When companies think of cybersecurity threats, they mostly think of external attacks. However, insider threats are of significant importance. Here, Matt Lindley, CISO, NINJIO, discusses how companies can train employees and protect themselves from insider cybersecurity threats.
When most people think about cybersecurity, images of cybercriminal syndicates or lone wolf hackers come to mind â€” external threat actors who want to infiltrate a company or organization. While attacks launched by outsiders are certainly common, this perception overlooks what should be a top priority for any organization trying to improve its cybersecurity posture: insider threats. Cyberattacks caused by insiders (such as employees) can be especially dangerous, as these individuals often have privileged access to secure networks.Â
Although some employees actively want to harm their companies, it is important to remember that insider threats do not always involve malicious intent. For example, employee negligence can lead to unauthorized data sharing or credential theft, which gives threat actors a foothold in the company. Then there are insiders who are not planning to facilitate a cyberattack but are recruited by a cybercriminal organization to provide access in exchange for payment. Schemes like this successfully turn many employees into insider threats every year.Â
There are many types of insider threats, and they are capable of causing immense financial and reputational harm. However, because insider threats are directly related to human behavior, they can all be prevented. By educating employees about the severe consequences of enabling an insider attack, encouraging them to report suspicious activity, and creating a culture of cyber awareness, companies can drastically reduce the risk of insider threats.Â
Insider Threats Take Many Forms
Insider threats are particularly insidious because they encompass a wide range of behaviors and motives. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) definesOpens a new window insider threats as â€œmalicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.â€ Security awareness training (SAT) can address all these problems at once, from teaching employees best practices for data management, credentials, and secure communications to establishing cultural norms around reporting suspicious activity.Â
Whether an employee is consciously providing confidential information to cybercriminals or turning off safety protocols like multi-factor authentication, insider threats always involve a human element. While the thought of an employee intentionally damaging the company is disturbing, it is also vital to recognize how many insider incidents result from mistakes and oversights. According to a 2022 Ponemon Institute reportOpens a new window , 56% of insider attacks are caused by â€œemployee or contractor negligence.â€ Considering the huge direct financial and reputational costs involved and the lost time and productivity resulting from successful insider attacks, it is crucial to be on guard against insider threats and the negligent employee behaviors that make them more likely.Â
Companies cannot afford to ignore any type of insider threat, which is why they have to implement a cybersecurity platform that establishes a robust training program, provides clear reporting mechanisms, and generates organizational alignment around keeping the company safe.Â
Companies Face More Insider Threats Than Ever
Over the past several years, it has become increasingly clear that insider threats pose a unique challenge for companies. The Ponemon Institute foundOpens a new window that the total average annual cost of insider incidents is $15.4 million, while it takes organizations an average of 85 days to contain these incidents. This is up from 77 days in a previous study, while credential theft (a common element of insider attacks) almost doubled over the same period.Â
What’s even more unsettling than the fact that insider attacks have become more common is the disproportionate harm they can cause. According to the 2022 Verizon Data Breach Investigations ReportOpens a new window (DBIR), the â€œmedian size (as measured in the number of compromised records) for an insider breach exceeded that of an outsider by more than 10 to oneâ€ â€” 375,000 versus 30,000. These numbers are especially alarming considering the fact that half of the organizations have suffered an insider attack, and the frequency is on the rise.Â
Cybercriminals have always deceived employees so that they can infiltrate companies, steal data, and launch attacks on digital infrastructure. This is because social engineering is relatively cheap, has low barriers to entry (in terms of technical sophistication), and remains shockingly effective. As insider threats become more common and destructive, companies must remember that cybercriminals are not just trying to trick and coerce employees â€” they are also offering payment for access to sensitive information. They are using every tool to manipulate people into helping them break through companies’ defenses, and all employees need to be on their guard.
How Can Companies Protect Themselves From Insider Threats?
The most recent DBIR found that 82% of breaches involved a human element â€” a reminder that cybersecurity training has never been more essential. As the report states: â€œAdditionally, malware and stolen credentials provide a great second step after a social attack gets the actor in the door, which emphasizes the importance of having a strong security awareness program.â€Â
Effective CISOs recognize that cybersecurity is everyone’s responsibility, which is why an engaging SAT program is critical. Beyond learning about how to identify potential cyberattacks in real-time, employees need to know how to report suspicious activity, such as the presence of unauthorized devices or disabled multi-factor authentication. One of the CISO’s core responsibilities is developing a culture of cybersecurity. This requires buy-in at every level of the company, from the rest of the C-suite to all managers to employees across departments and teams. A culture of cybersecurity will also help employees see how severe the consequences of insider attacks can be. This ranges from the exposure of sensitive information (which could lead to identity theft or other forms of fraud on a mass scale) to devastating financial and reputational costs for the company to the possibility of huge fines and even imprisonment.Â
As with so many types of cyber risk, insider threats are all about people, from the employees who facilitate attacks (whether out of malice or negligence) to the employees who are capable of identifying and preventing those attacks. With a robust SAT platform in place, potential threat actors will think twice before working with cybercriminals to put their colleagues, customers, and companies at risk.