Insider threats: Don't underestimate the dangers within
As we look ahead to the coming year, Trellix Advanced Research Centre recently shared its predictions for 2024. Among them, it highlighted that as connected devices continue to proliferate, and hybrid and remote workforces persist, insider threats will only continue to grow.
This expected increase is especially worrying because research has already shown that breaches caused by employees, whether accidental or malicious, have risen by 47 percent over the last two years. Annually, 34 percent of all businesses will suffer an insider threat incident, at an estimated, eye-watering cost of $15.38m per occurrence, so the predicted increase is particularly frightening.
Generative AI in the wrong hands
If those numbers aren’t ringing alarm bells already, consider what could happen now that generative AI tools are getting into the wrong hands. Reports are circulating about AI prompts that drastically speed up the development and distribution of malware. Tools like ChatGPT and Bard make it easy to build a PowerShell socket listener, function by function, with worm-like capability to spread malicious code quickly across computers.
Other AI models are also becoming popular with attackers, such as DarkBERT, which can be repurposed for unlawful uses, and WormGPT, which helps to write phishing emails and malware. These are the tip of the iceberg: without a doubt, more tools are being adapted for criminal purposes that have yet to surface.
Nor should we forget the thriving illicit trade in stolen credentials and in malicious scripts that execute malware and ransomware. This threat is exacerbated by criminals offering financial incentives to employees at target organizations in exchange for the credentials needed to bypass corporate security, as witnessed during the LockBit 2.0 breaches.
Accidental or deliberate, the damage is done
While a disgruntled employee might take money for supplying security information, a careless one could inadvertently cause equal damage. Phishing emails continue to catch people out despite the warnings, and even vigilant staff can make mistakes. The dangers are further amplified when businesses work with legitimate third parties such as suppliers, contractors, business partners, or anyone else who has access to systems across an organization’s network.
To strengthen the protection of consumers, regulations are becoming stricter, and fines are getting higher for those that don’t have sufficient security measures in place. But it’s not only about the detrimental effect of compliance penalties. A breach has other ramifications that could ruin a company, such as confidential IP being sold via illicit Telegram groups or personally identifiable information (PII) ending up on the dark web. Losses fueled by brand damage and reputational harm can grow to the point of bankruptcy.
No consumer will invest in services or purchase products that put them at risk. It's a simple logic that senior management and boards often overlook when assigning cybersecurity budgets. Start-ups in particular are prone to downgrading this risk, reasoning that because the company is in scale-up mode it is somehow safer.
Unfortunately, no organization, whatever its size or maturity, should think that it is immune to an insider threat. It remains one of the hardest risks to manage and mitigate without constraining the day-to-day activities of employees. However, some controls can be implemented to reduce the potential impact of insider threats and maintain business continuity.
Be prepared for the worst
The most fundamental control to put in place is the adoption of a zero-trust methodology that assumes no device, user, service, or network can be trusted. Importantly, it must be backed up by comprehensive threat modelling to understand the extent of exposure to attacks. A zero-trust approach also aligns well with regulatory requirements, including GDPR and HIPAA, which require effective controls and audit trails to ensure data protection and privacy.
Having mapped out the likelihood and potential impact of cyberattacks, the next step is to create an incident response plan, even if it lacks technical playbooks. It is crucial to understand the chain of communication and the process to follow when a breach occurs. SMEs with limited resources should consider cybersecurity insurance and engaging a consultancy to audit their incident response readiness. Knowing how to contain an incident internally, manage external communications, and meet compliance obligations is vital to weathering a breach.
The next step in preventing attacks is to control access by adhering to the principle of least privilege and deploying role-based access control (RBAC). These methodologies and tools dictate how and why a particular entity should have access to systems, and restrict that access to what is necessary to complete their work.
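The access control described above, as an added example that is not code from the original article: a deny-by-default RBAC check in Python that writes every decision to an audit trail (the kind of record the regulatory requirements mentioned earlier expect), plus a least-privilege review that lists permissions a role holds but has never exercised. The roles, users and requests are constructed for illustration and are assumptions, not data from any real deployment.

```python
"""Deny-by-default role-based access control with an audit trail.

Added example for illustration; not code from the original article. The
roles, users and requests below are constructed, not taken from any real
deployment.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Role -> set of (resource, action) pairs that role may perform. Anything
# not listed is denied: least privilege means the default answer is "no".
ROLE_PERMISSIONS = {
    "support-agent": {("tickets", "read"), ("tickets", "update")},
    "finance-analyst": {("invoices", "read"), ("reports", "read")},
    "hr-admin": {("employee-records", "read"), ("employee-records", "update")},
}

# User -> roles. Access is granted to a job function, not to a person, so a
# reviewer can see at a glance who can touch what. (Constructed sample data.)
USER_ROLES = {
    "alice": {"support-agent"},
    "bob": {"finance-analyst", "support-agent"},
    "carol": set(),  # contractor onboarded but not yet granted any role
}


@dataclass
class AuditEntry:
    """One access decision, kept so that decisions can be reviewed later."""
    timestamp: str
    user: str
    resource: str
    action: str
    allowed: bool
    role: Optional[str]  # role that granted access; None when denied


@dataclass
class AccessController:
    role_permissions: dict
    user_roles: dict
    audit_log: list = field(default_factory=list)

    def check(self, user: str, resource: str, action: str) -> bool:
        """Return True only if some role held by `user` explicitly grants
        (resource, action). Unknown users, unknown roles and unlisted
        actions all fall through to a denial."""
        for role in self.user_roles.get(user, set()):
            if (resource, action) in self.role_permissions.get(role, set()):
                return self._record(user, resource, action, True, role)
        return self._record(user, resource, action, False, None)

    def _record(self, user, resource, action, allowed, role) -> bool:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEntry(stamp, user, resource, action, allowed, role))
        return allowed

    def denied_attempts(self, user: str) -> list:
        """Denied requests by one user; a run of these is worth a look."""
        return [e for e in self.audit_log if e.user == user and not e.allowed]

    def unused_permissions(self, role: str) -> set:
        """Permissions a role holds that no logged decision has ever used.
        These are the first candidates to remove in a least-privilege review."""
        exercised = {(e.resource, e.action) for e in self.audit_log if e.role == role}
        return self.role_permissions.get(role, set()) - exercised


def run_sample_day() -> AccessController:
    """Replay a handful of constructed requests and return the controller so
    the audit log and reviews can be inspected."""
    ac = AccessController(ROLE_PERMISSIONS, USER_ROLES)
    ac.check("alice", "tickets", "read")            # allowed: her job
    ac.check("alice", "employee-records", "read")   # denied: not her job
    ac.check("bob", "invoices", "read")             # allowed via finance-analyst
    ac.check("carol", "tickets", "read")            # denied: no role yet
    ac.check("mallory", "tickets", "read")          # denied: unknown user
    return ac


if __name__ == "__main__":
    ctl = run_sample_day()
    for entry in ctl.audit_log:
        print(entry)
    print("alice denied:", len(ctl.denied_attempts("alice")))
    print("support-agent unused:", ctl.unused_permissions("support-agent"))
```

The design point is that `check` never has an "allow" branch for an unrecognised user or role; granting is the exception that must be written down in `ROLE_PERMISSIONS`. Running `unused_permissions` against a few weeks of the audit log is a cheap way to find over-provisioned roles before an insider, careless or otherwise, has the chance to use them.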
Only after these measures are up and running, and a zero-trust culture is established, should security professionals look at adding further capabilities depending on the available budget, such as user behavior analysis (UBA), data loss prevention (DLP), and extended detection and response (XDR) solutions.
Organizations that take a zero-trust approach to insider threats and foster a cybersecurity culture built on the same principles will minimize the risk of attacks. Those who go further and have a tried and tested incident response plan can be more confident that their business will survive a breach, even if the worst does happen. Unfortunately, the unexpected does happen, and businesses need to be prepared to offset internal threats in 2024.