In June 2018, a former employee of the global conglomerate Coca-Cola was found in possession of confidential files that she had been exfiltrating from the organization for five years during her employment. The damage to Coca-Cola was estimated at 119 million dollars. This is one of many horror stories in which a trusted insider caused a data breach.
Insider risk management has since become a crucial component of cyber security for many organizations. Insider threats are harder to spot than malware or brute-force breaches, and they require specialized permission policies and capable monitoring software to detect and address them before a serious breach takes place.
Insider Threats Defined
A recent global study by the Ponemon Institute identified three key sources of insider threats to businesses. In each of them, confidential information was compromised by someone who had legitimate authorization to access the compromised system and/or information; the threats, as the name suggests, arose from inside the organization.
These kinds of threats are particularly troublesome and notoriously hard to detect without real-time monitoring and strictly enforced operating procedures.
Every organization has a set of rules and best practices when it comes to cyber security. The first source, employee negligence, is employees not adhering to these prescribed cyber security policies and procedures. Whether by leaving a workstation unattended or sharing confidential information with external parties, negligent employees can cause damage. This kind of insider threat is by far the most prevalent, and the work-from-home model has made it somewhat worse.
It is a natural evolution for employees to be given increased access to information and resources as their roles evolve. Not all employees are benevolent, however: the second source is the malicious insider, someone within the organization who would deliberately exploit it for nefarious reasons.
When employees are implicitly trusted with confidential information, the risk of malicious activity is greater. Organizational cyber security policies should therefore be adhered to regardless of an employee's seniority, bearing in mind that this kind of risk can originate from any employee.
The third source of insider threat is a legitimate user account that has been compromised. Although the threat actor may be accessing the organization from an external network, the user account is still recognized as an internal user because of what it is. This kind of insider threat occurs less often than the two listed above, but cyber security specialists worldwide agree that it is steadily rising relative to other insider threats.
Threat actors are becoming more creative in the ways they use social engineering to gain access to authorized employee user accounts. Apart from being difficult to detect, such threat actors often know exactly what they are looking for, which makes this kind of internal threat extremely dangerous.
Indications That Your Business Might be at Risk
Since insider threats are for the most part driven by the human element, it should come as no surprise that most key risk indicators of insider threats are qualitative. Insiders are not identified through the usual means such as firewalls and intrusion detection systems.
Some key indicators should nevertheless raise red flags, typically a sudden change in an employee's data consumption habits. Such changes can be surfaced by monitoring software combined with strong access management, such as least privilege and zero trust. Examples include:
- Attempts to access and download large volumes of data and institutional knowledge.
- Employees who repeatedly try to access resources they are not authorized to use.
- Emailing confidential information to recipients outside of the organization.
- Unsanctioned use of mass storage devices on managed infrastructure.
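The four indicators above are the kind of signals a monitoring tool derives from audit logs. The following is an added example, not code from the original article or from any product it mentions: a small Python detector run over a constructed audit log that flags a download volume far above a user's own baseline, repeated access denials, confidential mail sent to an external domain, and mounting of a mass-storage device that is not on an allow-list. The log format, the internal mail domain (corp.example), the sanctioned device id and the thresholds are all assumptions chosen for the example.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample audit log (CSV). Columns: date,user,event,detail
#   download            detail = bytes transferred
#   access_denied       detail = resource the user was refused
#   email_confidential  detail = recipient of a message carrying a confidential label
#   usb_mount           detail = identifier of the mass-storage device mounted
SAMPLE_LOG = """\
date,user,event,detail
2024-03-01,alice,download,120000
2024-03-02,alice,download,95000
2024-03-03,alice,download,110000
2024-03-03,alice,email_confidential,legal@corp.example
2024-03-04,alice,download,130000
2024-03-05,alice,download,9800000
2024-03-01,bob,download,50000
2024-03-02,bob,download,60000
2024-03-03,bob,access_denied,finance/forecast.xlsx
2024-03-03,bob,access_denied,finance/payroll.xlsx
2024-03-04,bob,access_denied,hr/salaries.csv
2024-03-04,bob,email_confidential,partner@external-example.net
2024-03-05,carol,download,70000
2024-03-05,carol,usb_mount,usb-serial-4C530001
2024-03-05,carol,email_confidential,carol.home@mail-example.org
2024-03-05,dave,usb_mount,usb-serial-ALLOWED01
"""

INTERNAL_DOMAINS = {"corp.example"}        # assumption: the organisation's own mail domains
SANCTIONED_USB = {"usb-serial-ALLOWED01"}  # assumption: allow-listed device identifiers
SPIKE_FACTOR = 5.0       # flag a day whose volume exceeds 5x the user's median daily baseline
MIN_BASELINE_DAYS = 2    # require this many prior days before judging a spike
DENIED_THRESHOLD = 3     # flag users refused access this many times or more


def parse_log(text):
    """Parse CSV audit lines into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def download_spikes(rows):
    """Users whose daily download volume jumps far above their own history."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["event"] == "download":
            per_user_day[r["user"]][r["date"]] += int(r["detail"])
    flagged = set()
    for user, days in per_user_day.items():
        history = []
        for day in sorted(days):  # ISO dates sort chronologically
            if len(history) >= MIN_BASELINE_DAYS:
                baseline = statistics.median(history)
                if days[day] > SPIKE_FACTOR * baseline:
                    flagged.add(user)
            history.append(days[day])
    return flagged


def repeated_denials(rows):
    """Users who keep hitting resources they are not authorised for."""
    counts = defaultdict(int)
    for r in rows:
        if r["event"] == "access_denied":
            counts[r["user"]] += 1
    return {u for u, n in counts.items() if n >= DENIED_THRESHOLD}


def external_confidential_email(rows):
    """Users who sent confidential-labelled mail to a non-internal domain."""
    flagged = set()
    for r in rows:
        if r["event"] == "email_confidential":
            domain = r["detail"].rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                flagged.add(r["user"])
    return flagged


def unsanctioned_usb(rows):
    """Users who mounted a mass-storage device not on the allow-list."""
    return {r["user"] for r in rows
            if r["event"] == "usb_mount" and r["detail"] not in SANCTIONED_USB}


INDICATORS = [
    ("download_spike", download_spikes),
    ("repeated_denials", repeated_denials),
    ("external_email", external_confidential_email),
    ("usb_mount", unsanctioned_usb),
]


def detect(text):
    """Map each flagged user to the indicators tripped, in INDICATORS order."""
    rows = parse_log(text)
    findings = defaultdict(list)
    for name, check in INDICATORS:
        for user in sorted(check(rows)):
            findings[user].append(name)
    return dict(findings)


if __name__ == "__main__":
    for user, hits in sorted(detect(SAMPLE_LOG).items()):
        print(f"{user}: {', '.join(hits)}")
```

The download check compares each day against the median of the user's own earlier days rather than a fixed byte limit, because a volume that is normal for an analyst is anomalous for a receptionist. Single indicators are noisy on their own; a user tripping several at once (as bob and carol do in the sample) is the pattern worth a closer look.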
While user training plays a central role in educating employees about the cost of negligence, insider threats extend beyond the employee who has no intention to cause harm. Organizations that wish to protect themselves from this kind of threat should address it squarely from a cyber security perspective.
Definitive user access policies should be implemented and zero trust enforced. To improve visibility, organizations can deploy real-time monitoring solutions that keep an eye on the data access and consumption habits of authorized user accounts.