Mitigating the three types of non-malicious insider risk
Some people do not see the big picture and assume there is only one type of insider risk: the malicious kind. As a result, they often think insider risk can be mitigated with a one-size-fits-all approach. That is a fallacy. To counter that myth, let's shed a little light on the different types of non-malicious insider risk and what companies can do to prevent them from becoming an insider threat (i.e., a malicious one).
There are three different types of non-malicious insider risks, and each one requires a different approach to mitigation. According to MITRE, the three types of non-malicious insider risks are:
- Mistaken
- Outsmarted
- Negligent
Mistaken
Even well-meaning employees sometimes make mistakes, whether through carelessness or simple inattentiveness. It happens; security is not their full-time job.
Sometimes an employee inadvertently uses an insecure application or unwittingly gives an outsider unauthorized access to sensitive areas. In the first case, someone could be using ChatGPT to check their code for errors. The pasted code is then retained by ChatGPT, and bad actors who obtain that information can use it to find exploitable weaknesses in the target company's software. That is why many companies, including Samsung, have banned ChatGPT. People can also put their organization at risk when they use unsecured email applications or thumb drives to share sensitive information.
Outsmarted
Employees can also be socially engineered to grant access to unauthorized individuals who may not have the company's best interests at heart. For example, at least one Uber hack happened because an employee was tricked into revealing his password to a hacker posing as a member of Uber's IT department.
Regardless of whether well-meaning employees accidentally share information or are tricked into giving someone access, the solution is the same. Companies need to establish clear policies around sharing corporate information and periodically remind employees of those policies. It also helps if companies implement tools that offer visibility into anomalous behavior, so that a potential mistake is detected as it happens and the employee receives guidance in real time.
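To make the "visibility plus real-time guidance" idea concrete, here is an added example (not code from the article or from DTEX) of a small rule-based detector that runs over endpoint and proxy log events and pairs each finding with a supportive nudge rather than a punitive block. It covers the three mistaken behaviors described above: posting source code to an external generative AI service, copying sensitive files to removable media, and emailing sensitive attachments to an outside address. The JSON log format, the sample log lines, the domain lists, the removable-media mount prefixes, the size threshold and the company domain are all constructed assumptions for this example.

```python
"""Rule-based insider-mistake detector with coaching messages (added example).

Assumptions (not from the article): one JSON object per log line, field names
as used in SAMPLE_LOG, and the constants below as the organization's policy.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Assumed: destinations treated as external generative-AI services.
GENAI_DOMAINS = {"chat.openai.com", "api.openai.com"}
# Assumed: a POST larger than this to a GenAI host is treated as a paste of content.
GENAI_POST_THRESHOLD_BYTES = 2048
# Assumed: file extensions that indicate source code or sensitive documents.
CODE_EXTENSIONS = {".py", ".java", ".c", ".go", ".js"}
SENSITIVE_EXTENSIONS = CODE_EXTENSIONS | {".xlsx", ".docx", ".pdf"}
# Assumed: mount prefixes for removable media on monitored endpoints.
REMOVABLE_PREFIXES = ("/media/", "/Volumes/", "E:\\", "F:\\")
# Assumed: the organization's own mail domains.
COMPANY_DOMAINS = {"example.com"}


@dataclass
class Finding:
    user: str
    rule: str
    detail: str
    guidance: str  # the real-time message shown to the employee


def _ext(path: str) -> str:
    """Return the lower-cased file extension of a path, or '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def check_event(event: dict) -> Optional[Finding]:
    """Apply the rules to one parsed event; return a Finding or None."""
    kind = event.get("type")
    user = event.get("user", "unknown")
    if kind == "http":
        host = event.get("host", "")
        sent = int(event.get("bytes_out", 0))
        if (event.get("method") == "POST" and host in GENAI_DOMAINS
                and sent > GENAI_POST_THRESHOLD_BYTES):
            return Finding(user, "genai_upload", f"POST of {sent} bytes to {host}",
                           "Company code and documents must not be pasted into external AI "
                           "tools; use the approved internal assistant instead.")
    elif kind == "file_copy":
        dst = event.get("dst", "")
        if dst.startswith(REMOVABLE_PREFIXES) and _ext(dst) in SENSITIVE_EXTENSIONS:
            return Finding(user, "removable_media", f"copied {event.get('src')} to {dst}",
                           "Removable drives are not approved for sensitive files; share via "
                           "the managed file-sharing service so access stays auditable.")
    elif kind == "email":
        recipient_domain = event.get("to", "").rpartition("@")[2].lower()
        risky = [a for a in event.get("attachments", []) if _ext(a) in SENSITIVE_EXTENSIONS]
        if recipient_domain and recipient_domain not in COMPANY_DOMAINS and risky:
            return Finding(user, "external_email", f"sent {risky} to {event.get('to')}",
                           "Sensitive attachments to outside addresses need an approved "
                           "secure-share link; please confirm the recipient and resend that way.")
    return None


def analyze(lines: List[str]) -> List[Finding]:
    """Parse each JSON log line, skip malformed ones, and collect findings."""
    findings: List[Finding] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is dropped, not treated as a finding
        finding = check_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: one employee per scenario plus benign and malformed lines.
SAMPLE_LOG = [
    '{"ts":"2024-05-01T09:12:03Z","type":"http","user":"alice","method":"POST","host":"chat.openai.com","bytes_out":18432}',
    '{"ts":"2024-05-01T09:13:40Z","type":"http","user":"alice","method":"GET","host":"chat.openai.com","bytes_out":512}',
    '{"ts":"2024-05-01T10:02:11Z","type":"file_copy","user":"bob","src":"/home/bob/q2-forecast.xlsx","dst":"/media/usb0/q2-forecast.xlsx"}',
    '{"ts":"2024-05-01T10:05:00Z","type":"file_copy","user":"bob","src":"/home/bob/notes.txt","dst":"/home/bob/backup/notes.txt"}',
    '{"ts":"2024-05-01T11:30:27Z","type":"email","user":"carol","to":"partner@gmail.com","attachments":["design.pdf"]}',
    '{"ts":"2024-05-01T11:31:00Z","type":"email","user":"carol","to":"dave@example.com","attachments":["design.pdf"]}',
    "not json at all",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.rule}] {f.user}: {f.detail}\n    -> {f.guidance}")
```

The design choice worth noting is that every rule returns a coaching message alongside the detection detail: the employee sees why the action is risky and what the approved alternative is at the moment they act, which matches the supportive rather than punitive approach the article recommends. In a real deployment the static lists would come from policy configuration and the size threshold would be tuned against baseline traffic so that ordinary browsing of the same hosts does not generate noise.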
Negligent
Unfortunately, some employees create risk because they are unconcerned about, or do not feel they should be bound by, the company's cybersecurity protocols. They are not trying to harm the organization, but by not adhering to security protocols they expose it to unnecessary risk. Many employees who fall into the negligent category are disengaged from their work, from organizational leadership, or from the culture. Oftentimes, a culture change is required to foster a trusted workforce in which employees shift from apathetic to motivated – not just in their work, but in the organization’s mission, cybersecurity included.
Make sure you have the complete view of insider risk
Industry analyst reports show that insider risk is on the rise. Verizon’s 2023 Data Breach Investigations Report reveals that 85 percent of data exploitation involves a human element.
When thinking of insider risk, most people picture a disgruntled employee looking to exfiltrate confidential information to sell to the highest bidder or to sabotage internal systems. While that does happen, most insider risk comes from non-malicious employees. It is tempting to paint non-malicious insiders as negligent, but most insider risk comes from employees who are trying to do the right thing.
The challenge of insider risk is showing no sign of slowing. The first step to proactive insider risk management is understanding the types of insider risk and developing tailored mechanisms for resolution in a way that is supportive – not punitive. With this knowledge comes the power to stop insider risks from becoming threats, in the interests of protecting data and fostering a trusted, thriving workforce.
Image credit: Andreus/depositphotos.com
Armaan Mahbod is Director of Security and Business Intelligence, Counter Insider Threat at DTEX Systems.