When ignorance isn't bliss: Accidental insider threats
Insider threats are far more commonplace than one would expect -- accounting for about 20 percent of all data breaches.
Though the term ‘insider threat’ conjures up images of disgruntled employees with malicious intentions or moles within an organization, the reality is that the majority of vulnerabilities of this nature are attributable to accidental, negligent insiders. As Okey Obudulu, CISO at Skillsoft, explains: "More often than not, insider threats are unintentional. Innocent acts -- such as sending an email to the wrong person or accidentally clicking on a phishing link -- can have devastating security consequences." Of course, what cybercriminals love more than anything is an unsuspecting and improperly trained employee to take advantage of…
No two insider threats are the same
Aside from malicious insiders, accidental threats tend to fall into one of two camps; "compromised insiders who become accidental threats, by clicking on a phishing link for example; or negligent insiders who threaten the security of their network through careless actions, such as leaving a laptop on a train." -- as Richard Orange, Vice President of EMEA Sales at Exabeam explains.
However, part of the reason insider threats can be so difficult to tackle is because of the diversity of threat patterns, making it hard to recognize when attacks occur. Orange highlights the need for strong defenses in the form of user and entity behavior analytics:
"Through behavioral analytics, businesses can identify a baseline of 'normal activity' and subsequently flag any abnormal or threatening behavior -- whether that relates to compromised credentials, or a disgruntled employee attempting to access and download privileged information."
Brett Candon, Vice President International at Cyware, recognizes that few organizations have a holistic view of their own threat landscape: "Threat intelligence helps enterprises get ahead of attacks, but it isn’t easy to segregate, correlate, and prioritize the huge volumes of available threat data to create a 'single source of truth'."
Candon suggests moving beyond threat intelligence, in order to 'connect the dots'. "This next-generation approach to cybersecurity -- often referred to as cyber fusion -- unifies all security functions such as threat intelligence, security automation, threat response, security orchestration, incident response, and others into a single connected platform which detects, manages, and responds to threats in an integrated and collaborative manner. The importance of collaboration -- inside and outside the organization -- cannot be overstated."
The impact of the way we work and human nature
When it comes to insider threats, changes in working styles and technologies have led to a whole host of new risks.
"The continual rise of digital transformation, hybrid working and, more recently, 'Shadow AI' usage has only made it more difficult to manage and mitigate these potential threats", Kevin Cole, Director, Technical Marketing and Training at Zerto, a Hewlett Packard Enterprise company, points out.
These difficulties can also often extend beyond the realm of cybercrime, with physical social engineering attacks putting all organizations with a physical presence at risk. Andy Swift, Cyber Security Assurance Technical Director at Six Degrees explains, "the problem when attempting to tackle PSE, as with any insider threat, is that vulnerabilities arise from seemingly innocuous actions, such as holding doors open without verifying credentials or allowing maintenance workers unsupervised access. However, an issue that is particularly unique to PSE is that attackers often manipulate human kindness to achieve their aim."
The rise of the engaged bystander
As the focus of this year's Insider Threat Awareness Month, the importance of 'engaged bystanders' in the fight against insider threats is undeniable.
Swift continues, "employees in modern workspaces tend to harbor a reluctance to report suspicious behavior. Post-COVID, many of us are not familiar with the faces of our fellow employees or what looks like 'normal behavior'. This, combined with the natural instinct of not wanting to get others into trouble, can act as a stumbling block when trying to prevent insider threats."
However, by providing the right training opportunities, employees can go from a potential weakness in an organization’s Armour to one of their greatest strengths -- both in physical workspaces and online. Skillsoft’s Obudulu underscores how best to achieve this:
"Giving employees the training to go from potential victims to the first line of defense requires awareness of traditional and emerging social engineering and phishing tactics. Organizations must provide comprehensive training to educate employees about identifying and mitigating risks associated with all attacks, especially ones leveraging gen AI. This includes imparting knowledge about the latest phishing techniques, raising awareness about the dangers of engaging with unknown entities, and promoting vigilant behavior online."
Leveraging the latest tech
While training employees to recognize suspicious activity and avoid becoming potential liabilities themselves is a vital step in mitigating insider threats, effective defense strategies will also incorporate technologies that ensure cyber security.
Matt Hillary, CISO at Drata, recommends a blended approach between both security and compliance teams, "using tools that streamline manual processes and reduce human error can help build trust, transparency and co-operation between these two, often separate, teams. For example, compliance automation eliminates blind spots through automated control monitoring and reduces the time it takes to close gaps and respond to noncompliance. It’s important to note that continuous compliance should not be viewed as a replacement for a robust cybersecurity policy, but rather as a complementary strategy that helps facilitate a culture of security."
Beyond this, organizations should also consider utilizing developing technologies such as AI to strengthen their cybersecurity strategies -- as Patrick Beggs, CISO at ConnectWise recommends: "Organizations can leverage artificial intelligence for context-aware monitoring, anomaly detection and behavioral analytics. By consuming billions of data artefacts, AI quickly learns about emerging risks, identifying malicious files and suspicious activity much faster and more accurately than a human ever could. It then applies its findings to predict activities, identifying them as they occur and assigning them a severity level for remediation."
He continues, "the combination of these AI-powered solutions, human expertise and well-defined security policies can help organizations build a robust defense against insider threats."
That being said, it is always best to have a backup plan. Zerto’s Cole agrees, stating "insider threat or not, organizations also need to come to terms with the fact that it is a case of 'when' they will be attacked, rather than 'if'. This is why investment in effective recovery technology is vital for organizations to protect themselves against the fallout of an insider threat-driven data breach or ransomware attack, which can lead to costly disruptions if operations are not restored swiftly."
Okey Obudulu is CISO at Skillsoft. Okey has over a decade of experience handling matters of the highest sensitivity and protecting critical assets in the private sector, as well as in government as a former Criminal Forensic Investigator. He's a strategic risk manager with several information security certifications and a Master of Business Administration (MBA) focused in Finance and Information Systems from Fordham University - Gabelli Graduate School of Business.