Oct 09 2020

Insider Threat Security: Is Your Business at Risk?

Factors that lead to insider threats include the technical and the human — and prevention is key.

Organizations spend a lot of money trying to fortify their outer moats, working to prevent security threats from breaching the perimeter. But other risks lurk within those walls, risks that can prove intensely damaging to the broader organization — a threat that warrants extra attention during Cybersecurity Awareness Month.

These problems are widespread and costly. A recent study from the Ponemon Institute, ObserveIT and Proofpoint found that the average cost of insider threats among the organizations it surveyed was $11.45 million in 2020 — a 31 percent increase from 2018. A majority of these threats are unintentional and not malicious in nature, but they can still deeply harm companies.

Tom Price, managing director of operations, technology and business continuity planning for the Securities Industry and Financial Markets Association, says that such attacks can be destabilizing for organizations such as the financial firms his group represents.

“There is likely no greater threat to financial stability than a large-scale cyber event, and we see ever-increasing numbers of cyberthreat incidents,” he said. “In fact, more than 30 percent of all cyber incidents today are caused by malicious insiders, or unintentionally by employees or contractors.”

What’s the best way to avoid this damage? Understand that you have a problem and take the steps you can to mitigate it.

What Is an Insider Threat?

An insider threat is a security issue that originates inside an organization and threatens that organization’s security, monetary assets or information. Such threats can be unintentional (such as putting sensitive data on a cloud service intended for personal use) or malicious in nature. The result can be costly and difficult to repair.

Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, notes that insider threats often represent a mixture of technical and human concerns, which means the issue is often managed across disciplines.

“Making sure that you have an alignment between what the cybersecurity team might be looking for as well as what the HR team might is always incredibly valuable,” he says.

Insider threats are a widespread problem, and fighting these threats is an area of emphasis for a number of industries, but the financial field in particular has taken steps to raise its guard.

SIFMA, a trade group that represents banks, asset management firms and the securities field, has released an in-depth best practices guide that can apply to any industry looking to keep information and assets secure.

“[U]nlike in a general cybersecurity program, every component in an insider threat mitigation program must have a distinctly human element,” the SIFMA guide states. “While external cybersecurity threats can often be prevented or detected primarily through technical tools, those technical tools are insufficient to prevent many insider threats.”


Different Types of Insider Threats

Insider threats can vary widely in nature. The Ponemon Institute report lays out three primary types:

  • A contractor or employee who is careless or negligent
  • An unscrupulous insider who acts criminally or maliciously
  • A credential thief, or someone impersonating an employee

Of these, the first example is by far the most common, representing 62 percent of the insider threats studied in the report. It is less common that employees act with criminal or malicious intent, though there have been high-profile cases of workers taking confidential information with them when they leave an organization.

These threats are not isolated and can vary widely in scale. The Ponemon Institute’s research found that 60 percent of the organizations it surveyed had more than 30 incidents per year. While some incidents can be managed quickly, others can take more than two months to mitigate, according to the report.

Insider Threat Vulnerability Indicators

Much like everything else regarding insider threats, uncovering potential vulnerabilities requires looking at both the technical and the human aspects. From a technical standpoint, Proofpoint’s Kalember says that it’s important to take steps to track organizational data for signs of a potential problem.

“You never want to be in a situation where you think something’s happened but you don’t have the data to prove it,” Kalember says. “That is the single most important principle: Understand how to capture what users are doing with the data that ultimately matters to the organization.”

He warns, however, that the shifting nature of work around COVID-19 has changed the dynamic of vulnerability detection, making problems harder to detect than in the past. This means prevention tactics are even more essential.


“Certainly, pre-March, you might have assumed that most of that was viewable in something like network traffic,” he said. “Now, a lot of people are working from home, and it is no longer the case. Most of the time, you have a user going from a cable modem straight to a cloud application.”

The SIFMA best practices guide lays out a variety of factors that can indicate vulnerability due to a staff member. In terms of malicious actions, coworker disputes or suspicious behaviors such as failed login attempts can point to issues that may create a potential for insider threats. Organizationwide shifts, like a merger or other major change, can cause stress, which can also lead to potential problems.

COVID-19 is a prime example of such a shift, Kalember says: “There are all kinds of stresses that didn’t previously exist — economic, with the work environment and otherwise — that have really created the perfect set of conditions for these problems to grow.”

How Businesses Should Respond When There Is a Problem

Insider threats are often frustrating and cost a lot of time and money to resolve, making prevention a primary goal.

The SIFMA guide recommends building an insider threat team to help mitigate risks throughout the organization using staff resources such as executive managers and human resources departments. It also recommends using technical tools and resources for defining risks, such as the National Institute of Standards and Technology’s Cybersecurity Framework.

SIFMA’s Price emphasizes the importance of creating structured guidelines to help build compliance and help prevent insider threats.

“Firms must have cross-functional insider threat capabilities in place that allow for leveraging benchmarks, guidelines and industry best practices to ensure resilient programs, while also reflecting legal considerations and employment and privacy laws so firms can maintain and improve compliance while monitoring insider behavior for potential risks,” he says.

Kalember notes that there are technical solutions to help manage and detect threats, and it’s ultimately important to combine these with more practical solutions.

“Before you really get into a complex, technology-oriented viewpoint where you’re going to establish a behavioral baseline and use machine learning to figure out deviations from that baseline, there’s a whole lot of really straightforward things that are worth looking for that almost every enterprise environment will probably find,” he said.
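The "straightforward things" Kalember describes, and the failed-login indicator named in the SIFMA guide above, can be checked with a few plain rules before any behavioral baseline or machine learning is involved. The following is an added example written for this page; it is not code from the article, from Proofpoint or from SIFMA. The log format, the user names, the thresholds (five failed logins in ten minutes, 100 MB as a bulk download, 08:00 to 18:00 as business hours) and the sample lines are all constructed assumptions for illustration.

```python
"""Rule-based insider-risk indicators over constructed authentication and
data-access log lines. Three simple checks: failed-login bursts per user,
bulk downloads of sensitive data, and data access outside business hours."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's format):
#   <ISO-8601 UTC timestamp> key=value key=value ...
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

# Assumed thresholds; real values would come from the organization's own policy.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BULK_DOWNLOAD_BYTES = 100_000_000
BUSINESS_HOURS = (8, 18)  # [start, end) hour of day treated as normal


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines so a
    bad record never stops the rest of the file from being analysed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        event = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def detect_failed_login_bursts(events):
    """Flag a user once when THRESHOLD or more failed logins fall inside a
    sliding WINDOW (two-pointer scan over that user's sorted timestamps)."""
    fails = defaultdict(list)
    for e in events:
        if e.get("action") == "login" and e.get("result") == "fail":
            fails[e.get("user", "<unknown>")].append(e["ts"])
    alerts = []
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILED_LOGIN_WINDOW:
                start += 1
            if end - start + 1 >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_login_burst", user, times[end]))
                break
    return alerts


def detect_bulk_or_offhours_access(events):
    """Flag downloads that are unusually large or happen outside business hours."""
    alerts = []
    for e in events:
        if e.get("action") != "download":
            continue
        user = e.get("user", "<unknown>")
        if int(e.get("bytes", 0)) >= BULK_DOWNLOAD_BYTES:
            alerts.append(("bulk_download", user, e["ts"]))
        if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            alerts.append(("off_hours_access", user, e["ts"]))
    return alerts


def run(lines):
    """Parse all lines, drop the malformed ones, and apply every rule."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return detect_failed_login_bursts(events) + detect_bulk_or_offhours_access(events)


# Constructed sample log: jdoe triggers a failed-login burst, asmith a bulk
# download during business hours, bchen a small download late at night.
SAMPLE_LOG = [
    "2020-10-05T02:14:07Z user=jdoe action=login result=fail src=10.0.0.5",
    "2020-10-05T02:14:20Z user=jdoe action=login result=fail src=10.0.0.5",
    "2020-10-05T02:14:35Z user=jdoe action=login result=fail src=10.0.0.5",
    "2020-10-05T02:15:01Z user=jdoe action=login result=fail src=10.0.0.5",
    "2020-10-05T02:15:40Z user=jdoe action=login result=fail src=10.0.0.5",
    "2020-10-05T02:16:02Z user=jdoe action=login result=success src=10.0.0.5",
    "2020-10-05T09:10:00Z user=asmith action=login result=fail src=10.0.0.9",
    "2020-10-05T09:10:30Z user=asmith action=login result=success src=10.0.0.9",
    "2020-10-05T09:12:00Z user=asmith action=download resource=finance/q3.xlsx bytes=250000000",
    "2020-10-05T23:45:00Z user=bchen action=download resource=hr/reviews.csv bytes=4096",
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    for kind, user, when in run(SAMPLE_LOG):
        print(f"{when.isoformat()} {kind:20} user={user}")
```

Each rule is deliberately cheap and explainable, which matters when the alert will be reviewed jointly with HR rather than by the security team alone: an analyst can point at the five timestamps or the byte count that fired it. A real deployment would read the organization's own authentication and file-access logs and tune the thresholds to its normal activity.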
