As today’s organizations ramp up their efforts to defend against external cybersecurity threats, the greatest risk actually comes from those inside the company. In fact, insiders are responsible for more than half of all data breaches[i]—posing a real threat to almost every business.
The Rising Cost of Insider Threats
So who exactly are insiders? And why should your company be concerned? In a nutshell, insiders are anyone with access to a company’s internal systems who willingly or accidentally misuse, modify, or delete sensitive data. This can include employees, independent contractors, third-party vendors, and supply chain partners.
To understand the damage insiders can wreak, look no further than Tesla, where an employee allegedly shared company trade secrets outside the organization. The former employee was sued for hacking Tesla’s manufacturing operating system and transferring gigabytes of data to outside entities, including dozens of confidential photographs and a video of Tesla’s manufacturing systems.[ii] He is also accused of periodically exporting data from Tesla’s network to third parties even after he left the company. Tesla said the former employee was acting in retaliation after he was involuntarily reassigned to a different role within the company.[iii]
Likewise, an ex-Apple employee was charged with stealing intellectual property regarding Apple’s self-driving car program and sharing it with Xmotors, a competitive company that hired him in China. The employee allegedly took Apple documents, air-dropping some of them from his phone to his wife’s laptop. He also allegedly stole a box of hardware including circuit boards and a Linux server. Apple noticed the breach after discovering that the employee’s network activity had “increased exponentially” after a return trip from China.[iv]
These are just two of many examples of how insiders can compromise an organization. As more companies embrace remote work and digital work environments, insiders are accessing and storing company data on a wide variety of personal devices and cloud storage sites, creating a new set of cybersecurity challenges that are difficult to identify and manage.
Indeed, the number of insider-caused cyber security incidents has increased 47% in just two years from 2018 and 2020, according to Ponemon Institute.[v] What’s more, the average annual cost for insider threats has grown to an astounding $11.45 million.[vi]
Types of Insider Threats
Insider threats aren’t a technology problem; they’re a people problem. And the people who compromise a company’s data can do so either accidentally or maliciously. Insider threats can generally be grouped into three categories of people:
- Negligent employees and contractors: The most common type of insider threat results from careless employees and contractors. Perhaps an employee didn’t abide by the company’s security policies. Maybe they skipped the request to set up multi-factor authentication. Or perhaps they stored data on their personal device or private cloud. Megligent employees account for the majority of insider data breaches, with the average incident costing organizations about $300,000.[vii]
- Disgruntled employees: Employees can become disgruntled for many reasons including being passed over for a promotion, conflicts with managers or co-workers, or being terminated from the organization. While most employees simply move on, some employees may take revenge on the company by stealing data or sabotaging its systems and information.
- Criminal insiders: These insiders typically steal sensitive data and intellectual property for financial gain. Sometimes they’re recruited by cyber criminals to take a position within a company. Other times, they act on their own, selling a company’s sensitive information on the black market. While criminal insiders are the rarest form of insider threat, they can also cause the most financial harm. According to the Ponemon Institute, the average cost per incident involving an imposter or thief who steals credentials is more than $870,000.[viii]
The High Stakes of Insider Threats
Because insiders are trusted employees who are often granted access to sensitive data, insider attacks can be difficult to uncover. On average, it takes companies 77 days to detect an insider incident[ix]—giving employees and contractors ample time to cause harm before the company notices and responds.
Insiders can damage an organization in many ways. Accidents can happen when employees unwittingly store their credentials in an unsafe place, and a cyber attacker than steals them. And malicious insiders can cause hundreds of dollars in damages through a variety of spiteful actions. They can maliciously steal a company’s intellectual property that took years to develop, robbing the company of its competitive advantage. They can sabotage a company’ systems or data, disrupting the organization’s operations. And they can harm an organization’s reputation by taking sensitive data and selling it for profit.
Whether accidental or malicious, insider attacks can result in lost customers and investors, ultimately compromising a company’s market share and its overall revenue.
How to Prepare
As the number of insider attacks continue to increase, they’ve now become more common than you might think. Indeed, 61 percent of organizations reported at least one insider attack over the last 12 months, according to one survey, with 22 percent reporting at least six separate attacks.[x] And while these attacks are increasingly common, unfortunately, less than 20% of organizations have implemented a specific program to prevent insider threats.[xi]
So how can your company prepare? Consider the following best practices:
- Form a team to focus on insider threats: The practice of protecting your organization from insider threats is different from defending against external cyberattacks and should be treated as a separate effort. Obtain CEO and board-level buy-in for this effort and then establish a separate team to manage it. The team can be small, but all of the participants should be highly trustworthy and able to work with business leaders from across the organization. Some organizations have this team report to human resources, whereas others assign it to their chief security officer. Whatever works best for your organization, make sure you invest in training so the team understands the ins and outs of managing malicious insiders.
- Establish the rules of operation: Set the framework for the team’s activities including how you will monitor employee activity and what types of circumstances will trigger an investigation. You’ll also need to establish how your organization will investigate suspected insider incidents, escalate them, contain them, and repair the organization’s systems and business processes should an insider attack occur.
- Classify your data and users: All company data should be classified according to risk, with personal data, health-related data, credit card data, and intellectual property assigned the highest levels of classification. Likewise, users should be grouped by their role or function within the organization, with sensitive information granted only to those who need it to perform their jobs.
- Implement strong password policies: Create and enforce strong policies to control user access and protect against credential theft. This should include multiple-factor authentication to create multiple layers of protection. It should also include the use of complex passwords and frequent password changes.
- Encrypt and backup your data: Be sure to encrypt sensitive data, while limiting who has the keys to decrypt this information. In addition, protect your organization from deleted data by backing up critical data and controlling access to these backups.
- Educate your employees: Regularly train employees, contractors, and third-party vendors about the risk of insider threats and your organization’s policies to protect against them. Let your employees know how your program works, and enlist them to report suspicious activity and help the organization protect against these threats.
- Learn to spot suspicious activity: Make sure you understand the indicators that can help you uncover insider threats. These can include unusual requests for access, repeated failed logins, a sudden increase in user privileges, storing and downloading large quantities of data, and transmitting data to unauthorized physical storage devices such as USB drives and CDs. By knowing what to look for, your insider threat team will be better prepared to battle these threats.
- Use technology to monitor access unusual behavior: Implement technology that can detect behavior that fails to align with your organization’s specific policies, while instantly alerting your team to suspected incidents. This technology should be able to track and tag sensitive data to determine who is accessing and downloading it. Is should also be able to collect, analyze, and report suspicious user activity so you can identify user threats before they harm your organization.
- Respect employee privacy: The vast majority of insiders behave honestly and should be treated as such. If you notice unusual activity, make sure to protect the employee’s identity until you’ve discovered enough evidence to launch an investigation. Don’t discuss the investigation outside of your insider threat team. And don’t accuse an employee until you’ve completed the investigation. There are a lot of false positives, and every employee deserves to be treated as a trusted member of the organization until there’s overwhelming evidence to the contrary.
Protecting your business.
As insider threats damage businesses with greater frequency and severity, it’s critical for companies to guard against these types of cyber security risks. With the right strategy and technologies in place, today’s businesses can maximize employee productivity while defending their organization against these increasingly devastating attacks. Learn about SailPoint Identity Security.
[i] Code42, “Tackling Insider Threat with Data Loss Protection,” https://3qmwh315nk51z8bsi30vjk11-wpengine.netdna-ssl.com/wp-content/uploads/2020/04/Tackling-Insider-Threat-with-Data-Loss-Protection.pdf
[v] Ponemon Institute, “2020 Costs of Insider Threats Global Report,” https://www.proofpoint.com/sites/default/files/2020-04/gtd-pfpt-us-tr-ponemon-institute-2020-cost-of-insider-threats.pdf
You might also be interested in:
Take control of your cloud platform.
Learn more about SailPoint Identity Security.