Insider breaches — those caused by employees and leaders within an organization — are among the costliest and hardest to detect of all data breaches. Two-thirds of total data records compromised in 2017 were the result of inadvertent insiders, according to the “2018 IBM X-Force Threat Intelligence Index,” and insider threats are the cause of 60 percent of cyberattacks. Meanwhile, misconfigured cloud servers and networked backup incidents caused by employee negligence collectively exposed over 2 billion records last year.
While organizations focus significant resources on the mitigation of external threat actors, insider risks are likely to pose an even greater financial threat to the enterprise. According to the Ponemon Institute’s “2018 Cost of Insider Threats” report, the average cost of insider-caused incidents was $8.76 million in 2017 — more than twice the $3.86 million global average cost of all breaches during the same year.
Traditional approaches to managing insider threats have focused extensively on the use of awareness training and access governance to reduce risks. While these activities are critically important, they’re likely not enough to mitigate all types of employee risk. Humans are enormously variable and failing to account for all types of insiders could result in costly security incidents.
The Five Types of Insider Threats
The inadvertent insider, the most common form of insider threat, is responsible for 64 percent of total incidents, according to Ponemon, while criminal behaviour comprises 23 percent of incidents. Human risks are more complex than simple negligence and malicious intent, however.
Inadvertent insiders include both employees who don’t respond to training and those who create error through mistakes such as misconfigured cloud networks. Within the criminal category, there are instances of collusion, long-term malicious behaviour and sabotage. A thorough understanding of the following five distinct categories of insider risk is essential for security teams to develop comprehensive safeguards.
A small but significant percentage of the employee population is made up of nonresponders to awareness training exercises. While these users may not intend to behave negligently, they’re among the riskiest members of the population since their behaviours can fit consistent patterns. In 2017, Verizon found that an average 4.2 percent of people targeted in any given phishing campaign will click the malicious link. Individuals with a strong history of falling prey to phishing campaigns are most likely to be phished again.
While employees who consistently behave in insecure ways are generally a minority of the populace, the total impact of employee mistakes is staggering. Ponemon research found that 63 percent of incidents recorded last year were caused by all categories of negligence.
2. Inadvertent Insiders
Simple negligence is the most common form of insider threat, and also the single most expensive category of employee risk. Insider threats who fit this category might generally exhibit secure behaviour and comply with policy but cause breaches due to isolated errors. Basic misjudgement — such as storing intellectual property on insecure personal devices or falling for phishing schemes — caused two-thirds of breached records in 2017, according to the X-Force report.
Threat actors are increasingly savvy to the vulnerabilities caused by inadvertent insiders. X-Force analysis of the most common criminal tactics used to exploit employee error in the last year revealed several patterns:
Thirty-eight percent of external actors attempted to trick users into clicking a malicious link or attachment.
Thirty-five percent of external risks were attempts at man-in-the-middle (MitM) attacks.
Twenty-seven percent of external threats attempted to exploit misconfigured servers.
3. Insider Collusion
Insider collaboration with malicious external threat actors is likely the rarest form of criminal insider risk, but it’s still a significant threat due to the increased frequency of attempts by professional cybercriminals to recruit employees via the dark web.
One study by Community Emergency Response Team (CERT)placed the frequency of collusion, including insider-insider collusion, at 48.32 percent of all insider-caused incidents. Insider-outsider collusion, meanwhile, comprised 16.75 percent. These incidents took several forms:
About 37 percent of incidents involved fraud.
About 24 percent of incidents involved intellectual property theft.
About 6 percent of incidents involved combined fraud and theft.
According to the same source, insider-caused incidents, which include collusion, are among the costliest categories of a breach and may take four times longer to detect than incidents caused by insiders who fly solo.
4. Persistent Malicious Insiders
Most commonly, criminal insiders exfiltrate data or commit other malicious acts with the goal of financial rewards or other personal gain. A Gartner study on criminal insider threats found that 62 percent of insiders with malicious intent are categorized as “second streamers,” or people seeking a supplemental income. Seniority had little correlation with this category of behaviour. Just 14 percent of persistently malicious insiders were in a leadership role and approximately one-third had sensitive data access.
So-called “second streamers” may exhibit sophistication in remaining undetected to maximize the personal benefits of data theft. This group of individuals may exfiltrate data slowly to personal accounts to avoid detection, instead of completing large data exports which could raise flags in traditional network monitoring tools.
5. Disgruntled Employees
As a final category of criminal insiders, disgruntled employees who commit deliberate sabotage or intellectual property theft are also among the costliest risks to an organization. The Gartner analysis of criminal insiders found 29 percent of employees stole information after quitting or being fired for future gains, while 9 percent were motivated by simple sabotage.
Disgruntled employees can fit many behavioural sub-patterns. Some frustrated employees may start digging for information access without specific goals. Other employees may have very specific data intent from the moment they give two weeks’ notice and set out to sell trade secrets to competitors.
Detecting and Responding to Patterns of Risk in Human Behavior
Human endpoints are likely among the greatest security risks in the enterprise, but insider threats are variable. There’s no single approach which can mitigate all categories of employee risk. Awareness training doesn’t account for individuals who are non-responders to education or searching for a second income stream.
There’s no complete patch for human endpoints. Increased awareness of human threats and tools for behavioural analytics are likely the best way to safeguard against the significant range of insider threats within the enterprise.
Start with Data Protection
The most valuable data and systems in the enterprise are the most vulnerable to any category of insider threat, including risks created by both negligence and criminal intent. To create transparency, organizations should discover and classify at-risk assets. Ongoing monitoring and cognitive analytics can safeguard intellectual property and sensitive data records against all categories of cybersecurity threat.
Adopt Behavioural Analytics
While each employee on a network behaves in deeply individual ways, changes in an individual’s patterns can predict risk. Artificial intelligence and behavioural analytics are exceptional tools for detecting risks in subtle patterns of workplace habits and information consumption. User behavioural analytics can mitigate all categories of insider threat with deep analytics to predict risk propensity.
Assign Risk Scores
Cognitive applications for behavioural analytics can assign risk scores to proactively identify potential insider risks before a breach has occurred. When employees are at heightened risk for error or criminal bahaviour is identified, organizations can respond with mitigating controls, heightened access management or, in extreme cases, account quarantine to prevent data loss.
One of the greatest safeguards against both insider and external actor threats is strong security hygiene to address basic vulnerabilities in enterprise security. Maintaining continual compliance can facilitate transparency and data protection around critical assets. Patching and network monitoring can reveal compromised systems or employee threats from the moment they occur, not months after the incident.
Mitigating Internal Threats
While ransomware, cryptojacking and other external threats are among the most widely-discussed enterprise security risks, insiders are the cause of the statistical majority of data breaches. Negligence, criminal insiders and stolen credentials were linked to the majority of lost records last year. X-Force research reports a 5 percent year-over-year increase in the frequency of insider threats.
Understanding the enormous variation in human behaviour is important in creating adequate safeguards against insider risks. With tools for compliance, data protection and user behavioural analytics, it’s possible to proactively protect against both inadvertent error and criminal intent within the network.