The evolving challenge of insider threats

Modern security teams need a 360-degree perspective if they are to successfully deal with all the risks they face. As well as protecting networks and data from external threat actors, organizations must also look at the risks posed by insiders -- a major security problem that brings a unique set of challenges.

Indeed, the issues associated with insider threats are growing to near ubiquitous levels. According to recent industry research, three-quarters of organizations say insider attacks have become more frequent, with more than half experiencing an insider threat in the last year. A major part of the challenge is identifying where the threats are coming from, given that employees and contractors already have varying levels of permitted access to systems. While the motivation for insiders can be malicious, employee errors can also result in hugely damaging security breaches.

Motivating factors

One of the central questions organizations want to get to the bottom of is 'why?'. Where are insider threats coming from, and what is the motivation behind them?

Accidental or negligent security breaches can be caused by a number of factors, particularly inadequate training or compromised credentials. In fact, negligence as a whole accounts for nearly two-thirds of insider incidents, with compromised credentials the root cause of a further 25 percent, according to research.

Negligence-related incidents can be caused by several factors, ranging from an employee breaching security protocols to complete a task or process more quickly. In contrast, malicious insiders are motivated by anything from financial gain to political beliefs or even out of anger and a desire for revenge against their organization or colleagues.

Identifying the warning signs

Security teams can be alerted to potential insider threats by watching for various warning signs within their environment. Spotting unusual or unexpected behavior, in particular, can provide the necessary insight to prevent or limit damage from an intentional or careless security breach.

These indicators can include a range of factors, such as employees logging in to systems at unusual times, frequent and erratic absences from work, financial problems or if they are in regular disputes with co-workers. Clearly, these indicators are extremely nuanced and tough to detect, but there can also be other obvious red flags, such as an employee repeatedly asking for escalated privileges or trying to access resources not required for their role.

However, spotting these indicators is often easier said than done. Employees may intentionally try to mask suspicious behaviors, while unintentional risks can emerge gradually over time (some behavior of which may not have even been addressed in policy). To detect nuanced changes in user activity, organizations need advanced analytics that baseline normal behaviors and alert security teams to anomalous deviations that may signify insider threats.

Effectively reducing risks on an organizational level requires a more rounded and proactive approach. For instance, carrying out regular risk assessments and security audits can provide a solid foundation for building an effective insider threat strategy. Their core benefit is that they help identify existing weaknesses in security posture and processes so they can be closed before being exploited by a malicious or negligent insider.

Technological threat detection and intelligence

While human vigilance is crucial, there's also an emerging emphasis on using artificial intelligence and machine learning tools for threat detection. These advanced technologies have the potential to predict and pinpoint anomalies faster, offering an additional layer of security, while their integration into existing systems helps to ensure that threats, both external and internal, are promptly addressed.

More specifically, organizations are turning to a host of technology solutions (including Data Loss Prevention (DLP)) that leverage threat intelligence and advanced analytics to identify a broader range of insider threats, and do so before they can turn into a security incident or breach. These tools also employ automation technologies to stop malicious or negligent activity on organizational infrastructure, such as stopping users from downloading sensitive data to removable storage, automatically encrypting data within emails or inspecting content in real-time to prevent unauthorized exfiltration.

Security teams need the ability to conduct investigations to identify the root cause. Crucial to this process is the ability to reconstruct patterns and analyze behaviors via the analysis of granular data. This must be backed by context from applications, connected devices and behavioral patterns and must also be done while protecting the data privacy and confidentiality of each employee so users are only identified when necessary.

Employee education is critical within a robust cybersecurity strategy

Whilst technology goes a long way in creating a robust strategy against insider threats, ideally, employees will also be provided with training at the point of risk. This training will ensure that they can understand why they have been prevented from carrying out certain actions or that they might be in breach of security policy - and most importantly know the right way of doing things. Armed with this information, they can build their knowledge and experience about what constitutes best practice on an ongoing basis, adding a significant layer of proactive protection against the risks associated with accidental security breaches.

Given the total average cost of an insider risk rose from $15.4 million in 2022 to $16.2 million in 2023, organizations need to implement robust processes and technologies to minimize their exposure. Addressing insider threats demands a multi-faceted approach blending technology, training and corporate culture. With rising costs from insider threats, fostering a trust-based, security-conscious environment, coupled with advanced tech solutions, is essential for safeguarding both assets and reputation.

Image credit: Andreus/depositphotos.com

Chris Denbigh-White is CSO at Next DLP.