Two trends in recent years are combining to exacerbate insider threat risks at companies. First, companies continue to foster cultures of openness and collaboration that often run contrary to the needs of a security-oriented mindset. Second, the mainstreaming of hybrid work has made companies’ control over data and device usage during work more tenuous.
Addressing insider threats
We’ve seen repeatedly that companies have the tools, structural choices, and decision-making power across their organisation to combat insider threats. But those tools and processes often exist in silos, preventing CSOs and CISOs alike from seeing the full picture, so that important signals go unnoticed or, worse, are missed altogether.
Over the next year, we’ll see increased collaboration and cooperation among CSOs and CISOs and their teams to join forces and take down arguably their common number one enemy: insider threats.
How significant is the problem?
To properly conduct an investigation, one must be radically focused on recognising cyber-physical security risk
If we have learned one important thing in the last several years, it is this: to properly conduct an insider threat investigation, one must be radically focused on recognising the convergence of cyber-physical security risk indicators, and therefore no stone can go unturned.
In discussions I’ve had with leaders in the human resources (HR), legal, cybersecurity, and IT and security departments of major corporations, there’s a growing awareness of insider threat risks. Statistics help bear that out.
Cybersecurity threat risk
The cost of a cyber insider threat attack rose from $11.4 million in 2020 to $15.3 million in 2022, according to research from the Ponemon Institute, which focuses on cybersecurity. And it often takes months for these schemes to be detected.
What is the main driver of risk from insider threats? Fraud and intellectual property theft are often the motivators for an insider acting out, according to data cited by the Cybersecurity and Infrastructure Security Agency.
Exploiting security weakness
It’s not surprising that banking and financial services organisations are near the top of the list when it comes to being at risk of insider threats. Additionally, theft of IP accounted for more than 20% of insider threats at healthcare organisations, while sabotage made up more than half of insider incidents at IT organisations.
Another important risk that cannot be ignored is the protection of critical infrastructure and the collateral damage associated with those types of attacks. They are not only debilitating, but the actors are also often much more sophisticated, and will often exploit the security weakness of an honest employee or contractor to gain access to the organisation.
Encouraging cooperation
Insider threat prevention requires cooperation. In theory, it’s everyone’s job. In practice, individual teams have mission-focused tunnel vision which often prevents them from working together more effectively.
Example 1
Employees engaged in ongoing fraud often skip vacations fearing that colleagues assuming their duties will uncover their theft
I’ll give you an example. One indicator of an insider threat is employee disengagement. The opposite can be an indicator too: employees engaged in ongoing fraud often skip vacations and sick days, fearing that the colleague assuming their duties will uncover their theft. These are concerns for HR and audit functions.
How likely is it that HR is going to discuss with the security team that someone has skipped vacation for several years running, or that another person has suddenly started turning in a sub-par work product?
Example 2
Another example: an employee on a performance improvement plan suddenly begins downloading large amounts of data, sometimes circumventing document handling controls.
Is the cybersecurity team familiar enough with that employee’s duties to know that this behaviour is unusual?
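The two examples above both describe a signal that one team holds (HR knows who has skipped leave or is on a performance improvement plan; the document-handling system knows who is downloading unusually large volumes) and that only becomes meaningful when it is joined with the other team's data. The following script is an added illustration of that join and is not code from the article or from any product it mentions. All employee IDs, HR fields, download events and thresholds in it are constructed for the example; the field names (`on_pip`, `days_since_last_leave`, the document `label`) are assumptions about what an HR feed and a DLP or file-server log might contain.

```python
"""Correlate HR context with data-movement telemetry to surface insider-risk
review candidates. Added illustration, not from the article; every employee,
field name, threshold and event below is constructed/hypothetical."""
from collections import defaultdict
from statistics import mean

# Constructed HR feed: the fields an HR system might share with security.
HR_RECORDS = [
    {"employee": "u1001", "on_pip": True,  "days_since_last_leave": 40},
    {"employee": "u1002", "on_pip": False, "days_since_last_leave": 900},
    {"employee": "u1003", "on_pip": False, "days_since_last_leave": 60},
]

# Constructed file-server/DLP telemetry: (employee, day_index, bytes, label).
# `label` is the document classification from the document-handling system.
DOWNLOAD_EVENTS = [
    ("u1001", 1, 2_000_000, "internal"),
    ("u1001", 2, 1_500_000, "internal"),
    ("u1001", 3, 2_500_000, "internal"),
    ("u1001", 4, 90_000_000, "confidential"),  # volume spike plus sensitive label
    ("u1002", 1, 5_000_000, "internal"),
    ("u1002", 2, 4_000_000, "internal"),
    ("u1002", 3, 6_000_000, "internal"),
    ("u1002", 4, 5_500_000, "internal"),
    ("u1003", 1, 1_000_000, "internal"),
    ("u1003", 2, 1_200_000, "internal"),
    ("u1003", 3, 1_100_000, "internal"),
    ("u1003", 4, 30_000_000, "internal"),      # volume spike, no HR context
]

SPIKE_FACTOR = 5.0    # hypothetical: latest day's volume vs. mean of earlier days
NO_LEAVE_DAYS = 365   # hypothetical: "has not taken leave in a year"


def daily_volume(events):
    """Sum bytes per employee per day -> {employee: {day: bytes}}."""
    vol = defaultdict(lambda: defaultdict(int))
    for emp, day, nbytes, _label in events:
        vol[emp][day] += nbytes
    return vol


def volume_spikes(events, factor=SPIKE_FACTOR):
    """Return {employee: (baseline, latest)} for employees whose latest day's
    volume exceeds `factor` times the mean of all their earlier days."""
    spikes = {}
    for emp, days in daily_volume(events).items():
        if len(days) < 2:
            continue  # no baseline to compare against
        latest_day = max(days)
        baseline = mean(v for d, v in days.items() if d != latest_day)
        if days[latest_day] > factor * baseline:
            spikes[emp] = (baseline, days[latest_day])
    return spikes


def sensitive_downloads(events, day):
    """Employees who pulled documents labelled other than 'internal' on `day`."""
    return {emp for emp, d, _b, label in events if d == day and label != "internal"}


def review_candidates(hr_records, events):
    """Join the security signals (volume spike, sensitive label) with the HR
    context and return a ranked list of (employee, score, reasons). Each
    reason names the signal so a reviewer sees why the case was raised."""
    spikes = volume_spikes(events)
    latest_day = max(day for _e, day, _b, _l in events)
    sensitive = sensitive_downloads(events, latest_day)
    hr_by_emp = {r["employee"]: r for r in hr_records}
    out = []
    for emp in set(hr_by_emp) | set(spikes):
        score, reasons = 0, []
        if emp in spikes:
            base, latest = spikes[emp]
            score += 2
            reasons.append(f"download volume {latest / base:.0f}x baseline")
        if emp in sensitive:
            score += 2
            reasons.append("pulled non-internal documents on latest day")
        rec = hr_by_emp.get(emp, {})
        if rec.get("on_pip"):
            score += 2
            reasons.append("on performance improvement plan")
        if rec.get("days_since_last_leave", 0) >= NO_LEAVE_DAYS:
            score += 1
            reasons.append("no leave taken in over a year")
        if score:
            out.append((emp, score, reasons))
    return sorted(out, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for emp, score, reasons in review_candidates(HR_RECORDS, DOWNLOAD_EVENTS):
        print(f"{emp} score={score}: " + "; ".join(reasons))
```

Run on the constructed data, the security telemetry alone raises u1001 and u1003 identically (both show a download spike), and the HR feed alone raises only u1002 (no leave in over a year). Only the joined view ranks u1001 first, because the spike, the sensitive document label and the performance improvement plan all land on the same person, which is exactly the combination the second example describes and that neither team would see on its own.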
Utilising technology
My point is that in case after case of an insider threat incident, it’s quite common for an organisation to have missed several opportunities to identify risks because teams aren’t disseminating information efficiently, even though they may already have the tools to uncover indicators of compromise.
Executives are starting to realise that technology can help manage these threats and get people on the same page. Technology needs to be supported by training and education so that everyone knows what to look out for and can recognise the nuanced indicators of risk. Only teamwork can bridge the gap.