It all began innocently enough when a Tesla employee received an invitation from a former associate to catch up over drinks. Several wining and dining sessions later, the old acquaintance made his real intentions clear: he offered the Tesla employee $1 million for smuggling malware into the automaker’s computer network in a a scheme that, if successful, would have enabled a cybercrime ring to steal vital data from Tesla and hold it ransom. Fortunately, the plot fell through after the employee did the right thing – reporting the offer to his employer and working with the FBI on bringing his old associate to justice.
However, this outcome shouldn’t obscure the fact that it could all easily have gone the other way. Indeed, the attempted attack was a reminder that employees are not only an organization’s biggest asset, but often also its biggest cyber-risk – and a risk that often flies under the radar.
A few statistics will help drive the point home. According to Verizon’s 2023 Data Breach Investigations Report (DBIR), 19% out of roughly 5,200 data breaches examined in the study were caused by internal actors. Meanwhile, Ponemon Institute’s survey of 1,000 IT and IT security professionals from organizations that had experienced “material events caused by an insider” found that the number of insider-related security incidents had increased by 44 percent in just two years. Its 2022 Cost of Insider Threats Global Report pegged the number of these events at more than 6,800, with impacted organizations spending $15.4 million annually on insider threat remediation.
The attack surface widens – for insider threats, too
Acute cyberthreats such as software supply-chain attacks, business email compromise (BEC) fraud and other scams that leverage stolen employee logins, together with ransomware and other attacks that are often facilitated by a thriving cybercrime-as-a-service business model, have pushed cybersecurity to the top of boardroom agendas.
With the rush to digital transformation, the shift to cloud-powered flexible working arrangements and a growing reliance on third-party suppliers, the attack surface of every organization has expanded considerably. The cybersecurity landscape is now more complex than ever, and as attackers relentlessly take advantage of this complexity, pinpointing and prioritizing the most critical risks isn’t always a straightforward proposition.
Muddying the waters further, keeping external attackers at bay is often just half the battle. Insider threats don’t typically get “top billing” even if the impact of an insider-led incident is often even more dire than the impact of an incident caused solely by an external attacker.
An insider threat is a type of cybersecurity threat that comes from the depths of an organization, as it typically refers to an employee or contractor, both current and former, who might cause harm to a company’s networks, systems or data.
Insider threats typically fall into two broad types – intentional and unintentional, with the latter further broken down into accidental and careless acts. Studies show that most insider-related incidents are due to carelessness or negligence, rather than malice.
The threat can take many forms, including the theft or misuse of confidential data, destruction of internal systems, giving access to malicious actors, and so on. Such threats are usually motivated by several factors, such as financial, revenge, ideology, negligence or straight-up malice.
These threats pose unique security challenges as they can be difficult to detect, and even harder to prevent, including because insiders have a much greater window of opportunity than external attackers. Naturally, employees and contractors require legitimate and elevated access to an organization’s systems and data in order to do their jobs, meaning that the threat may not be apparent until the attack actually occurs or after the damage is done. Insider are also often familiar with their employer’s security measures and procedures and can circumvent them more easily.
Furthermore, even though security clearances require background checks, they do not strictly account for the personal state of mind, as that can change as time goes on.
Nonetheless, there are certain measures an organization can take to minimize the risk of insider threats. They rely on a combination of security controls and a culture of security awareness and span tools, processes and people.
Preventive measures to mitigate the risk of insider threats
These measures are not the be-all and end-all of cybersecurity, but they will go a long way towards shielding organizations from insider threats.
Implement access controls: Implementing access controls such as role-based access control (RBAC) can help limit access to sensitive data and systems to only those employees who need it to perform the duties of their jobs. By granting access only to those employees who require it for their job duties, a company can significantly decrease its exposure to insider threats. It’s also essential to regularly review these access privileges so that access levels remain appropriate and aligned with employees’ roles.
Monitor employee activity: Implementing monitoring tools to track employee activity on company devices or their network can help identify suspicious behavior that may be indicative of an insider threat. Monitoring can also help detect any unusual data transfers or abnormal patterns of access to sensitive systems and data. However, make sure to ensure compliance with local regulations and establish clear guidelines regarding monitoring to address potential concerns about privacy.
Conduct background checks: Conducting background checks on all employees, contractors and vendors before granting them access to sensitive and confidential data can help identify any potential risks. These checks can also be used to verify an individual’s employment history and criminal record.
Organize security awareness training: Providing regular security awareness training to employees is instrumental in helping increase their understanding of cybersecurity risks and how to mitigate them. This can help reduce the likelihood of accidental insider threats, such as falling prey to phishing.
Data Loss Prevention: Implementing a DLP system can help prevent data loss or theft by monitoring, detecting and blocking any unauthorized transfer or sharing of sensitive data. This can help reduce insider threats but also protect confidential data. The caveat here, though, is that DLP providers are also in the attackers’ crosshairs, so that is an added worry.
To note, none of these measures alone are foolproof, and no single solution can completely eliminate insider threats. But by implementing a combination of these measures, and by regularly reviewing and updating security policies, businesses can significantly reduce their exposure to insider threats.
Top pick: security awareness training
This is a top pick from the described measures for several reasons. First of all, these trainings help businesses save some money by reducing the risk of unintentional insider threats.
Most often, employees are not aware of certain cybersecurity risks and may unwittingly click on a phishing link, download malware or share confidential internal data, leading to data breaches or other incidents. By providing regular training to employees, these types of incidents can be prevented, reducing the costs associated with this insider threat as well as the reputational damage associated with breaches and legal troubles.
Furthermore, providing security awareness training can improve both personal cyber hygiene and the overall security standings of a company, leading to increased efficiency and productivity, as employees trained to recognize and report security incidents can help detect and mitigate security threats early on, reducing their impact and costs associated with them.
However, implementing a combination of measures tailored to a company’s specific needs is still the best approach to combat insider threats and save costs in the long term.