Fighting Insider Threats on Two Fronts
Our new eBook, I’ve Been Breached! Now What?, contains a wealth of information on what it means for an organization to experience a data breach in 2015 – the number of records they can expect to be compromised, the costs associated with recovery and remediation, and so on.
It also points out how it’s a mistake to think that all data breaches are caused by outsiders with highly sophisticated hacking techniques at their disposal. In reality, just 45 percent of cybersecurity incidents can be pinned on external attackers – the rest are essentially inside jobs.
Since publication, we’ve seen at least a couple more reports surface that speak of the ubiquity and gravity of insider threats in the business landscape today.
There’s Kaspersky Lab and B2B International’s IT Security Risks Survey, for example, which found that almost three-quarters (73 percent) of organizations have been on the receiving end of insider attacks – and that these attacks are the most common cause of confidential data loss overall.
Similarly, the Clearswift Insider Threat Index showed that 40 percent of organizations anticipate an insider-led data breach within the next 12 months, with 72 percent of security professionals expressing the belief that internal risks simply aren’t treated with the same level of importance as outsider threats by their boards.
It’s fairly easy to understand why insider threats are underestimated and deprioritized in this way. After all, everybody wants to think that their organization has high enough employee morale and strong enough security policies to avoid a data breach originating from within.
The trouble is, the term ‘insider threats’ actually describes a broad category of risks that can be extremely costly to a business, and that take a lot of work to defend against sufficiently.
The Two Types of Insider Threat
It’s possible to divide these risks into two camps. Firstly, there’s the malicious insider – the disgruntled employee, politically motivated hacktivist or opportunistic thief who intentionally causes a cybersecurity incident, either out of a desire to damage the organization or to make personal gain from its data.
Edward Snowden is perhaps the best-known example, but it’s far from just government agencies like the NSA that ought to worry about malicious insiders. In 2012, for example, an engineer at EnerVest knocked the company’s servers offline for a month after learning he was going to be terminated. And between 2013 and 2014, employees of AT&T leaked data on around 280,000 US customers as part of a scheme to unlock and sell stolen cellphones.
The other type of insider threat is the inadvertent actor. These individuals aren’t malicious, but their carelessness – sending emails to the wrong person, failing to dispose of confidential data, uploading information to a public website – leads to data breaches anyway. These are practically day-to-day occurrences at many organizations and can cause untold trouble in the most serious cases.
Fighting the two types of insider threat calls for a highly specific set of security measures.
For one thing, organizations need to adopt the principles of zero trust to combat malicious insiders at the network level. Individuals should only ever have access to the resources they need to do their job, and this access should only ever be granted in reasonable contexts. Otherwise, there’s nothing stopping them from spending their downtime trawling entire network segments for sensitive information.
Secondly, in order to avoid data breaches caused by careless behavior, organizations need strong content-level security. By encrypting, tracking and restricting access to files that contain sensitive information, they can mitigate the consequences of misdirected emails and similar incidents. Better still, if this process is automated, they can remove the scope for human error from the equation entirely.
Is your organization fighting insider threats on these two fronts? Or have you left yourself open to attack by underestimating the risks?