Uncovering the cyber threat within
All Internet-connected businesses need insight into one of the fastest growing cyber security problems − the threat from within an organisation.
Insider threat is fast becoming the most feared threat vector that modern Internet-connected businesses face. We are required to transact online and this brings a whole slew of new risks to businesses.
Even just one insider posing a threat is a major concern for every organisation employing staff − whether it be SME, large corporation, or public sector. It's a growing issue that many companies would prefer not to acknowledge. What is more worrying is the fact that these threats sometimes become very public, with resultant financial and reputational damage to the victims.
According to the Ponemon Institute's 2020 Cost of Insider Threats, Global Study, the average financial impact, worldwide, of this type of threat is reported to have risen to $11.45 million in 2020, which represents a staggering 31% increase.
Moreover, the frequency of incidents spiked by 47% over the same period. The report provides a detailed analysis of the primary cost centres for insider threats, as well as the most impacted industries, company sizes and regions.
- Containment is reported as the highest overall cost centre for organisations, at an average of $211 533 per company, annually.
- The fastest-growing cost centre is revealed to be investigations, costing organisations 86% more than they did only three years ago.
- The longer an incident lingers, the costlier it gets.
- The average incident takes 77 days to contain. Incidents that took more than 90 days to contain cost organisations an average of $13.71 million on an annualised basis.
The study then measured this cost through seven components of a security programme: monitoring and surveillance, investigation, escalation, incident response, containment, ex-post analysis and remediation.
Know what your assets are and be aware of who has access to them.
Among these many cost centres, it was found the cost of investigation was growing the most rapidly, with an 86% increase in three years. In fiscal year (FY) 2020, the average investigation cost is $103 798 per incident. In FY 2018, this number was just $73 398, and in FY 2016, it was as low as $41 461 − illustrating dramatic and sustained cost increases. The report defined investigation as “activities necessary to thoroughly uncover the source, scope and magnitude of one or more incidents”.
The Ponemon Institute defines insider threats as: a careless or negligent employee or contractor, a criminal or malicious insider, or a credential thief.
In the 2019 Verizon Data Breach Incident Report, attention is paid to the types of insider threats which organisations face. It profiles five insider personalities which are defined as:
- The careless worker: These are employees, or partners, who misappropriate resources, break acceptable use policies, mishandle data, install unauthorised applications, and use unapproved workarounds. Their actions are inappropriate as opposed to malicious, many of which fall within the world of shadow IT; ie, outside of IT knowledge and management.
- The inside agent: Insiders recruited, solicited, or bribed by external parties to exfiltrate data.
- The disgruntled employee: Insiders who seek to harm their organisation via destruction of data or disruption of business activity.
- The malicious insider: These are employees, or partners, with permission to log into corporate assets and who use existing privileges to access information for personal gain.
- The feckless third-party: Business partners who compromise security through negligence, misuse, or malicious access to, or use of, an asset.
The Verizon 2019 Data Breach Incident Report provides practical advice and counter-measures to help organisations deploy a comprehensive insider threat programme.
Two factors hold the key to this success: Know what your assets are and be aware of who has access to them.
According to Verizon, an effective identity and access management framework includes core processes, plus supporting systems, and is governed by stated policies. The report goes on to state the primary goal of access management is to approve and assign access privileges, manage changes and monitor the access environment. This ensures alignment with the needs of the business and helps reduce the risk to organisational assets.
The Verizon report advises that periodic reviews of identities and associated access logs are essential to find, and quickly correct, inconsistencies in access privileges and identity definitions.
However, businesses are not powerless. From preparation to mitigation, detection to response, the insider threat report provides extensive guidance on addressing risks from within, including:
Preparation and mitigation:
- Control and restrict access to trade secrets, customer data and other proprietary information on a need to know basis.
- Increase monitoring and logging of sensitive areas, systems and data.
- Monitor behaviour, including use of external storage devices, cameras and smartphones in sensitive areas.
- Disable access for activities deemed inappropriate, malicious, or otherwise posing organisational risk.
Under detection and response, the following is advised:
- Monitor suspicious network traffic such as unusual off-hours activity, volumes of outbound activity and remote connections.
- Keep baseline system images and trusted process lists; compare these standards with compromised systems.
- Temporarily block outbound Internet traffic, change user account passwords and search for indicators of compromise.
- Disable compromised user accounts, remove malicious files and rebuild affected systems.
The insider threat report offers many more counter-measures that can be taken to reduce potential risks − and avoid becoming yet another cyber crime headline.
In my next Industry Insight, I will reveal the building blocks for an effective insider breach detection programme.
CTO of DRS, a Cyber1 company.
Andrew Sjoberg is CTO of DRS, a Cyber1 company. He is a graduate of the University of Witwatersrand. Post-graduation, his early experience included the implementation and management of technologies in the banking and finance arenas. Sjoberg then moved into the cyber security technology space, where over the past 19 years he has worked at the cutting-edge of the industry, staying abreast of trends, and delivering best of breed services.
Andrew Sjoberg is CTO of DRS, a Cyber1 company. He is a graduate of the University of Witwatersrand. Post-graduation, his early experience included the implementation and management of technologies in the banking and finance arenas.
Sjoberg then moved into the cyber security technology space, where over the past 19 years he has worked at the cutting-edge of the industry, staying abreast of trends, and delivering best of breed services.His responsibilities at DRS include integration, innovation and specialisation services, as well as driving the guiding principles of the company's service excellence in delivering and supporting cyber resilience strategies to clients.