Are you trying to figure out how to keep insider attacks out of your company? This article explains how to defend your organization against insider threats from the ground up.
Modern businesses rely on many people to run smoothly, and at any moment a large number of them have access to sensitive organizational data. These people include current employees, former employees, vendors, partners, and contractors. In cybersecurity terms, each of these points of access is a potential insider threat. People with authorization to access an organization's information, data, and resources are known as insiders, and they can misuse that access for their own gain.
What Are Insider Threats?
An insider threat is a kind of cyberattack emanating from an individual who works for an organization or has authorized access to its systems. An insider threat could be an existing or prior employee, consultant, board member, or business partner and could be intentional, unintentional, or malicious.
Generally, an insider threat in cybersecurity refers to a person using their authorized access to a company's data and resources to harm the organization's equipment, information, networks, and systems. It also covers corruption, espionage, degradation of resources, sabotage, terrorism, and unauthorized information leaks. An insider can also be the starting point from which cybercriminals launch malware or ransomware attacks.
These threats are highly expensive for organizations. A 2020 Ponemon Institute study found that these attacks cost an average of $11.45 million and that 63% of these threats result from employee negligence.
Types of Insider Threats
Malicious Insider
A contractor or employee who deliberately sets out to steal information or disrupt systems. This may be an opportunist looking for ways to steal sensitive information that they can sell or use to advance their career, or a disgruntled employee searching for ways to hurt the organization or to punish or embarrass other employees. An example of malicious insiders is the Apple engineers who were charged with data theft for stealing driverless car secrets for a China-based company.
Negligent Insider
An employee who does not properly follow IT procedures. For instance, an individual who walks away from their computer without signing out, or an administrator who did not reset a default password or failed to apply a security patch. An example of a negligent employee is the data analyst who, without permission, took home a hard drive holding sensitive data on 26.5 million US military veterans; the drive was then stolen in a home burglary.
Compromised Insider
A common instance is an employee whose computer has been infected with malware, typically through a phishing scam or by clicking a link that triggers a malware download. Compromised insider machines can serve as a foothold for cybercriminals, from which they scan file shares, escalate privileges, attack other systems, and more. In the Twitter breach, attackers used a phone spear-phishing attack to obtain employee credentials and access to Twitter's internal systems. They gathered information about Twitter's processes, targeted employees with access to account support tools, hijacked high-profile accounts, and ran a cryptocurrency scam that earned $120,000.
Insider Attacks Statistics: How Big is the Issue?
These threats are a growing problem, as evidenced by the Ponemon Institute's 2020 Cost of Insider Threats Global Report.
- Every year, 60% of organizations face more than 30 insider-related incidents.
- 62% of the insider-associated incidents were caused by negligence.
- 23% of the insider-connected incidents were attributed to criminal insiders.
- 14% of the insider-linked incidents were attributed to user credential theft.
- The number of insider-associated incidents increased by 47% in two years.
- Organizations spend an average of $755,760 on each insider-connected incident.
These attacks are hard to detect because the threat actor has authorized access to the company's systems and data. Employees need access to resources such as email, cloud apps, or network resources to do their jobs.
Depending on the nature of the job, some employees will also need to access sensitive data like financials, patents, and customer information.
Because the threat actor has legitimate logins and access to the company's systems and data, many security products treat the behavior as normal and do not trigger any alerts. These threats become even harder to detect as they grow more sophisticated. For instance, a threat actor could use lateral movement to hide their tracks and reach high-value targets.
Why Insider Threats Are Dangerous
1. Data Leak
A data leak is when sensitive information is accidentally exposed, which makes it effortless for cybercriminals to collect and use it for malicious purposes. Data leaks are extremely harmful to organizations because they may not even notice the leak for several days or even months. Typically, these leaks place all of a company’s sensitive data at risk, including their customer’s PII (personally identifiable information).
2. Data Breach
A data breach is when a cybercriminal or employee steals a sensitive piece of information without the authorization of the owner or organization who owns the data. Similar to the data leak, organizations may not notice a data breach until after days or months have passed. It provides enough time for cybercriminals to utilize the breached data for malicious activities.
3. Financial Losses
According to the Soft Activity report, insider incidents have increased 47% over the last two years, and the average cost of an incident was $15.38 million. The financial losses an organization suffers vary with the impact of the insider threat.
4. Reputational Damage
A successful insider attack costs many organizations their credibility, which makes it harder for them to regain the trust of customers and partners. This leads to financial losses and may even force an organization to shut down altogether.
5. Legal Repercussions
Insider threats can also lead to legal outcomes for organizations, especially if they don’t have procedures in place to safeguard their most valuable assets, like customer data. Legal consequences are highly expensive, which may cause an organization to lose a huge amount of money.
Real Examples of Insider Incidents
Yahoo
An insider threat incident hit Yahoo in May 2022. Qian Sang, a research scientist at the company, received a job offer from a rival called The Trade Desk. Minutes later, Sang downloaded about 570,000 pages of Yahoo's intellectual property to his own devices, including data about Yahoo's AdLearner product.
It took Yahoo numerous days to realize that Sang had stolen the company's data, along with its competitive analysis of The Trade Desk. Yahoo sent a cease-and-desist letter and brought three claims against him, including theft of intellectual property, arguing that Sang's actions deprived Yahoo of exclusive control of its trade secrets.
Microsoft
In 2022, Microsoft suffered a data leak due to employee carelessness. The security firm spiderSilk discovered that many Microsoft employees had exposed their login credentials for the company's GitHub infrastructure. These credentials could have allowed access to Azure servers and other internal Microsoft systems.
Microsoft declined to reveal which systems these credentials protected. An internal investigation determined that no one had tried to access the sensitive data, and the company took action to prevent this from happening again. However, had the mistake exposed EU customer information, Microsoft could have faced a GDPR fine of at least €20 million.
Proofpoint
In July 2021, Samuel Boone, an ex-employee of Proofpoint, stole confidential sales enablement data right before starting a job at Abnormal Security, a competitor. Unfortunately, Proofpoint's DLP (Data Loss Prevention) solution did not stop the employee from copying confidential documents to a USB drive.
It took several months to discover that Boone had taken these files. By that time, Boone could have made significant progress in sales at Abnormal Security. Proofpoint took legal action against Boone in federal court for illegally sharing battle cards that could give him and his new employer an unfair advantage.
Coca-Cola
The Coca-Cola Company announced a data breach in 2018. A former worker was found to have an external hard drive containing data stolen from Coca-Cola.
Coca-Cola issued data breach notices to about 8,000 individuals whose personal details were included in computer files that an ex-employee took with him when he resigned from the company.
Amazon
In October 2021, several Amazon workers were responsible for leaking customer data, including email addresses, to an independent third party. This behavior violated company policies. The company fired these workers and referred them to law enforcement. Amazon never disclosed how many customers were affected.
Ubiquiti
Ubiquiti is a well-known global manufacturer of wireless communication devices. The company had a malicious insider among its workers: Nickolas Sharp stole gigabytes of company data and tried to blackmail his employer.
Nickolas Sharp used his cloud admin credentials to copy and steal confidential data. He attempted to hide his activity by changing log retention policies so his identity would remain anonymous. Once he had the data, he demanded $2 million from Ubiquiti in exchange for its return. The company refused to pay, identified him, and reset all employee credentials.
In January 2021, Ubiquiti released a data breach notification, and Nickolas Sharp was arrested for data theft and blackmailing.
How to Detect Insider Threats
Detecting insider threats poses unique challenges for security teams because traditional defenses like firewalls and access control are often ineffective against them. User Behavior Analytics (UBA) and Privileged Access Management (PAM) technologies can help fill the gap where other controls cannot. Be on the lookout for the following warning signs that may indicate an insider attack or threat.
Digital Warning Indications
- Downloading or accessing large amounts of data.
- Accessing sensitive data not related to their job function.
- Accessing data that is inconsistent with their established behavioral profile.
- Multiple requests for access to resources not connected with their job function.
- Using unauthorized storage devices such as USB drives or floppy disks.
- Crawling the network in search of sensitive information.
- Hoarding data or copying files from sensitive folders.
- Emailing sensitive data outside the company.
Behavioral Warning Indications
- Changes in behavior.
- A high level of stress or job dissatisfaction.
- Attempts to bypass security controls.
- Frequently in the office after working hours.
- Disgruntled behavior toward coworkers.
- Violations of organization policies.
- Talk of resigning or of new opportunities.
- Unexpected lifestyle changes or boasting about wealth.
How To Stop Insider Threats
These threats can be prevented by regularly monitoring user activity, obtaining real-time insight into network activity, and acting immediately when a security incident occurs.
Stopping these threats relies on the following steps of the security event process:
Detect and Investigate
Organizations need to be able to detect malicious, suspicious, or unusual activity on their systems. Threat detection requires real-time insight into the use of credentials: when and where users have signed in to the corporate network and the location they accessed it from. Once an insider threat has been identified, organizations must be able to investigate it swiftly. There is no advantage in detecting unusual activity but not investigating it until many days after the event; by then the attacker will likely have escalated their privileges and carried out their attack.
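The digital warning indications listed earlier and the real-time sign-in insight this step calls for can be turned into a simple baseline-and-deviation check of the kind a UBA tool automates. The following Python is an added example, not code from the article or from any vendor: it builds a per-user profile from constructed audit events and scores each new event against the indications above (bulk download, unfamiliar folder, new sign-in country, after-hours activity, removable media); the record layout and the thresholds are placeholder assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not from the article): user, time, sign-in
# country, folder touched, bytes read, and the device the data landed on.
BASELINE = [  # historical activity that defines each user's normal profile
    {"id": "b1", "user": "alice", "ts": "2024-03-01T10:15:00", "country": "US",
     "folder": "sales/reports", "bytes": 1_000_000, "device": "laptop"},
    {"id": "b2", "user": "alice", "ts": "2024-03-04T09:30:00", "country": "US",
     "folder": "sales/forecasts", "bytes": 3_000_000, "device": "laptop"},
]
RECENT = [  # new events to triage against that baseline
    {"id": "r1", "user": "alice", "ts": "2024-03-10T11:00:00", "country": "US",
     "folder": "sales/reports", "bytes": 1_500_000, "device": "laptop"},
    {"id": "r2", "user": "alice", "ts": "2024-03-10T23:40:00", "country": "US",
     "folder": "eng/source", "bytes": 50_000_000, "device": "usb"},
    {"id": "r3", "user": "alice", "ts": "2024-03-11T09:00:00", "country": "RO",
     "folder": "sales/reports", "bytes": 500_000, "device": "laptop"},
    {"id": "r4", "user": "mallory", "ts": "2024-03-11T12:00:00", "country": "US",
     "folder": "sales/reports", "bytes": 100_000, "device": "laptop"},
]

def build_profile(events):
    """Per-user baseline: folders and countries seen, plus bytes per access."""
    profile = defaultdict(lambda: {"folders": set(), "countries": set(), "bytes": []})
    for e in events:
        p = profile[e["user"]]
        p["folders"].add(e["folder"])
        p["countries"].add(e["country"])
        p["bytes"].append(e["bytes"])
    return profile

def score_event(e, profile, bulk_factor=10, work_hours=(8, 19)):
    """Warning indications the event matches ([] = looks normal); thresholds are placeholders."""
    p = profile.get(e["user"])
    if p is None:
        return ["unknown_user"]  # no baseline at all: route straight to a human
    flags = []
    if e["bytes"] > bulk_factor * sum(p["bytes"]) / len(p["bytes"]):
        flags.append("bulk_download")  # heavy download versus the user's average
    if e["folder"] not in p["folders"]:
        flags.append("unfamiliar_folder")  # data outside the usual behavioural profile
    if e["country"] not in p["countries"]:
        flags.append("new_location")  # signed in from a country never seen before
    if not work_hours[0] <= datetime.fromisoformat(e["ts"]).hour < work_hours[1]:
        flags.append("after_hours")  # activity outside working hours
    if e["device"] == "usb":
        flags.append("removable_media")  # copy to an unauthorised USB device
    return flags
```

Running `score_event` over each record in `RECENT` with the profile built from `BASELINE` flags the late-night USB copy from an unfamiliar folder on four counts, the sign-in from a new country on one, and leaves the routine report access unflagged.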
Prevent and Protect
Once suspicious activity has been confirmed as malicious or unauthorized, companies need to block the users involved from accessing their systems and networks. Organizations also need to safeguard their users and devices by applying security policies and protecting their data. Critical assets, including facilities, people, technology, intellectual property, and customer information, must be protected with appropriate levels of access rights and privileges.
Policies must be documented, and all workers must be aware of the security procedures they have to follow, their data privileges, and the organization's intellectual property rights. This step is also crucial for complying with increasingly strict data privacy regulations.
Final Verdict
Insider threats and attacks cause substantial losses for businesses. But with the right security tools, technology, and strategies, companies can protect themselves against these threats. Organizations must promote a cybersecurity culture and use network security tools and zero trust to reduce the risk of these threats and build a strong security infrastructure.