees who leave an organization voluntarily or involuntarily say they take sensitive data with them.
- 51% of employees involved in an insider threat incident had a history of violating IT security policies leading up to the incident.
Let's take a moment to review the above statistics. I think it's safe to say that we are our own worst enemy. There are two trends we can take away from the study. One, we aren't doing a good enough job (statistics actually show that we aren't doing this job at all) of monitoring the activity of our employees. With the evident threat of cybersecurity issues being in the limelight as of late, you would think this would be a major priority of managers and high-level executives. However, this leads us to our second trend that we can identify. If an employee has a negative experience at work, such as being flagged for their suspicious work behavior, statistics show that nine out of ten cases could lead to an insider threat occurrence. That has to be an extremely daunting area of concern for managers and executives to analyze. How do you manage your insider threats without unintentionally creating an insider threat?
The Stakes
The stakes of becoming the next big breach in the news are higher than ever. Cybercriminals are making very lucrative careers out of breaching networks and stealing personally identifiable information. As we become an increasingly information-based economy, securing your network and sensitive data are more critical than ever to any organization's survival. In 2015, it was estimated that 58% of all data security threats came from the extended enterprise (employees, ex-employees, and trusted partners). Statistics also showed that an insider attack costs a company over $400,000 per incident and approximately $15 million in annual losses per company. Some incidences have gone on to cost a company more than $1 billion.
Whether you are dealing with a malicious, exploited or careless insider, they all end with unauthorized users having access to your company's sensitive data. Below are “12 Steps to Future Proofing Your Internal Security” from IS Decisions:
- Educate Users: More training in more innovative, engaging ways, as well as the right technology to grow awareness.
- Use Technology: The majority of IT professionals will be spending more on security technology in the near future, with technology and tools being the most common element of any insider threat
- Consider Partners & Supply Chains: When we say users, we do not just mean immediate employees. Anyone who has access to your network has to be subject to the same process and restrictions, or there is little point in having them in place.
- Include a Post Employment Process: As we can see from the statistics above, this one is extremely important! Ensure that a process is in place that makes sure ex-employees can no longer access the organization's systems or data as soon as they have ceased employment.
- Consult External Sources: Analysts, media, and organizations dedicated to cybersecurity (like WatchPoint) can help you gain an objective view of how to structure your insider threat.
- Stay Up-To-Date: The technologies and thinking involved in combating insider threat are evolving as quickly as the threat itself, so it is imperative to stay informed.
- Educate Senior Management: Senior-level management should be just as educated as lower level management and employees about insider threats and cybersecurity in general (check out our article on “whaling”).
- Get C-Level Commitment and Buy-In: The commitment to enforcing your policies must go to the top of an organization so that it can be properly enforced at all levels.
- Implement Greater User Access Restrictions & Control: The more restrictions there are, the smaller the surface of attack.
- Generate User Alerts: Generating alerts is especially useful when a user's activity triggers suspicious behavior, so users learn to know what is and what isn't good
- Take a Multi-Layered Approach: Biometrics (fingerprints), two-factor authentication, etc. all make it harder (but not impossible) for an unauthorized user to access sensitive data.
- Be Transparent – Externally & Internally: A good internal security policy is one that is transparent and properly communicated to all employees. But you should also ensure that you communicate your approach to security externally as well.
Customers are increasingly going to be scrutinizing companies on their approach to security, so it helps to be able to show them that you have the right attitude about keeping their data safe.