Much of the discourse (and dollars) in cybersecurity focuses on creating stronger barriers against external malicious hackers. Firewalls, intrusion detection systems and robust encryption protocols all aim to shield companies against outside threats.
But a significant and sometimes overlooked aspect of cybersecurity is that the danger isn’t always from the faceless hacker half a world away; it’s often someone close to your company with access to systems or in-depth knowledge of your operations.
What Are Insider Threats in Cybersecurity?
Insiders pose a threat because they already have knowledge of, or access to, your network and systems, which lets them cause harm either intentionally or through negligence. Insiders include current or former employees, contractors and even business partners. The harm can take many forms: data breaches, intellectual property theft, disruption of key business services, financial fraud, espionage, loss of competitive advantage and operational setbacks.
To better understand insider threats, here is a more granular breakdown of different types of threats:
- Malicious attacks carried out by insiders who intend to harm your company. Motives include grievance (often a disgruntled current or former employee), monetary gain, ideology, or working on behalf of a foreign government or a key competitor.
- Negligent or accidental actions by insiders, such as sending confidential data to the wrong email address, using easily guessable passwords, or leaving a cloud storage bucket unsecured. These mistakes result in data leaks or give external attackers a foothold.
- Third parties such as vendors and contractors who have access to your systems and either misuse that access deliberately or expose your company indirectly when they themselves are compromised.
Real-world Incidents Caused by Insider Threats
There’s perhaps no better way to illuminate the risks posed by insiders than reviewing some real-world cybersecurity incidents caused by insider threats.
Sabotage of electronic shipping records
In 2020, during the height of the Covid pandemic, an employee at a medical packaging company lost his job. A few days later, the disgruntled former employee logged into the company's systems using a fake user account he had created while still employed there. He edited approximately 115,581 electronic shipping records and deleted approximately 2,371 of them, delaying deliveries of crucial personal protective equipment (PPE) to healthcare providers. Note that disabling his own account at offboarding would not have stopped him: the fake account had no legitimate owner and would only have surfaced in a review of all accounts against the staff roster.
Unsecured AWS bucket
In a 2023 example of a negligent insider, an employee at UK outsourcing firm Capita left an AWS S3 bucket unsecured, so that anyone who found its address on the public internet could read its contents. The bucket contained benefits data on residents of a southeast England city council.
Illegally selling VoIP licenses
A former employee of the American multinational technology company Avaya and two former resellers illegally sold VoIP licenses worth $88 million. The employee was a system administrator who abused his privileges to generate license keys, which he sold to the resellers; they in turn sold these unauthorized licenses well below market value. Tiered licenses for Avaya IP Office unlocked premium features such as voicemail and unlimited telephones.
Some statistics shed further light on the problem of insider threats in cybersecurity:
- Part of the difficulty in stopping insider threats is that only a paltry share of most cybersecurity budgets goes to this risk: 88% of companies devote 10% or less of their IT security budgets to mitigating insider threats.
- 77% of organizations across U.S. critical national infrastructure reported a rise in insider threats from 2020 to 2023, with an average of one intentional malicious act by an employee every other week.
- Three-quarters of respondents feel their organization is moderately to extremely vulnerable to insider threats.
Insider Threat Mitigation Tips
It is understandable that companies don't spend much on insider threats, since stopping these incidents can feel hopeless: the threats come from people who already have trust, access and knowledge of your internal IT systems. But some mitigation measures are still crucial:
- Deploy data loss prevention (DLP) solutions to monitor and control data transfers and protect against unauthorized data exposure or leakage.
- Regularly review and update identity and access permissions. Ensure that employees' access rights match their current job responsibilities and that no orphaned user accounts exist on your network. Compare the full account list against the HR roster, not just against the previous review, so that accounts with no current owner surface, including ones an insider created for themselves.
- Implement the principle of least privilege (PoLP) to ensure that employees have access only to the data and systems they strictly need for their roles.
- Use user and entity behavior analytics (UEBA) tools to monitor and analyze user behavior and detect unusual patterns, such as logins at odd hours or bulk edits far above a user's normal volume, that might indicate malicious or negligent activity.
- Run regular security training sessions to educate employees about the risks of insider threats and highlight the importance of practicing good security hygiene.
- Have a clear offboarding process and immediately revoke all access to company resources and data when an employee leaves, including VPN access, API keys and any shared credentials the person knew.
- Ensure that third-party vendors, contractors and partners who have access to your systems undergo rigorous security vetting and follow your security protocols.
- Have a clear plan for responding to insider threats because the longer the response takes, the costlier these incidents become. This plan should include steps for containment, investigation, communication and recovery.
- Secure employee endpoints and ensure they’re regularly updated with the latest patches. Nuspire’s managed endpoint detection and response (EDR) service offers a proactive approach to detecting and responding to threats at the endpoint level, which makes for a valuable tool in your fight against insider threats. Our EDR service provides experts with the ability to continuously monitor endpoint activities, whether those endpoints are fixed or mobile. Visibility into all managed endpoints ensures that there are no blind spots where insider threats can operate undetected.
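The access-review, least-privilege, UEBA and offboarding items above come down to one recurring check: compare who actually holds access and what they are doing with it against what HR says they should have. The script below is an added example, not code from the original article or from Nuspire. It cross-checks a constructed identity-provider account export against a constructed HR roster and a role-to-entitlement baseline, then replays constructed authentication log lines to flag activity by accounts that should not exist or should be disabled. All field names and the log line format are assumptions for the example; the bulk-edit record counts in the sample log mirror the shipping-records sabotage case above.

```python
"""Added example: roster-based access review plus a simple activity replay.
All data below is constructed for illustration; field names are assumptions,
not the schema of any particular identity provider or HR system.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str
    user: str
    reason: str


# Constructed HR roster: the authoritative list of people and their status.
HR_ROSTER = {
    "alice": {"role": "logistics_clerk", "status": "active"},
    "bob":   {"role": "sysadmin",        "status": "active"},
    "carol": {"role": "finance",         "status": "terminated"},
}

# Constructed least-privilege baseline: what each role strictly needs.
ROLE_BASELINE = {
    "logistics_clerk": {"shipping_records:read", "shipping_records:edit"},
    "sysadmin":        {"servers:admin", "license_portal:admin"},
    "finance":         {"erp:read"},
}

# Constructed identity-provider export. Note the terminated user still enabled
# and the account with no HR owner at all (as in the sabotage case).
IDP_ACCOUNTS = [
    {"user": "alice", "enabled": True,
     "entitlements": {"shipping_records:read", "shipping_records:edit"}},
    {"user": "bob", "enabled": True,
     "entitlements": {"servers:admin", "license_portal:admin", "erp:read"}},
    {"user": "carol", "enabled": True, "entitlements": {"erp:read"}},
    {"user": "svc-shipping2", "enabled": True,
     "entitlements": {"shipping_records:edit", "shipping_records:delete"}},
]


def review_accounts(accounts, roster, baseline):
    """Flag orphaned accounts, enabled accounts of departed staff, and
    entitlements that exceed the role baseline."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        hr = roster.get(user)
        if hr is None:
            findings.append(Finding("high", user,
                                    "no HR owner (orphaned or self-created account)"))
            continue
        if hr["status"] != "active":
            if acct["enabled"]:
                findings.append(Finding("high", user,
                                        f"HR status '{hr['status']}' but account still enabled"))
            continue  # no entitlement comparison for departed staff
        excess = acct["entitlements"] - baseline.get(hr["role"], set())
        if excess:
            findings.append(Finding("medium", user,
                                    "entitlements beyond role baseline: " + ", ".join(sorted(excess))))
    return findings


# Constructed log format (an assumption): "<timestamp> <event> user=<name> [count=<n>]"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+)(?: count=(?P<count>\d+))?")

AUTH_LOG = """\
2024-03-05T22:40:11 login user=carol
2024-03-06T03:12:45 login user=svc-shipping2
2024-03-06T03:14:02 bulk_edit user=svc-shipping2 count=115581
2024-03-06T03:20:30 bulk_delete user=svc-shipping2 count=2371
2024-03-06T09:01:00 login user=alice
2024-03-06T09:05:12 bulk_edit user=alice count=40
"""


def replay_log(log_text, roster, bulk_threshold=1000):
    """Alert on activity by unknown or departed users and on bulk record
    operations above a volume threshold (a crude UEBA-style rule)."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the review
        user, event = m["user"], m["event"]
        hr = roster.get(user)
        if hr is None:
            alerts.append(Finding("high", user, f"{event} by account with no HR owner"))
        elif hr["status"] != "active":
            alerts.append(Finding("high", user, f"{event} after termination"))
        count = int(m["count"]) if m["count"] else 0
        if event.startswith("bulk_") and count >= bulk_threshold:
            alerts.append(Finding("high", user,
                                  f"{event} of {count} records exceeds threshold {bulk_threshold}"))
    return alerts


if __name__ == "__main__":
    for f in review_accounts(IDP_ACCOUNTS, HR_ROSTER, ROLE_BASELINE) + replay_log(AUTH_LOG, HR_ROSTER):
        print(f"[{f.severity}] {f.user}: {f.reason}")
```

The review deliberately walks the account export rather than the roster: an account that exists in the identity provider but has no HR owner is exactly the kind the departing employee in the shipping-records case created for himself, and a roster-driven loop would never visit it. The bulk threshold is a placeholder; in practice it would be derived from each user's or role's historical volume.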