Insider threats: What they are and how to prevent them

In the ever-evolving realm of cybersecurity, the focus often falls on external threats, such as ransomware and malware, that lurk beyond the organisation's firewall. However, within the very walls of an organisation lies a potentially more devastating threat: insider attacks. These attacks, perpetrated by individuals with authorised access to an organisation's systems and data, can cause immense financial and reputational damage.

With European companies spending $15.4M annually on dealing with insider threats, and each incident taking over two months to contain, organisations must implement proper incident response plans to mitigate the cost, in money and time, that these threats impose on a business.


What are insider threats?

Insider threats are cybersecurity risks that originate from within an organisation. This means the threat comes from someone with authorised access to the organisation’s systems and data. Insider threats can be caused by current or former employees, contractors, partners and vendors.

In simpler terms, insider threats involve anyone with access to internal sensitive data who may intentionally or unintentionally misuse that access. This misuse puts that data’s integrity, confidentiality, and availability at risk.

These threats occur for various reasons and can have serious consequences, potentially compromising intellectual property, customer data, and critical operations and strategic initiatives of businesses.


What kinds of insider threats should you be aware of?

Let’s break it down into three categories: Malicious Insiders, Negligence and Compromised Insiders.

Malicious insiders:

These are individuals or organisations with authorised access to company data who use that information in harmful or unethical ways, for financial gain or out of anger towards the organisation.

Picture disgruntled employees or ex-employees working with competitors or hackers, looking to harm the business operations.

Example: A former Yahoo employee in a high-level senior position allegedly stole valuable intellectual property from the company 45 minutes after securing a job offer from a direct competitor, only 11 days before his resignation. The ex-employee is accused of downloading over 570,000 pages of code, algorithms and critical business information, which would put certain parts of Yahoo’s business in jeopardy.

How to prevent it:

  1. Establish a clear access control policy: Ensure your organisation has a well-defined access control policy. Implement clear processes to revoke access for ex-employees, so that they cannot retain access to old data or confidential information.
  2. Monitor unusual activities: Track activity at unusual times, such as logging into the network or entering the building at irregular hours. Additionally, keep an eye on the transfer of large volumes of data in bulk, so that potential threats are detected and addressed swiftly.
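Both controls above can be checked automatically. The following added example (not DataGuard's code) runs three checks over constructed sample log lines: a login outside business hours, a user whose access should already have been revoked according to an offboarding register, and a bulk download exceeding a daily per-user volume. The business hours, the 1 GB threshold and the offboarding register are assumed values to be tuned for your environment.

```python
from datetime import datetime, date
from collections import defaultdict

# Constructed sample logs (not real data): "timestamp,user,event,bytes"
LOG_LINES = """\
2024-03-04T09:12:00,alice,login,0
2024-03-04T09:15:00,alice,download,2500000
2024-03-04T02:41:00,bob,login,0
2024-03-04T02:45:00,bob,download,900000000
2024-03-04T02:58:00,bob,download,700000000
2024-03-05T10:03:00,carol,login,0
"""

# Constructed offboarding register: user -> last day on which access was still valid
TERMINATED = {"carol": date(2024, 3, 1)}

BUSINESS_HOURS = range(7, 20)     # assumed: 07:00-19:59, Monday to Friday
BULK_THRESHOLD = 1_000_000_000    # assumed: 1 GB downloaded per user per day


def parse(lines):
    """Turn the CSV-style log text into (datetime, user, event, bytes) tuples."""
    rows = []
    for line in lines.strip().splitlines():
        ts, user, event, nbytes = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, event, int(nbytes)))
    return rows


def detect(lines, terminated=TERMINATED):
    """Return a list of (rule, user, when) alerts in log order."""
    alerts = []
    per_day = defaultdict(int)  # (user, date) -> bytes downloaded so far that day
    for ts, user, event, nbytes in parse(lines):
        # Rule 1: logins at irregular hours (outside business hours or at the weekend)
        if event == "login" and (ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5):
            alerts.append(("off_hours_login", user, ts.isoformat()))
        # Rule 2: any activity by an account that should have been revoked
        if user in terminated and ts.date() > terminated[user]:
            alerts.append(("revoked_user_active", user, ts.isoformat()))
        # Rule 3: cumulative bulk transfer; fire once when the daily total crosses the threshold
        if event == "download":
            key = (user, ts.date())
            before = per_day[key]
            per_day[key] += nbytes
            if before <= BULK_THRESHOLD < per_day[key]:
                alerts.append(("bulk_transfer", user, ts.date().isoformat()))
    return alerts
```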

Negligence:

Unlike malicious threats, negligent threats are unintentional. They happen when someone with access to internal information makes a mistake such as falling for a phishing attack, bypassing security controls, or accidentally sharing confidential information. Negligent threats account for 63% of insider threats, according to recent IBM reports.

Example: In 2021, a phishing attack on X (formerly Twitter) resulted in over $100,000 in bitcoin being transferred to the scammers, a 4% drop in the share price and a delay to a new API release.

How to prevent it:

  1. Invest in ongoing information security training: Equip your team with the knowledge they need to recognise and counter potential threats. Regular training ensures that they stay up to date on the latest security practices.
  2. Cultivate a culture of compliance and awareness: Foster an environment where compliance and awareness are second nature. Make sure your employees fully grasp the best practices in cybersecurity. A vigilant team is your first line of defence.
  3. Conduct offensive security tests: Stay one step ahead by regularly performing penetration tests. These offensive security tests assess your employees' awareness levels, helping you identify and address potential vulnerabilities proactively.

Compromised Insiders:

These threats stem from credential theft, where someone impersonates a member of the organisation. This can occur physically, such as by stealing an access card, or through social engineering. These threats are the costliest to fix, with an average cost of $804k per incident.

Example: A Mailchimp employee was tricked by a social engineering attack, exposing credentials and granting attackers access to 133 user accounts. Since it was the third attack in less than a year, the impact on Mailchimp was severe.

How to prevent it:

  1. Fortify access security: Ensure robust security by implementing strict access controls, two-factor authentication, and utilising password managers. Strengthening these aspects enhances protection against unauthorised access.
  2. Prioritise training and pen testing: Safeguard against social engineering and other threats through ongoing training. Conduct regular penetration testing to evaluate your defences and enhance resilience. These initiatives help build a security-aware culture within your organisation.

You might also be interested in our on-demand webinar: Unveiling Vulnerabilities: espionage and the human factor in cybersecurity.


Costs of Insider Threats:

The costs associated with insider threats are multifaceted and require careful consideration:

  1. Monitoring and Surveillance: Investing in monitoring and surveillance tools is essential for tracking and identifying possible threats, and mitigating them before they escalate.
  2. Investigation & Escalation: Significant time is dedicated to assessing the impact of the incident and escalating it to management.
  3. Incident Response: Resources are allocated to respond to incidents, undertaking necessary activities to facilitate management decisions on how to proceed.
  4. Containment & Reparation: Efforts are directed towards containing threats and mitigating their impact. This includes repairing and restoring any assets or infrastructure that may have been damaged.
  5. Remediation: Costs are incurred in assessing the incident, understanding its causes, and implementing new measures and processes to prevent it from happening again.
  6. Financial Loss due to Business Disruption: Business operations temporarily halted result in financial loss. This extends to the impact on the business’ finances and strategic initiatives due to exposed information.
  7. Loss of Customer Trust and Reputational Damage: The cost of lost customer trust and of the damage done to the organisation's reputation.
  8. Regulatory Fines: Failure to implement the right measures for information asset protection may lead to a regulatory fine, adding a financial burden to overall costs incurred.


Our Recommendation:

Here's our top recommendation to effectively prevent and minimise the costs and impact of insider threats:

Establish a robust defence through comprehensive policies and procedures incorporated into a well-tested incident response plan. Drafting company-wide policies, conducting annual employee training sessions, performing regular penetration testing, and enforcing stringent access permissions are key measures to reduce the likelihood of encountering these risks.

If you're eager to delve deeper into bolstering your risk reduction efforts, explore how ISO 27001 can offer valuable support.

Are you interested to learn more about this topic? Get in touch with our in-house experts today.


About the author

DataGuard Information Security Experts

Tips and best practices on successfully getting certifications like ISO 27001 or TISAX®, the importance of robust security programmes, efficient risk mitigation... you name it! Our certified (Chief) Information Security Officers and InfoSec Consultants from Germany, the UK, and Austria use their years of experience to set you up for long-term success. How? By giving you the tools and knowledge to protect your company, its information assets and people from common risks such as cyber-attacks. What makes our specialists qualified? These are some of the certifications of our privacy experts: Certified Information Privacy Professional Europe (IAPP), ITIL® 4 Foundation Certificate for IT Service Management, ISO 27001 Lead Implementer/Lead Auditor/Master, Certificate in Information Security Management Principles (CISMP), Certified TickIT+ Lead Auditor, Certified ISO 9001 Lead Auditor, Cyber Essentials.
