A data breach is an ever-present risk for the modern business. However, you increase that risk when you neglect the real possibility of an insider threat.
Consider that 57 percent of businesses believe insider attacks are becoming more frequent. And 59 percent of businesses reported an insider attack within the last 12 months. Yet:
- Only 40 percent of businesses have an insider threat programme.
- And almost half of businesses cannot detect an insider threat, or can only do so once the damage is done.
The hard truth is companies only see insider threats in the rear-view mirror. Often, the offender has moved on or had plenty of time to do significant, irreparable damage. So, how can you keep your eyes on the road and spot oncoming threats in time to avoid them?
An insider threat, or insider risk, refers to ‘the potential for damage to be done maliciously or inadvertently by a legitimate user with privileged access to systems, networks or data.’
Four kinds of insider threats loom: negligent employees, malicious insiders, whistleblowers, and credential thieves. The insider might be an employee, contractor or vendor.
A negligent act would include weak passwords, unauthorised downloads, or a click on a clever phishing email which puts a chink in your company’s armour.
A malicious act is when a disgruntled or desperate employee or an intentional plant deliberately commits a breach.
An insider threat often appears as a regular employee completing their assigned tasks. This makes them hard to spot.
Negligence is the hardest to spot. So, regular compulsory training and policy reviews are important safeguards.
With malicious acts, it can help to understand why an insider is choosing to put your business at risk. They must have:
- Motivation. An individual might be dissatisfied or recently let go, have a political/social ideology, or be under significant financial pressure or duress. They will use this motivation to rationalise their actions.
- Opportunity. An insider might have an exit strategy such as the end of a contract or their last day of employment. They might take advantage of a hole in oversight/controls, overlapping access, or no separation of duties.
- Capability. Insider threats take advantage of the training your company must provide them with and exploit any weakness they can. With greater tenure comes greater know-how.
Beyond this, a study from 2013 found insider threats often display traits like a lack of ethics, superficiality and instability.
It comes down to symptoms and red flags. A manager or co-worker must observe behaviour, or changes in behaviour. Or it must be observable in the system when an insider over-extends the requirements of their role.
Some industries and companies will make for more likely targets. Often, information itself is worth something. But for industries like financial services, an insider could perpetrate theft or fraud.
Additionally, the risk of an insider threat may be exacerbated by factors like remote work environments, gaps as businesses combine or expand, or a lack of security training and culture.
To know the likelihood of an insider threatening your business, you need to assess your unique risk, exposure and existing controls.
Be assured. Your company can take action to fight insider threats. You can:
- Make use of automation to proactively identify symptoms of an insider threat like excessive data downloads or users accessing programs outside their role.
- Include the insider threat as a risk when you discuss security categories like access management, endpoint security, and shadow IT.
- Adopt security practices to mitigate the risk of insider threats. Some companies adopt zero trust policies.
- Build a culture of security where staff are trained on what to watch out for.
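The automated check from the first item above, as an added example (not part of the original article): it flags a user whose daily download volume far exceeds their own history, and any access to an application outside their role. The role map, event format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed role-to-application map (assumption; normally exported from IAM).
ROLE_APPS = {"finance": {"ledger", "payroll"}, "support": {"ticketing", "crm"}}

# Constructed sample events: (ISO date, user, role, application, MB downloaded).
EVENTS = [
    ("2024-03-01", "alice", "finance", "ledger", 40),
    ("2024-03-02", "alice", "finance", "payroll", 55),
    ("2024-03-03", "alice", "finance", "ledger", 45),
    ("2024-03-04", "alice", "finance", "ledger", 900),   # bulk download
    ("2024-03-01", "bob", "support", "ticketing", 10),
    ("2024-03-02", "bob", "support", "crm", 12),
    ("2024-03-03", "bob", "support", "ticketing", 11),
    ("2024-03-04", "bob", "support", "payroll", 9),      # outside support role
]

def detect(events, role_apps, factor=5, floor_mb=100, min_history=3):
    """Return (volume_alerts, role_alerts) for the given access events."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> MB that day
    role_alerts = set()
    for day, user, role, app, mb in events:
        daily[user][day] += mb
        # An unknown role has no allowed applications, so it always alerts.
        if app not in role_apps.get(role, set()):
            role_alerts.add((day, user, app))

    volume_alerts = []
    for user, per_day in daily.items():
        days = sorted(per_day)  # ISO dates sort chronologically
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # too little history to call anything unusual
            # Median baseline: one earlier spike barely moves the threshold.
            threshold = max(factor * median(history), floor_mb)
            if per_day[day] > threshold:
                volume_alerts.append((day, user, per_day[day]))
    return sorted(volume_alerts), sorted(role_alerts)

if __name__ == "__main__":
    volume, role = detect(EVENTS, ROLE_APPS)
    print("excessive downloads:", volume)
    print("out-of-role access:", role)
```

Comparing each user against their own history, rather than a single company-wide limit, keeps roles that routinely move large volumes from drowning out the alerts that matter.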
With substantial regulatory, financial, legal, and reputational consequences, it matters that you understand and combat the insider threat before it does damage to your business.