In the 1999 workplace comedy classic Office Space, three disgruntled employees devise a plan: they will plant a virus in the company’s financial system, which siphons fractions of a cent from each transaction and deposits it in one of their bank accounts. Since the transactions are so small, the men are convinced that no one at the company will notice, but of course, a decimal is misplaced, and things go awry. While the movie hilariously depicts an insider threat, this type of threat is no laughing matter in the real world.
As we discussed in a previous post, an insider threat is a security risk that comes from within an organization. The threat actor could be a current or former employee, contractor, or third party using their legitimate privilege or access to company facilities, networks, data, or other sensitive information to intentionally or unintentionally harm a business. When compared to external threats, insider threats are far more dangerous because insiders already have the keys to the ‘kingdom’ and ample opportunities to wreak havoc.
Top Three Causes of Insider Threats
According to IBM’s The Cost of Insider Threats, the three most common root causes of insider threats are employee or contractor negligence (63%), credential theft (23%), and criminal and malicious insiders (14%).
- Employee or contractor negligence
Employee or contractor negligence boils down to one thing: human error. Humans are fallible, and in today’s fast-paced world, where employees are juggling numerous responsibilities, working on multiple projects, and trying to multitask, carelessness and accidents are rampant. An insider threat of this type could stem from emailing confidential information to the wrong recipient, falling victim to a phishing scam, or misconfiguring a system.
- Credential theft
Because it is more challenging to achieve, credential theft happens less often, but stealing an employee’s credentials is a hacker’s golden goose. If a threat actor manages to get the credentials of an admin or other employee with high-level access, they can easily enter a company’s environment and move through it without being detected. Of all three causes, credential theft has the highest per-incident cost.
- Criminal and malicious insiders
While criminal and malicious insiders are the least common cause of insider threats, they are perhaps the most dangerous because these threat actors have intimate knowledge of the company’s infrastructure, IP, data, and security practices. Of the many known incidents, malicious insiders often steal data or company secrets or launch attacks that sabotage competitive edges or cause irreparable reputational damage.
How to Deal With Insider Threats
Insider threats are increasing at a mind-bending pace. Protectera research found that in 2018, 53% of companies reported experiencing between 21 and 40-plus incidents per year; that number rose to 60% in 2020 and 67% in 2022.
Given that insider threats can lead to critical data loss, company-wide downtime, brand damage, legal ramifications, and more – all on top of the remediation costs – having a strategy to protect against these threats is more than imperative. So, what types of practices should be in place?
Establish robust and enforceable policies
One of the best ways to prevent and minimize insider threats is to have strict security policies in place and ensure every employee knows about them and follows them without fail. These should cover at least the following:
- Password management policies - Document how credentials are created, used, disabled, and deleted. The basics of this policy should include requiring complex passwords that have never been used before, requiring MFA, limiting login attempts, setting a maximum password age, and setting systems to log off after a few minutes of inactivity.
- Privileged access policies - Provide each user with only the access they need to perform their tasks and for only the amount of time necessary. Keep a detailed, up-to-date list of privileged accounts and avoid shared admin accounts. Additionally, instead of having privileged accounts without limits, follow the separation of duties principle.
- User monitoring policies - Enable monitoring and logging for all critical systems, including identity and access management (IAM) platforms and intrusion detection solutions. Be sure to use a system that monitors privileged activity and sends management real-time alerts about critical actions.
- Account management policies - Detail and document the rules governing how user accounts are created, managed and deleted, and the guidelines for when authorized privileges are granted or revoked. Also, include a process for how users should establish account rights.
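The password and privileged-access items above only reduce risk if they are checked against the real account inventory. The following is an added example, not part of the original article: a small audit that flags accounts violating those items. The field names, the sample accounts, and the numeric thresholds are all assumptions, since the article names the controls but gives no values.

```python
from datetime import date

# Assumed thresholds; the article lists the controls but not the numbers.
MAX_PASSWORD_AGE_DAYS = 90
MAX_FAILED_LOGINS = 5
MAX_IDLE_LOGOFF_MIN = 15

# Constructed sample inventory (hypothetical accounts, not real data).
ACCOUNTS = [
    {"name": "jsmith", "owners": ["jsmith"], "privileged": False, "mfa": True,
     "pw_changed": date(2024, 5, 1), "lockout_after": 5,
     "idle_logoff_min": 10, "priv_expires": None},
    {"name": "admin", "owners": ["jsmith", "akhan"], "privileged": True, "mfa": False,
     "pw_changed": date(2023, 1, 10), "lockout_after": None,
     "idle_logoff_min": 60, "priv_expires": None},
    {"name": "akhan-adm", "owners": ["akhan"], "privileged": True, "mfa": True,
     "pw_changed": date(2024, 4, 20), "lockout_after": 5,
     "idle_logoff_min": 10, "priv_expires": date(2024, 5, 15)},
]

def audit_account(acct, today):
    """Return the list of policy violations for one account record."""
    findings = []
    if not acct["mfa"]:
        findings.append("mfa-missing")
    if (today - acct["pw_changed"]).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-too-old")
    if acct["lockout_after"] is None or acct["lockout_after"] > MAX_FAILED_LOGINS:
        findings.append("login-attempts-not-limited")
    if acct["idle_logoff_min"] > MAX_IDLE_LOGOFF_MIN:
        findings.append("idle-logoff-too-long")
    if acct["privileged"]:
        # Privileged accounts get the extra checks from the access policy.
        if len(acct["owners"]) > 1:
            findings.append("shared-admin-account")
        if acct["priv_expires"] is None:
            findings.append("privilege-without-expiry")
        elif acct["priv_expires"] < today:
            findings.append("privilege-expired-not-revoked")
    return findings

def audit(accounts, today):
    """Map account name to findings, omitting compliant accounts."""
    report = {a["name"]: audit_account(a, today) for a in accounts}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS, date(2024, 6, 1)).items():
        print(f"{name}: {', '.join(findings)}")
```

In practice the inventory would be exported from the IAM platform or directory service rather than written by hand, and the findings would go to the team that owns the privileged account list.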
Conduct enterprise-wide risk assessments
Security teams should run annual assessments to identify all critical assets and vulnerabilities, keeping in mind how insider threats could compromise those assets. Each asset should be assigned a risk profile, and those ranked highest should garner the most attention in terms of allocating resources toward risk mitigation.
Keep employees sharp and restrict physical access
Raising employee awareness and training teams is one of the most vital defense tactics, especially when it comes to negligent behavior and insider threats. Make sure to keep employees abreast of common threats and scams and any new methods hackers might be using.
Tightening every aspect of physical security can also eliminate potential threats. No unauthorized people should be allowed in offices, and server rooms should always remain locked. Employees should have secure places to store any devices that have sensitive information, and in extreme cases, companies may want to check employee bags to ensure nothing is removed from the building.
A Threat is a Threat is a Threat
Security threats are at an all-time high, and SMBs remain particularly vulnerable, with 61% experiencing one last year. Although they often get less attention, insider threats can be just as dangerous and costly as external threats and should be treated with the same vigilance.
Since insider threats are significantly harder to detect, having a 24/7 monitoring and incident response (IR) solution in place can help security teams mitigate insider threats by proactively monitoring systems, detecting any suspicious activity, and responding according to predefined IR policies. In the end, security teams need to prepare for every threat equally, closing all gaps and eliminating all known vulnerabilities to the best of their ability, as threats will continue to come from every direction and can happen anytime.