Insider Threat: Detecting the enemy within
What can organisations do to mitigate against Insider Threats?
What is an Insider Threat?
The term ‘insider threat’ is often associated with the idea of malicious individuals, be they current or former employees, intending to directly damage the business through theft or sabotage.
The reality is, however, that negligent and careless employees and contractors can unintentionally pose just as high a risk to the business as those who deliberately seek to cause damage.
Generally speaking, the term can be taken to mean any threat that originates from inside your organisation. This is naturally a very broad category of threats because it can include current and former employees, contractors, interns, senior executives and anyone else who has access to critical systems and information.
In the case of malicious insiders, these individuals, or groups if they are not acting alone, may misuse their access to networks, applications and databases to knowingly cause damage and disruption by erasing, modifying or stealing sensitive data.
Why do organisations need to be concerned?
One of the key takeaways from research into insider threat-related incidents is that both the frequency and cost of insider threats have increased significantly over the past two years alone.
According to the 2018 Cost of Insider Threats report from the Ponemon Institute and ObserveIT, the average overall cost of insider threat-related incidents was $8.76 million. This rose by 31% to $11.45 million in 2020. Additionally, the number of incidents increased by 47%, from 3,200 in 2018 to 4,716 in 2020.
Types of Insider Threat
As we’ve discussed, insider threats are not always malicious in nature; in many insider threat-related incidents, the actions are born of negligence rather than malice. The Ponemon Institute’s 2020 Cost of Insider Threats Global Report, for example, found that 62% of insider threat-related incidents are the result of negligence. Negligence in this sense consists of inadvertent employee errors, such as falling for phishing scams or accidentally deleting files.
Whether employees are acting out of malice or negligence, however, insider threats pose a significant risk to organisations of all sizes and across all industries.
To better understand insider threats and why they represent such a risk to businesses, we have broken the term down into sub-categories below. This also helps to clarify the motivations behind each group’s actions.
1. Malicious insiders
This category of insider threat conforms most closely to the concept of an individual deliberately attempting to cause damage. The most common underlying goal for malicious and criminal insiders is financial reward or some other form of personal gain.
A Gartner report by Anton Chuvakin and Erik Heidt found that an overwhelming percentage (62%) of malicious insiders were ‘second streamers.’ They are so called because they look to create a second stream or supplementary income. Such individuals misuse confidential information to generate additional income through fraud, external collusion or providing competitors with trade secrets and information that undermines the organisation’s negotiating power.
So-called ‘second streamers’ may also exhibit a level of sophistication in order to avoid detection, especially since their ultimate aim is to remain with the organisation and continue to profit. For example, they may exfiltrate data slowly and in very small quantities rather than completing large data exports which may be identified by anomaly detection and network monitoring tools.
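The point above, that small, regular transfers slip under a per-transfer size rule, is easiest to see in code. The following is an added example, not part of the original article or any Senseon product: it runs two detection rules over a constructed outbound-transfer log (timestamp, user, bytes, destination). The per-event rule catches only the single bulk export, while a trailing 30-day per-user volume aggregate also catches the user sending one small file a day. The log format, user names, destinations and thresholds are all constructed for illustration.

```python
"""Added example (not from the original article): why a per-transfer size
threshold misses 'low and slow' exfiltration, and how a rolling per-user
volume aggregate catches it. Log format and all values below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024

# Constructed sample log: "<ISO timestamp> <user> <bytes sent> <destination>"
# 'jdoe' sends one 5 MB file a day to a personal cloud drive for 30 days (slow drip);
# 'asmith' does a single 120 MB bulk export; 'bwong' is ordinary business usage.
SAMPLE_LOG = []
_start = datetime(2020, 3, 1)
for _day in range(30):
    _ts = (_start + timedelta(days=_day, hours=18)).isoformat()
    SAMPLE_LOG.append(f"{_ts} jdoe {5 * MB} personal-drive.example")
SAMPLE_LOG.append(f"{(_start + timedelta(days=10)).isoformat()} asmith {120 * MB} filehost.example")
for _day in range(0, 30, 3):
    _ts = (_start + timedelta(days=_day, hours=10)).isoformat()
    SAMPLE_LOG.append(f"{_ts} bwong {2 * MB} partner-sftp.example")


def parse_log(lines):
    """Parse constructed log lines into (timestamp, user, bytes, destination), oldest first."""
    events = []
    for line in lines:
        ts, user, nbytes, dest = line.split()
        events.append((datetime.fromisoformat(ts), user, int(nbytes), dest))
    return sorted(events, key=lambda e: e[0])


def per_event_alerts(events, threshold_bytes=50 * MB):
    """Classic rule: alert on any single transfer larger than the threshold."""
    return sorted({user for _, user, nbytes, _ in events if nbytes > threshold_bytes})


def rolling_volume_alerts(events, window=timedelta(days=30), threshold_bytes=100 * MB):
    """Alert when a user's total outbound volume in any trailing window exceeds the threshold.

    A sliding window over each user's time-ordered transfers keeps a running sum,
    so the cost is linear in the number of events.
    """
    by_user = defaultdict(list)
    for ts, user, nbytes, _ in events:
        by_user[user].append((ts, nbytes))
    flagged = set()
    for user, xfers in by_user.items():
        start, total = 0, 0
        for ts, nbytes in xfers:
            total += nbytes
            # Drop transfers that have fallen out of the trailing window.
            while ts - xfers[start][0] > window:
                total -= xfers[start][1]
                start += 1
            if total > threshold_bytes:
                flagged.add(user)
                break
    return sorted(flagged)


def compare_detectors(lines):
    """Run both rules over the same log and return which users each one flags."""
    events = parse_log(lines)
    return {
        "per_event": per_event_alerts(events),
        "rolling_volume": rolling_volume_alerts(events),
    }


if __name__ == "__main__":
    # Expected: per_event flags only asmith; rolling_volume flags asmith and jdoe.
    print(compare_detectors(SAMPLE_LOG))
```

In a real deployment the 100 MB/30-day threshold would be replaced by a per-user or per-role baseline, and destination reputation (personal cloud storage versus an approved partner endpoint) would weight the score; the structure of the rolling aggregate is what matters.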
Although malicious and criminal insiders are often the most high-profile and widely reported cases, according to the Ponemon Institute they comprise only 23% of overall incidents.
The term ‘malicious insiders’ also applies to infiltrators who join an organisation with the specific intention of launching an attack, such as accessing or stealing sensitive data.
2. Compromised employees
A compromised employee is one who has been the victim of a cyber attack and whose credentials have been intercepted or whose device has been compromised. This type of insider threat can pose the biggest risk to the business because both the individual and the organisation may be unaware of the breach.
Individuals who fit this category may generally exhibit secure behaviour and comply with information security policies, but make isolated errors, often not realising their mistake until it is too late. Basic misjudgement, such as storing intellectual property on an insecure personal device, falling for a phishing campaign, mishandling data, installing unauthorised applications on devices and the use of unapproved workarounds all fit into this category.
Simple negligence is the most common form of insider threat: the Ponemon Institute’s 2020 Cost of Insider Threats Global Report found that 62% of insider threat-related incidents are the result of negligence. As this type of incident is the most frequent, the total costs can amount to a staggering average of $4.58 million per year within each organisation.
These actions are inappropriate as opposed to malicious and many of them fall within the world of Shadow IT (i.e. outside the knowledge of IT and security teams).
3. Careless employees
Careless, or negligent, users are ideal targets for attackers. Individuals who consistently behave in insecure ways and remain unresponsive to cyber security awareness and best-practice training fall into this category. While these users may not intend to behave negligently, they represent one of the riskiest user groups because their behaviour follows consistent patterns: individuals with a history of falling prey to phishing campaigns are more likely to be phished again.
If a senior executive or VIP who has privileged access to information systems is a persistent non-responder, this could have catastrophic impacts on the business. Theft of a privileged user’s credentials is the costliest type of credential theft for organisations. Annually, these types of incidents cost organisations an average of $2.79 million.
What can organisations do to mitigate against insider threats?
While the insider threat may be complex, costly and challenging, it is not impossible to defend against. Download our eBook, ‘Detecting the enemy within’, for comprehensive guidance on developing your insider threat detection and mitigation strategy.
If you are concerned about the impact of insider threats, download our eBook today.
This must-have guide provides IT and security leaders with:
Insight into the different types of insider threats
An understanding of the motivations behind insider threats
Practical advice on developing a robust insider threat detection and mitigation strategy
About the author
Brad Freeman, Head of Threat Analysis, Senseon
Brad is an expert in his field, with over a decade’s experience conducting nationally significant cyber security investigations across the critical national infrastructure and telecommunications sectors. Drawing on his extensive industry experience and knowledge, Brad leads the threat analytics team at Senseon and specialises in uncovering advanced actors deeply embedded within clients’ infrastructure.