The rise of the insider threat: Protecting your data from the inside out

Rob Bolton, Senior Director for Insider Threat Management at Proofpoint

Johannesburg, 01 Mar 2021

Cyber security professionals globally spend the majority of their time focusing on keeping threats out. And with good reason. The threat landscape is constantly evolving. Keeping pace with – or even better, ahead of – external threat actors is vital to ensure the overall security of your organisation.

However, not all threats come from the outside in. Insider threats are on the increase and continue to affect organisations globally. Just like external threats, those that stem from the inside have the potential to cause significant damage.

Insider-led incidents can result in loss of sensitive data, financial loss and reputational damage, just to name a few. According to a recent study from The Ponemon Institute, insider threat trends show the number of incidents has increased by a massive 47% since 2018, costing organisations an average of $11.45 million a year globally.

Understanding insider threats

Not all insider threats are malicious. The first step in combating insider threats is to understand exactly what drives an insider to pose a threat to your organisation. Motivating factors can generally be grouped into three categories:

  • Unintentional: Careless employees can pose a serious threat through everyday actions such as installing unauthorised applications, using non-approved productivity tools, misplacing equipment or re-using passwords.
  • Emotionally motivated: Threats of this nature are posed by employees with a personal vendetta against your organisation. Emotionally motivated malicious insiders may seek to cause damage to your reputation by leaking privileged information or disrupting internal systems for maximum inconvenience.
  • Financially motivated: There are many ways to profit from privileged access, be it through the leaking of sensitive data, selling access to internal networks or disrupting internal systems in an attempt to affect company share price.

Whatever the intent behind them, insider threats can occur at any level of your organisation. With that said, actions that take place lower down the business hierarchy may be harder to detect.

Why insider threats should be on every security team’s radar

The next step in keeping ahead of insider threats is understanding why they are such a prevalent risk. Here are a number of reasons why emerging insider threat trends should be on every security team’s radar:

Opportunities for insider attacks have increased

Insider threat incidents have risen for three primary reasons: increased opportunity, dedicated focus and improved detection. The growth of business cloud-sharing platforms, which began before the global shift to remote working and accelerated with it, has transformed insider data theft. These platforms give malicious insiders nearly limitless cloud storage to which data can be moved outside what was traditionally a protected environment.

The good news is that more organisations are recognising insider threat risks and have built dedicated insider threat programs for incident detection and response. In addition, new, dedicated insider threat management tools have arisen in response to these people-centric threats.

The attack surface for insider threats is wider

Insiders are people who have access to sensitive data and systems. This can include employees, third-party contractors, supply chain vendors and more. Insider incidents typically occur in three forms: careless or accidental insiders, compromised accounts or malicious insiders. The more people with access to sensitive information, the less control an organisation has over it. As a result, the attack surface for insider threats increases, whether those threats are accidental or malicious.

Each of these types of insiders is difficult to detect because they are using seemingly legitimate systems or applications the business provides along with valid user credentials. Detecting these threats requires focused effort and technology that can detect unusual or malicious user activity.

Malicious insiders have many motives

While there are many motives for insider threats, financial gain is one of the primary reasons. Beyond financial gain alone, other motives include:

Personal gain: For example, taking intellectual property or customer data to a new employer. Some insiders act because they feel entitled to information related to work they’ve done for their current employer.

External influences: Influences like nation-states (think corporate espionage) or personal beliefs (political or religious) may motivate insiders to act.

Emotions: Angry or disgruntled insiders may sabotage systems or data to get revenge on an employer, manager or coworkers. Or, some insiders may snoop on executives or customers in order to leak or “dox” that information externally.

COVID-19 has changed the threat landscape

The pandemic has impacted workers globally in different ways. Many people are under stress due to the fear of getting sick, the potential impact to employment and risk to their financial futures. These stressors are reasons why insiders may act maliciously.

As a result, COVID-19 has changed the threat landscape for organisations. The rapid move to work from home for many workers has challenged organisations to employ the same security controls they use when employees are attached to corporate networks. Some behavioural monitoring tools became virtually useless because employee behaviour changed drastically, throwing their models off. Users may not be as careful with data when working remotely and can be distracted, leading them to make poor security decisions.

What’s more, many external attackers are using COVID-19 as a lure to send phishing e-mails to users to steal credentials. Distracted users are more vulnerable to these types of social engineering attacks.

Context is needed, but not easy to get

Insider threat is a people problem. Most security programs are geared towards stopping external actors using a variety of technical controls and detection tools. Insider threat trends show that insiders are different because they already have legitimate access to systems and data, and therefore look mostly like normal users but with different motivations.

The most important thing for security teams to consider with insiders is the context in which the insider is acting. A people-centric security solution that monitors a combination of user activity, data activity and threat context is most effective in detecting and responding to unusual or malicious activity. Insider threat management platforms can also be used to gather evidence during an investigation. That evidence may support corrective action against an employee or, in the case of litigation, help you protect your data and your business from threats from the inside out.
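The following is an added worked example, not code from the original article or from Proofpoint's products. It illustrates the three signals named above (user activity, data activity and threat context) and the caveat raised earlier that a behavioural model learned once can be thrown off when everyone's behaviour shifts at the same time. The activity log, the HR context flag, the user names, the destinations and the thresholds (5x a rolling seven-day median, with a 5 MB floor) are all constructed assumptions for the demonstration; a real deployment would tune them to its own data.

```python
"""Toy insider-threat scoring over a constructed upload log (added example).

Signals combined: user activity (who, when), data activity (how much, where to)
and threat context (an HR flag such as a submitted resignation). Two baselines
are compared: a rolling one that re-learns as behaviour changes, and a static
one learned once, which keeps alerting after a population-wide shift.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

MB = 1024 * 1024
MIN_BASELINE = 5 * MB   # floor so a quiet user is not alerted on a small upload (assumed)
RATIO = 5.0             # alert when a day exceeds RATIO x baseline (assumed)
WINDOW_DAYS = 7         # rolling baseline window (assumed)
LEARN_DAYS = 3          # static baseline learns from these first days only (assumed)
DAY0 = date(2021, 3, 1)


def _d(n):
    return DAY0 + timedelta(days=n)


# Constructed sample log, not real data: (user, day, destination, bytes_uploaded).
EVENTS = (
    # alice: steady 1 MB/day to the corporate share, then a 900 MB dump to a personal account
    [("alice", _d(i), "sharepoint.corp.example", 1 * MB) for i in range(7)]
    + [("alice", _d(7), "dropbox.com", 900 * MB)]
    # bob: 1 MB/day in the office, then 50 MB/day once the whole company works remotely
    + [("bob", _d(i), "sharepoint.corp.example", 1 * MB) for i in range(3)]
    + [("bob", _d(i), "onedrive.live.com", 50 * MB) for i in range(3, 14)]
)

# Constructed threat context from HR: alice has handed in her notice.
HR_FLAGS = {"alice": "resignation submitted"}


def daily_totals(events):
    """Return user -> {day: total bytes uploaded that day}."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, _dest, nbytes in events:
        totals[user][day] += nbytes
    return totals


def rolling_baseline(user_days, day):
    """Median daily volume over the WINDOW_DAYS days before `day`; quiet days count as 0."""
    window = [user_days.get(day - timedelta(days=k), 0) for k in range(1, WINDOW_DAYS + 1)]
    return max(median(window), MIN_BASELINE)


def static_baseline(user_days, _day):
    """Median over the first LEARN_DAYS days only; it never re-learns."""
    learned = [user_days.get(_d(k), 0) for k in range(LEARN_DAYS)]
    return max(median(learned), MIN_BASELINE)


def score(events, hr_flags, baseline_fn=rolling_baseline):
    """Flag days whose upload volume exceeds RATIO x baseline; HR context raises severity."""
    alerts = []
    for user, user_days in daily_totals(events).items():
        for day in sorted(user_days):
            if day < _d(LEARN_DAYS):      # skip the learning period in both modes
                continue
            base = baseline_fn(user_days, day)
            today = user_days[day]
            if today <= RATIO * base:
                continue
            dests = sorted({dest for u, d, dest, _ in events if u == user and d == day})
            alerts.append({
                "user": user,
                "day": day.isoformat(),
                "bytes": today,
                "baseline": int(base),
                "destinations": dests,
                "context": hr_flags.get(user),
                "severity": "high" if user in hr_flags else "medium",
            })
    return alerts


if __name__ == "__main__":
    for label, fn in (("rolling", rolling_baseline), ("static", static_baseline)):
        found = score(EVENTS, HR_FLAGS, fn)
        print(f"{label}: {len(found)} alerts")
        for a in found:
            print("  ", a["severity"], a["user"], a["day"], a["bytes"] // MB, "MB ->", a["destinations"], a["context"])
```

With the rolling baseline, alice's 900 MB upload to a personal account on the day after a week of 1 MB days is flagged high because of the HR context, and bob is flagged for the first few remote-working days but goes quiet once his new volume becomes his baseline. With the static baseline learned from office days, bob is flagged every single remote day, which is the "models thrown off" failure mode the article describes; the rolling window trades a short burst of noise for the ability to recover.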
