The Trojans figured out that it’s much easier to open a gate from the inside rather than try and batter it down from the outside, and your organization is no different. Insiders may be using the same tactics as the Trojans did all those years ago on your organization today. In this article, we will explore what insider threats are, why they often fly under the radar, and why you should care.
Insider Threats In Brief
As you might infer from the name, insider threats are security risks that come from within the organization. The word “insider” refers to any individual who has intimate knowledge, and or access, to the processes of your organization’s personnel, facilities, or systems like networks or equipment.
Insider threats are particularly insidious due to their stealthy nature; as the saying goes “keep your friends close, and your enemies closer.” This saying is essentially the modus operandi of the inside attacker (although as we will see soon it may not even be malicious!).
The Insiders Profile
Not all insider attacks are created equal, and as we briefly noted in the previous section, some are not even intentional. Generally speaking, you can break down insider attacks into two categories, unintentional and intentional.
These types of attackers are unaware that they may even be an insider threat. Generally, they derive from human error. A staff or contractor clicks on a malicious phishing link (or even inadvertently befriending bad actors, for example through romance scams) giving external attackers access to sensitive databases or locking the system by inadvertently installing ransomware, would fall under this category.
The second kind of unintentional attacker is a negligent staffer, contractor, or vendor that is fully aware of security policies and procedures but chooses to ignore them, not for malicious reasons but perhaps out of laziness or carelessness.
An IBM study found that insider negligence alone cost businesses an average of $4.58 million yearly (total costs reaching $11.5 million), a trend that is only looking to increase over the years, with a 31% growth already in the past two years.
The second type of attacker is the intentional or malicious insider. These insiders are deliberate and targeted, using their privileged access to drop malware payloads, ransomware, or outright clone and steal sensitive data on key systems.
This attacker’s purpose is for personal or financial gain. It may come from a disgruntled employee who may have felt they were treated unfairly, or by an actor who purposefully joins the organization with the intent of causing damage.
The results are usually further reaching than external attacks because the perceptions of insider attacks are not as favourable, in the public domain, like those that come from external attacks (reputational damage can be higher when it comes from an insider).
Insiders Fly Under The Radar
Insider risks are often the most overlooked aspect of an organization’s threat analysis, which means they can often go unnoticed for quite some time. There are two reasons for this:
- Building a Distrustful Environment: The Trojans did not want to refuse a gift from the Achaeans which inevitably led to their downfall. In a way, organizations are similar, by committing resources to fighting insiders it may be misinterpreted as management not trusting those they hire. So rather than building a “perceived” distrustful environment, insider threats are left to chance.
- Lower Perceived Priority Over External Attacks: Big-ticket security breaches often involve headlines of big organizations falling prey to external attacks. Just think of the latest ransomware attack that crippled the Colonial Pipeline in the United States, which generated massive interest. The result of the bias the media has toward external attacks often results in organizations putting in a disproportionate amount of resources into perimeter security like endpoint hardening, next-gen firewalls, HSMs, and a plethora of anti-virus software.
Ironically, the Colonial Pipeline attack may have been the result of an unintentional insider attack through leaked employee credentials. But because the focus of the attack was on ransomware created by a group known as DarkSide, organizations might not associate it with insider threats.
Why You Should Pay Attention To Insider Threats
The nature of insider threats coupled with their often overlooked nature is a recipe for disaster. This recipe often leads to results that are more damaging than organizations may originally think and below you will find some reasons for this.
Ease of Access
Perhaps the most obvious reason as to why insider threats are so damaging is the ease of access the attacker has to sensitive systems (this would also apply to unintentional breaches).
One of the biggest challenges attackers face when breaching externally is bypassing identity and access management systems. Furthermore, larger organizations and some SMBs will have some technical security controls in place such as firewalls, restricted or secured ports, hardened endpoints, and or enterprise VPNs. All these factors can make a big enough challenge for attackers to deter them from attempting.
However, exploiting internal assets, such as staff or privileged accounts make it much easier to reach secured databases containing sensitive or business-critical data (hence the success of phishing attacks and use of stolen credentials).
So, while you should take the necessary technical precautions to mitigate external threats, organizational security controls should work in tandem to scope out and limit insider threats too.
Compliance and Regulations
The cybersecurity regulatory environment is constantly shifting to keep up with the changes in the threat landscape, and insider threats have not gone under the radar. The hardest hit industry from insider threats, according to an IBM report, is the financial services industry.
The gaps within the security architecture have led the Federal Financial Institutions Examination Council (FFIEC) to take action by creating the cybersecurity and critical infrastructure working group (made up of individual agencies within the financial services industry). The working group, and subsequent framework, take into account the threat of insider attacks and require the industry to take action in active prevention.
However, this is not the only regulation in the works, already established critical infrastructure regulations like the NERC cybersecurity standard require bulk energy suppliers to take all necessary precautions to counteract security threats (including insider threats).
Furthermore, consumer-orientated privacy regulations (like the GDPR and the CCPA) are requiring both organizational and technical measures to be put in place to limit the privacy risks associated with processing your customer’s personal data.
Explosive Growth In The Insider Threat Landscape
We briefly mentioned the increase of costs associated with insider attacks, however, the truth of the matter is that the frequency of attacks is also increasing.
Since 2018 there has been a 47% increase in insider attack incidents, and while most are coming from negligent employee behavior, credential theft is costing organizations the most (at around $2.7 million for privileged account credentials).
Interestingly, another published research paper has analyzed a concerningly growing number of laptop thefts targeting organizations. This research found that around 600,000 laptops are stolen in the U.S. yearly, with over 80% of cases committed by employees. In that 80%, around 10-15% are specifically targeting sensitive or business-critical information that may be stored on the laptops.
These harrowing statistics are only compounded when the average time to contain an insider threat averages around 77 days. This is ample time for attackers to infiltrate neighboring information systems, creating a cascading breach scenario.
External threats get lots of attention for several reasons, while internal threats are both less exciting to talk about in the news and are embarrassing for organizations (hence covering up many internal attacks). The rise of costs and number of incidents should raise major indications as to the necessity of an insider threat plan.
The simultaneous rise in the number of incidents and costs is only justifying the need to treat insider threats with more attention. No company likes to “air out dirty laundry” and reveal how their own people are responsible for such significant damage, leaving the news and public high and dry as to how serious insider threats really are. Internal threats should be viewed as just as threatening as external threats, only that those internal threats already got passed all your security walls and are just waiting to execute.