Insider threats and the danger they pose are extremely well-publicized and well-covered topics. Apart from the famous NSA leak by Edward Snowden, there are also strong rumors that several high-profile data breaches and leaks of the past couple of years have involved malicious insiders (Ashley Madison and Mossack Fonseca, to name a few cases).
Logic dictates that all of this awareness should translate into action. And while cyber security software companies keep creating new solutions and cyber security providers keep developing best practices to effectively combat such threats, companies are not in a hurry to adopt these measures. In fact, the reality is the opposite: most companies, regardless of size, heavily prioritize network security threats, while measures to minimize cyber insider threats are put on the back burner in the best case and are not even on the horizon in the worst.
Insider threats are more frequent than you think
The fact is, while companies are well aware of the danger, the threat itself is highly underestimated. There are a lot of reports of high-profile hacks, breaches and DDoS attacks on large businesses conducted by malicious outsiders. At the same time, breaches from the inside are reported mostly by government organizations, as well as healthcare and financial institutions.
This leads many private companies, small ones in particular, to falsely think that they are not a target. In reality, this is not the case. The NetDiligence Cyber Claims study found that insiders were involved in 32% of the cyber security incidents reported last year.
So why do incidents involving malicious insiders get underreported? There are several reasons:
- Damage mitigation. The fact that your company is vulnerable can be a huge blow to its reputation. Matters are worse still when the source of vulnerability is your own employees. Such news may prompt clients to find another offer and investors to pull out. It’s much more beneficial to not say anything at all whenever possible, or at least stay vague on details.
- They are very hard to detect. More often than not, breaches go unreported because companies themselves don’t know about them. Malicious insiders often operate for years, slowly stealing sensitive data or using it for their own gain, and when the breach finally gets discovered, it can take a lot of time to assess the actual extent of what has been compromised. In fact, many breaches reported today actually happened several years ago and have only just now been discovered.
- They are very hard to prove. Even if the breach has been detected, it can be very hard to find the perpetrators. Investigations often turn up inconclusive results, and even in cases when the insider has been found, proving their guilt in court is often problematic. Thus, there is little benefit in reporting the crime when the perpetrator cannot be punished or sued for damages.
Of course, the reasons mentioned above are most relevant for companies that have not put the necessary measures to detect and combat insider threats in place, since they are the ones that most often become the victims of such attacks.
Danger of inadvertent insiders
However, malicious insiders are not the only type of insider threat out there. According to the Forcepoint 2016 Global Threat Report, inadvertent errors or negligence by employees constituted almost 15% of all data breaches last year.
Often unaware of basic security practices, employees tend to accidentally leak sensitive data, damage data or make inadvertent adverse changes to critical systems. Even more importantly, employees often become the proxy through which either a malicious insider or an outsider can gain access to the system. By falling for phishing, spam e-mails, and other social engineering techniques, they often hand over their credentials to perpetrators themselves.
Challenges of dealing with insider threats
Dealing with inadvertent insiders is just as hard as dealing with malicious ones, as both pose similar challenges. It requires a unique set of tools and practices to be implemented, and can only be done when the company fully realizes and acknowledges the danger of insider threats in cyber security and knows how to combat them.
All of this is due to the fact that insiders have legitimate access to sensitive data, with which they work on a daily basis. Therefore, it is very hard to distinguish any malicious actions on their part from the usual everyday routine. Whether your system administrator is performing a regular backup or copying data to external storage in order to steal it and sell it, there is almost no way for you to know.
Moreover, it is also almost impossible to distinguish between deliberate malicious actions and inadvertent mistakes. This not only allows malicious insiders to simply say that they made a mistake and get away with murder, but also means that inadvertent insiders may be prosecuted for malicious actions when in reality the data breach happened because of negligence, or even an honest mistake.
Myths about insider threat protection
The only way to solve the issue of insider threats in cyber security is to incorporate proper protection measures that will give your company the ability to not only detect insider threats and investigate them, but also prevent incidents in the future. However, as mentioned earlier, not a lot of companies go for it.
According to the 2016 Insider Threat Spotlight Report, 74% of organizations that participated in the questionnaire are vulnerable to insider threats. One of the reasons for their lack of proper protection is a set of preconceived notions about insider threat mitigation that many of these companies hold, most of which are decidedly false.
The following myths are very widespread when it comes to insider threat prevention and protection:
- My company is not a target. We already touched on this above. While there are not as many reports of private commercial companies being hit by insiders, it doesn’t mean that this doesn’t happen. In fact, the opposite is true: every company is a target, regardless of its size or the industry it operates in.
- It is not worth the money. Many companies feel that investing in security is not that important in terms of the bottom line. Security is usually viewed as a sinkhole where money disappears without any return. Therefore, costs are cut whenever possible, and insider threat protection measures are usually among the first to go under the knife. However, the 2016 Insider Threat Spotlight Report shows that 75% of companies on average spend $500,000 or more to mitigate incidents involving insider threats. It is widely known that insider attacks are the costliest ones to remediate, thus it is very beneficial in the long run to invest some money in insider threat protection.
- It is expensive. A lot of small and medium-sized companies don’t implement any insider threat protection measures because they consider them too expensive to afford. It is true that there are a lot of solutions out there, particularly in the user action monitoring space, that target large enterprises and are just too expensive for small companies to deploy. But not everybody knows that there are a number of very affordable alternatives available.
- Background checks are enough. Many companies think that basic measures, such as physically securing the server location and conducting background checks, are enough to protect from insider threats. While both of these measures are necessary, they don’t exactly provide reliable protection. Sometimes people get recruited by a competing firm, or they simply see an opportunity and decide to take it, or even make an honest mistake. You need a way to detect and investigate such incidents, and only the full set of insider threat protection measures gives you that.
- It is too complex. Many companies think that any security procedures and security solutions are too complex and that they will either take a lot of money and a lot of time to educate personnel, or will disrupt the regular workflow. In reality, there is insider threat management software out there that is fairly simple to use and can be used without any training. At the same time, educating your employees on best security practices will save you money in the long run, as it helps prevent mistakes and negligence and makes your company much less susceptible to attacks from both inside and outside.