While a 2017 Harvey Nash/KPMG survey of nearly 4,500 CIOs and tech leaders globally found that cyber security vulnerability is at an all-time high, the biggest jump in threats came from insider attacks which increased from 40 percent to 47 percent over the last year. And that’s a modest estimate; reports from an IBM Security survey suggested that 60 percent of all attacks were carried out by insiders. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors.
The problem with insider threats
We know that modern cyber criminals have increasingly sophisticated means (and money) at their disposal to attack their victims and are continually raising the bar against which organizations have to defend themselves. Insider threats, like the disgruntled employee who steals the photocopier after being terminated, have been around for a long time now. But it’s getting worse, and one of the reasons is that organizations are not ensuring employees get security awareness training. In a Crowd Research Partners study, 62 percent of respondents said that lack of employee training / awareness was to blame for the rise in insider threats.
Regulatory measures to force organizations to implement insider threat awareness training are already on the horizon. The Harvard Business Review warns that “businesses slow to adopt stronger security measures may find themselves pushed into it by regulators. The latest regulations promulgated by the New York State Department of Financial Services, for example, require that covered businesses ‘provide regular cyber security awareness training for all personnel.’”
Let’s take a look at the nature of insider threats and why IT leaders are increasingly concerned that insider threats may be one of the biggest risks to an organization’s cyber security.
Types of insider threats
There are two main categories of insider threats:
- Careless or untrained users (accidental):
  - These users are not intentionally malicious.
  - They may be negligent, sloppy about their security (e.g. attaching their password on a Post-it note to their monitor), accident-prone (losing a laptop) or just in a great big hurry (opening malicious attachments unthinkingly).
  - They are usually undertrained and have not been on any security awareness training courses.
  - These are the guys who often fall victim to social engineering.
  - This group includes third-party workers, interns and volunteers.
- Malicious users (deliberate) include:
  - Criminal agents who pose as legitimate employees,
  - Disgruntled employees looking to retaliate against an employer,
  - Employees planning on starting a competitive business,
  - Legitimate employees tempted to “beat the system” (privilege abuse),
  - Employees who want to blackmail an organization for financial or political reasons,
  - Employees looking to make some money on the side (personal information on the black market is very lucrative),
  - Compromised legitimate employees (e.g. that are being blackmailed), and
  - Tech-savvy employees who like the challenge of breaching the system.
The CERT Insider Threat Centre found that the three most common insider threats were:
- Theft of trade secrets or customer information to be used for business advantage or to give to a foreign government or organization.
- Modifying or stealing confidential or sensitive information for personal gain.
- Sabotage of an organization’s data, systems or network.
Research by IS Decisions revealed that:
- 42 percent of IT professionals thought ignorant users posed the greatest security risk to their organization.
- 52 percent of employees see no security risk to their employer in sharing work logins.
In a study, Crowd Research Partners found that:
- Privileged IT users, such as administrators with access to sensitive information, pose the biggest insider threat (60 percent), followed by contractors and consultants (57 percent), and regular employees (51 percent).
- Inadvertent data breaches (71 percent) top the list of insider threats that companies care most about. Negligent data (68 percent) and malicious data (61 percent) breaches come in a close second and third.
But, enough of statistics; you get the picture: the insider threat is a big one.
What you can do
- Use User and Entity Behavior Analytics (UEBA) to monitor behavior and actions
- Control user access and use two-factor authentication.
- Have fewer privileged users.
- Create a security culture of awareness.
- Know your users and watch for behavioral changes.
- Perform background checks on all users.
- Educate employees about security.
- Address cyber security in SLAs.
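Two of the items above, watching for behavioral changes and the finding that many employees share work logins, can be turned into simple detection logic. The following is an added example written for this post, not code from the post's author or from any UEBA product; it runs over a constructed audit log (the users, IPs and counts are made up) and flags a privileged user whose sensitive-record reads spike above their own baseline, and an account that logs in from two different hosts within minutes.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def build_log():
    """Constructed sample audit log: (timestamp, user, source IP, action). Not real data."""
    log = []
    # alice (a privileged user) reads 2-4 sensitive records a day for five days, then 12 on day six
    for day, n in {1: 2, 2: 3, 3: 2, 4: 4, 5: 2, 6: 12}.items():
        for i in range(n):
            log.append((f"2017-06-0{day} {9 + i // 2:02d}:{(i % 2) * 30:02d}", "alice", "10.0.0.5", "read_sensitive"))
    # bob's account logs in from two different hosts four minutes apart (shared-login pattern)
    log.append(("2017-06-06 11:00", "bob", "10.0.0.9", "login"))
    log.append(("2017-06-06 11:04", "bob", "192.168.7.3", "login"))
    log.append(("2017-06-06 11:30", "carol", "10.0.0.2", "login"))
    return log

def spike_alerts(log, z=2.0):
    """Flag users whose latest-day count of sensitive reads exceeds mean + z*stdev of their earlier days."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, _ip, action in log:
        if action == "read_sensitive":
            daily[user][ts[:10]] += 1  # bucket by calendar day
    alerts = []
    for user, per_day in daily.items():
        days = sorted(per_day)
        if len(days) < 4:
            continue  # too little history to baseline this user
        history = [per_day[d] for d in days[:-1]]
        latest = per_day[days[-1]]
        threshold = mean(history) + z * pstdev(history)
        if latest > threshold:
            alerts.append((user, days[-1], latest, round(threshold, 1)))
    return alerts

def shared_login_alerts(log, window_minutes=10):
    """Flag accounts seen logging in from two different source IPs within a short window."""
    logins = defaultdict(list)
    for ts, user, ip, action in log:
        if action == "login":
            logins[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), ip))
    alerts = []
    for user, events in logins.items():
        events.sort()  # chronological, so adjacent pairs are consecutive logins
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 != ip2 and t2 - t1 <= timedelta(minutes=window_minutes):
                alerts.append((user, ip1, ip2))
    return alerts
```

Calling `spike_alerts(build_log())` and `shared_login_alerts(build_log())` returns the two alerts; a real deployment would tune `z` and the login window per user population rather than use these constants.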
But is this enough?
This blog continues in Part 2. In the next post I will dive deeper into the organizational and cognitive biases that can lead people to downplay threats, as well as some of the challenges and approaches to effective security awareness training. Read Part 2.